Edit tour

Windows Analysis Report
INVOICE.exe

Overview

General Information

Sample name:	INVOICE.exe
Analysis ID:	1544729
MD5:	1ab8d41cb5819e924eb939c3b5336455
SHA1:	f23031478adbeba9a5c1704f8d649b9e39f2f1b0
SHA256:	0b2833b9d51f1e9f74cad22c64151e5e57fbf85866cbecaa25b890d24368270a
Tags:	exeRedLineStealeruser-Racco42
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

INVOICE.exe (PID: 4448 cmdline: "C:\Users\user\Desktop\INVOICE.exe" MD5: 1AB8D41CB5819E924EB939C3B5336455)

RegSvcs.exe (PID: 2656 cmdline: "C:\Users\user\Desktop\INVOICE.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.gmail.com", "Username": "cruisejohn190@gmail.com", "Password": "oadc jzrw bmvr klnl"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3271329459.0000000002DEF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3271329459.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3271329459.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3271329459.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2042559177.00000000036C0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 A7 88 44 24 2B 88 44 24 2F B0 25 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000002.00000002.3269882735.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 A7 88 44 24 2B 88 44 24 2F B0 25 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000002.00000002.3273707140.0000000005370000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3273707140.0000000005370000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3273707140.0000000005370000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3273707140.0000000005370000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x429f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42a63:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x42aed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x42b7f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x42be9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x42c5b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x42cf1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42d81:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000002.00000002.3271145443.0000000002A90000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3271145443.0000000002A90000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3271145443.0000000002A90000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3272737436.0000000003D8D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3272737436.0000000003D8D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3272737436.0000000003D8D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3273840582.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3273840582.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3273840582.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3273840582.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x41b09:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x41b7b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41c05:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41c97:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41d01:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41d73:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41e09:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41e99:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Process Memory Space: RegSvcs.exe PID: 2656	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 2656	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 A7 88 44 24 2B 88 44 24 2F B0 25 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.2ad0196.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2ad0196.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.2ad0196.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2ad0196.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40bf1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40c63:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40ced:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40d7f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x40de9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40e5b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40ef1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40f81:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.INVOICE.exe.36c0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 A7 88 44 24 2B 88 44 24 2F B0 25 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 A7 88 44 24 2B 88 44 24 2F B0 25 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.53e0000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.53e0000.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.53e0000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.53e0000.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fd09:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fd7b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fe05:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fe97:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3ff01:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3ff73:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40009:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40099:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.5370ee8.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.5370ee8.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.5370ee8.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5370ee8.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x41b09:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x41b7b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41c05:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41c97:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41d01:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41d73:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41e09:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41e99:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.2ad107e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2ad107e.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.2ad107e.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2ad107e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x41b09:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x41b7b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41c05:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41c97:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41d01:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41d73:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41e09:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41e99:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.5370000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.5370000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.5370000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5370000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.5370000.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.5370000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5370000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x429f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42a63:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x42aed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x42b7f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x42be9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x42c5b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x42cf1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42d81:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.5370000.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40bf1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40c63:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40ced:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40d7f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x40de9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40e5b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40ef1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40f81:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.2ad0196.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2ad0196.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.2ad0196.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2ad0196.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x429f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42a63:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x42aed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x42b7f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x42be9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x42c5b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x42cf1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42d81:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.3dc5d90.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.3dc5d90.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.3dc5d90.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3dc5d90.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fd09:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fd7b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fe05:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fe97:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3ff01:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3ff73:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40009:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40099:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.3dc5d90.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.3dc5d90.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.3dc5d90.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3dc5d90.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x41b09:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x41b7b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41c05:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41c97:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41d01:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41d73:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41e09:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41e99:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.5370ee8.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.5370ee8.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.5370ee8.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5370ee8.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fd09:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fd7b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fe05:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fe97:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3ff01:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3ff73:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40009:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40099:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.53e0000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.53e0000.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.53e0000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.53e0000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x41b09:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x41b7b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41c05:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41c97:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41d01:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41d73:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41e09:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41e99:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.2ad107e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2ad107e.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.2ad107e.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2ad107e.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fd09:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fd7b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fe05:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fe97:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3ff01:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3ff73:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40009:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40099:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 46 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 74.125.133.108, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 2656, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49705

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.RegSvcs.exe.3dc5d90.3.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.gmail.com", "Username": "cruisejohn190@gmail.com", "Password": "oadc jzrw bmvr klnl"}

Multi AV Scanner detection for submitted file

Source: INVOICE.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: INVOICE.exe

Joe Sandbox ML: detected

Source: INVOICE.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49704 version: TLS 1.2

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.3272737436.0000000003D8D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3273707140.0000000005370000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3271145443.0000000002A90000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: INVOICE.exe, 00000000.00000003.2041250137.0000000003900000.00000004.00001000.00020000.00000000.sdmp, INVOICE.exe, 00000000.00000003.2040681038.0000000003760000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: INVOICE.exe, 00000000.00000003.2041250137.0000000003900000.00000004.00001000.00020000.00000000.sdmp, INVOICE.exe, 00000000.00000003.2040681038.0000000003760000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AD449B GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00AD449B
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00ADC7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00ADC7E8
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00ADC75D FindFirstFileW,FindClose,	0_2_00ADC75D
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00ADF021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00ADF021
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00ADF17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00ADF17E
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00ADF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00ADF47F
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AD3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00AD3833
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AD3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00AD3B56
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00ADBD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00ADBD48

Source: global traffic

TCP traffic: 192.168.2.5:49705 -> 74.125.133.108:587

Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.5:49705 -> 74.125.133.108:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00AE2404 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00AE2404

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: smtp.gmail.com

Source: RegSvcs.exe, 00000002.00000002.3271329459.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.0000000005746000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.00000000057BE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.0000000005712000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/r1.crl0
Source: RegSvcs.exe, 00000002.00000002.3271329459.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.00000000057BE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3271329459.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.0000000005712000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/wr2/GSyT1N4PBrg.crl0
Source: RegSvcs.exe, 00000002.00000002.3271329459.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.00000000057BE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.0000000005712000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: RegSvcs.exe, 00000002.00000002.3271329459.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.0000000005746000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.00000000057BE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.0000000005712000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/r1.crt0
Source: RegSvcs.exe, 00000002.00000002.3271329459.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.00000000057BE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3271329459.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.0000000005712000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/wr2.crt0
Source: RegSvcs.exe, 00000002.00000002.3271329459.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.00000000057BE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3271329459.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.0000000005712000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://o.pki.goog/wr20%
Source: RegSvcs.exe, 00000002.00000002.3271329459.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.00000000057BE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.0000000005712000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: RegSvcs.exe, 00000002.00000002.3271329459.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.00000000057BE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.0000000005712000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: RegSvcs.exe, 00000002.00000002.3271329459.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.3271329459.0000000002DEF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3271329459.0000000002F84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.gmail.com
Source: RegSvcs.exe, 00000002.00000002.3272737436.0000000003D8D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3273707140.0000000005370000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3271145443.0000000002A90000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3273840582.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000002.00000002.3272737436.0000000003D8D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3273707140.0000000005370000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3271145443.0000000002A90000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3271329459.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3273840582.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000002.00000002.3271329459.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000002.00000002.3271329459.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49704 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 2.2.RegSvcs.exe.53e0000.6.raw.unpack, SKTzxzsJw.cs

.Net Code: jkMIP5NKU

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00AE407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00AE407C

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00AE427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00AE427A

Source: C:\Users\user\Desktop\INVOICE.exe

0_2_00AE407C

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00AD003A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00AD003A

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00AFCB26 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00AFCB26

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.2ad0196.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.INVOICE.exe.36c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.53e0000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.5370ee8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.2ad107e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.5370000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.5370000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.2ad0196.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.3dc5d90.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.3dc5d90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.5370ee8.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.53e0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.2ad107e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2042559177.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.3269882735.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.3273707140.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000002.00000002.3273840582.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\INVOICE.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00A73B4C
Source: INVOICE.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: INVOICE.exe, 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d949703c-1
Source: INVOICE.exe, 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_c8ce1e74-1

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: INVOICE.exe

Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A73633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	0_2_00A73633
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AFC216 PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	0_2_00AFC216
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AFC5E7 SendMessageW,NtdllDialogWndProc_W,	0_2_00AFC5E7
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AFC502 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	0_2_00AFC502
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AFC668 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_00AFC668
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AFC8F9 NtdllDialogWndProc_W,	0_2_00AFC8F9
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AFC8CA NtdllDialogWndProc_W,	0_2_00AFC8CA
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AFC9A8 ClientToScreen,NtdllDialogWndProc_W,	0_2_00AFC9A8
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AFC928 NtdllDialogWndProc_W,	0_2_00AFC928
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AFC973 NtdllDialogWndProc_W,	0_2_00AFC973
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AFCAE6 GetWindowLongW,NtdllDialogWndProc_W,	0_2_00AFCAE6
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AFCB26 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_00AFCB26
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A71287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,745AC8D0,NtdllDialogWndProc_W,	0_2_00A71287
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A71290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	0_2_00A71290
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AFD4A8 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	0_2_00AFD4A8
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AFD422 NtdllDialogWndProc_W,	0_2_00AFD422
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A716B5 NtdllDialogWndProc_W,	0_2_00A716B5
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A716DE GetParent,NtdllDialogWndProc_W,	0_2_00A716DE
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A7167D NtdllDialogWndProc_W,	0_2_00A7167D
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AFD7F6 NtdllDialogWndProc_W,	0_2_00AFD7F6
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A7189B NtdllDialogWndProc_W,	0_2_00A7189B
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AFBCC7 NtdllDialogWndProc_W,CallWindowProcW,	0_2_00AFBCC7
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AFBF9A NtdllDialogWndProc_W,	0_2_00AFBF9A
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AFBFF6 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	0_2_00AFBFF6

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00ADA279: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00ADA279

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00AC8638 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,746C5590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

0_2_00AC8638

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00AD5264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00AD5264

Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A7E800	0_2_00A7E800
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A9DAF5	0_2_00A9DAF5
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A7E060	0_2_00A7E060
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A84140	0_2_00A84140
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A92345	0_2_00A92345
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AF0465	0_2_00AF0465
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AA6452	0_2_00AA6452
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AA25AE	0_2_00AA25AE
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A9277A	0_2_00A9277A
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AF08E2	0_2_00AF08E2
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A86841	0_2_00A86841
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AA69C4	0_2_00AA69C4
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00ACE928	0_2_00ACE928
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AD8932	0_2_00AD8932
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AA890F	0_2_00AA890F
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A88968	0_2_00A88968
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A9CCA1	0_2_00A9CCA1
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AA6F36	0_2_00AA6F36
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A870FE	0_2_00A870FE
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A83190	0_2_00A83190
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A71287	0_2_00A71287
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A93307	0_2_00A93307
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A9F359	0_2_00A9F359
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A85680	0_2_00A85680
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A91604	0_2_00A91604
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A858C0	0_2_00A858C0
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A97813	0_2_00A97813
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A91AF8	0_2_00A91AF8
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AA9C35	0_2_00AA9C35
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AF7E0D	0_2_00AF7E0D
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A7FE40	0_2_00A7FE40
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A9BF26	0_2_00A9BF26
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A91F10	0_2_00A91F10
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00CE3620	0_2_00CE3620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00408C60	2_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040DC11	2_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00407C3F	2_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418CCC	2_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00406CA0	2_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004028B0	2_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041A4BE	2_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418244	2_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00401650	2_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F20	2_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004193C4	2_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418788	2_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F89	2_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402B90	2_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004073A0	2_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_028BCFD0	2_2_028BCFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_028BCC88	2_2_028BCC88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_028BD8A0	2_2_028BD8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_028B0FD0	2_2_028B0FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_028B1030	2_2_028B1030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0597F578	2_2_0597F578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0597BD68	2_2_0597BD68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05979648	2_2_05979648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0597EE48	2_2_0597EE48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05976288	2_2_05976288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05970006	2_2_05970006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05970040	2_2_05970040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06805238	2_2_06805238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0680A0D8	2_2_0680A0D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068061B0	2_2_068061B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06808678	2_2_06808678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06801538	2_2_06801538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06805227	2_2_06805227
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0680DBE0	2_2_0680DBE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0694AACC	2_2_0694AACC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: String function: 00A98A80 appears 42 times
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: String function: 00A90C63 appears 70 times
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: String function: 00A77F41 appears 35 times

Source: INVOICE.exe, 00000000.00000003.2039737575.0000000003A2D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs INVOICE.exe
Source: INVOICE.exe, 00000000.00000002.2042559177.00000000036C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename114dadde-009f-411c-8ab8-184341bb47e2.exe4 vs INVOICE.exe
Source: INVOICE.exe, 00000000.00000003.2039608223.0000000003883000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs INVOICE.exe

Source: INVOICE.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.2ad0196.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.INVOICE.exe.36c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.53e0000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.5370ee8.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.2ad107e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.5370000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.5370000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.2ad0196.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.3dc5d90.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.3dc5d90.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.5370ee8.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.53e0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.2ad107e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.2042559177.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.3269882735.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.3273707140.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000002.00000002.3273840582.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 2.2.RegSvcs.exe.3dc5d90.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.3dc5d90.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.5370ee8.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.5370ee8.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.2ad107e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.2ad107e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.53e0000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.53e0000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.53e0000.6.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.53e0000.6.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/2

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00ADA0F4 GetLastError,FormatMessageW,

0_2_00ADA0F4

Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AC84F3 AdjustTokenPrivileges,CloseHandle,		0_2_00AC84F3
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AC8AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00AC8AA3

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00ADB3BF SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00ADB3BF

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00AEEF21 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00AEEF21

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00AE84D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00AE84D0

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00A74FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00A74FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\INVOICE.exe

File created: C:\Users\user\AppData\Local\Temp\aut15A9.tmp

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\INVOICE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: INVOICE.exe

ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\INVOICE.exe "C:\Users\user\Desktop\INVOICE.exe"
Source: C:\Users\user\Desktop\INVOICE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\INVOICE.exe"
Source: C:\Users\user\Desktop\INVOICE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\INVOICE.exe"	Jump to behavior

Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.3272737436.0000000003D8D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3273707140.0000000005370000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3271145443.0000000002A90000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: INVOICE.exe, 00000000.00000003.2041250137.0000000003900000.00000004.00001000.00020000.00000000.sdmp, INVOICE.exe, 00000000.00000003.2040681038.0000000003760000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: INVOICE.exe, 00000000.00000003.2041250137.0000000003900000.00000004.00001000.00020000.00000000.sdmp, INVOICE.exe, 00000000.00000003.2040681038.0000000003760000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 2.2.RegSvcs.exe.3dc5d90.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.5370ee8.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.2ad107e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.53e0000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00B99A00 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_00B99A00

Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A98AC5 push ecx; ret	0_2_00A98AD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C40C push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00423149 push eax; ret	2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C50E push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004231C8 push eax; ret	2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E21D push ecx; ret	2_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C6BE push ebx; ret	2_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_028B47AC push es; retf	2_2_028B47AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05974730 push eax; retf	2_2_05974745
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_069407AF push esp; retf	2_2_069407C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0694FEF0 push es; ret	2_2_0694FF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0694F8AA push es; ret	2_2_0694F8AC

Source: 2.2.RegSvcs.exe.3dc5d90.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'bnqftIAbTfTup', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.5370ee8.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'bnqftIAbTfTup', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.2ad107e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'bnqftIAbTfTup', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.53e0000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'bnqftIAbTfTup', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A74A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00A74A35
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AF53DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00AF53DF

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00A93307 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00A93307

Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\INVOICE.exe

API/Special instruction interceptor: Address: CE3244

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

2_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7970			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1854			Jump to behavior

Source: C:\Users\user\Desktop\INVOICE.exe

API coverage: 4.3 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AD449B GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00AD449B
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00ADC7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00ADC7E8
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00ADC75D FindFirstFileW,FindClose,	0_2_00ADC75D
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00ADF021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00ADF021
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00ADF17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00ADF17E
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00ADF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00ADF47F
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AD3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00AD3833
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AD3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00AD3B56
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00ADBD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00ADBD48

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00A74AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A74AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99989	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99864	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99739	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99614	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99489	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99364	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99239	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99114	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98989	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98864	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98739	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98614	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98489	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98364	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3274137984.0000000005712000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00AE401F BlockInput,

0_2_00AE401F

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00A73B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00A73B4C

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00AA5BFC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

0_2_00AA5BFC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

2_2_004019F0

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00B99A00 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_00B99A00

Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00CE34B0 mov eax, dword ptr fs:[00000030h]	0_2_00CE34B0
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00CE3510 mov eax, dword ptr fs:[00000030h]	0_2_00CE3510
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00CE1E70 mov eax, dword ptr fs:[00000030h]	0_2_00CE1E70

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00AC81D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00AC81D4

Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A9A2A4 SetUnhandledExceptionFilter,	0_2_00A9A2A4
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00A9A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A9A2D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004123F1 SetUnhandledExceptionFilter,	2_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\INVOICE.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\INVOICE.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B87008

Jump to behavior

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00AC8A73 LogonUserW,

0_2_00AC8A73

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00A73B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00A73B4C

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00A74A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00A74A35

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00AD4CFA mouse_event,

0_2_00AD4CFA

Source: C:\Users\user\Desktop\INVOICE.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\INVOICE.exe"

Jump to behavior

Source: C:\Users\user\Desktop\INVOICE.exe

0_2_00AC81D4

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00AD4A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00AD4A08

Source: INVOICE.exe, 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: INVOICE.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00A987AB cpuid

0_2_00A987AB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

2_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00AA5007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00AA5007

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00AB215F GetUserNameW,

0_2_00AB215F

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00AA40BA __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00AA40BA

Source: C:\Users\user\Desktop\INVOICE.exe

Code function: 0_2_00A74AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A74AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.2ad0196.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5370ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ad107e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5370000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5370000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ad0196.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3dc5d90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3dc5d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5370ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ad107e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3271329459.0000000002DEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3271329459.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3271329459.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3273707140.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3271145443.0000000002A90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3272737436.0000000003D8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3273840582.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2656, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.2ad0196.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5370ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ad107e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5370000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5370000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ad0196.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3dc5d90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3dc5d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5370ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ad107e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3273707140.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3271145443.0000000002A90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3272737436.0000000003D8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3273840582.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: INVOICE.exe	Binary or memory string: WIN_81
Source: INVOICE.exe	Binary or memory string: WIN_XP
Source: INVOICE.exe	Binary or memory string: WIN_XPe
Source: INVOICE.exe	Binary or memory string: WIN_VISTA
Source: INVOICE.exe	Binary or memory string: WIN_7
Source: INVOICE.exe	Binary or memory string: WIN_8
Source: INVOICE.exe, 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 2.2.RegSvcs.exe.2ad0196.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5370ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ad107e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5370000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5370000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ad0196.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3dc5d90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3dc5d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5370ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ad107e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3271329459.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3273707140.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3271145443.0000000002A90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3272737436.0000000003D8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3273840582.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2656, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.2ad0196.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5370ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ad107e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5370000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5370000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ad0196.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3dc5d90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3dc5d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5370ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ad107e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3271329459.0000000002DEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3271329459.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3271329459.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3273707140.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3271145443.0000000002A90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3272737436.0000000003D8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3273840582.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2656, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.2ad0196.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5370ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ad107e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5370000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5370000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ad0196.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3dc5d90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3dc5d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5370ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ad107e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3273707140.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3271145443.0000000002A90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3272737436.0000000003D8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3273840582.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AE6399 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00AE6399
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00AE685D socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00AE685D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	21 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	11 Software Packing	NTDS	148 System Information Discovery	Distributed Component Object Model	121 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	251 Security Software Discovery	SSH	3 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	121 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
INVOICE.exe	55%	ReversingLabs	Win32.Trojan.AutoitInject
INVOICE.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
https://api.ipify.org/t	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	172.67.74.152	true	false		unknown
smtp.gmail.com	74.125.133.108	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	RegSvcs.exe, 00000002.00000002.3272737436.0000000003D8D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3273707140.0000000005370000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3271145443.0000000002A90000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3271329459.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3273840582.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.pki.goog/gsr1/gsr1.crl0;	RegSvcs.exe, 00000002.00000002.3271329459.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.00000000057BE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.0000000005712000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://o.pki.goog/wr20%	RegSvcs.exe, 00000002.00000002.3271329459.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.00000000057BE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3271329459.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.0000000005712000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://account.dyn.com/	RegSvcs.exe, 00000002.00000002.3272737436.0000000003D8D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3273707140.0000000005370000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3271145443.0000000002A90000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3273840582.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://c.pki.goog/r/r1.crl0	RegSvcs.exe, 00000002.00000002.3271329459.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.0000000005746000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.00000000057BE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.0000000005712000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://i.pki.goog/r1.crt0	RegSvcs.exe, 00000002.00000002.3271329459.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.0000000005746000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.00000000057BE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.0000000005712000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://c.pki.goog/wr2/GSyT1N4PBrg.crl0	RegSvcs.exe, 00000002.00000002.3271329459.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.00000000057BE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3271329459.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.0000000005712000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://pki.goog/gsr1/gsr1.crt02	RegSvcs.exe, 00000002.00000002.3271329459.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.00000000057BE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.0000000005712000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.ipify.org/t	RegSvcs.exe, 00000002.00000002.3271329459.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.3271329459.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://smtp.gmail.com	RegSvcs.exe, 00000002.00000002.3271329459.0000000002DEF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3271329459.0000000002F84000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://i.pki.goog/wr2.crt0	RegSvcs.exe, 00000002.00000002.3271329459.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.00000000057BE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3271329459.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3274137984.0000000005712000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
74.125.133.108	smtp.gmail.com	United States		15169	GOOGLEUS	false
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544729
Start date and time:	2024-10-29 16:58:48 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	INVOICE.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 46 Number of non-executed functions: 277
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: INVOICE.exe

Simulations

Behavior and APIs

Time	Type	Description
11:59:40	API Interceptor	72x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.74.152	67065b4c84713_Javiles.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	4F08j2Rmd9.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	y8tCHz7CwC.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	2zYP8qOYmJ.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	Bill_Of _Lading.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Shipping documents 00029399400059.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	z20SWIFT_MT103_Payment_552016_pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	Remittance Receipt.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	SecuriteInfo.com.Win64.Malware-gen.4046.15809.exe	Get hash	malicious	EICAR	Browse	104.26.13.205
	SecuriteInfo.com.Win64.Malware-gen.4046.15809.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	SUNNY HONG VSL PARTICULARS.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	SecuriteInfo.com.Trojan.Inject5.10837.16335.2292.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	INVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	zmap.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse	172.65.204.32
	https://lumen.backerkit.com/invites/mAqpu6B5ZtIAsrg4a5WdGA/confirm?redirect_path=//rahul-garg-lcatterton-com.athuselevadores.com.br	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	zmap.mips.elf	Get hash	malicious	Mirai, Okiru	Browse	172.65.204.32
	zmap.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse	172.65.204.32
	https://deedayoshayoatmetoback.me/whatever/toni/kross/hala/mbappe/sanchez/mark/tremble/awee/rgguuu/us/invite/	Get hash	malicious	Unknown	Browse	188.114.96.3
	0001.xls	Get hash	malicious	Remcos	Browse	104.21.74.191
	installer.exe	Get hash	malicious	Unknown	Browse	172.67.75.163
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	http://email.lndg.page/ls/click?upn=u001.IvLseMgsVhVvzUpwRiP-2FwDY1kjINp61fUuRWFtJrOlsR2xK9oB-2FfYMEmxXZADqvZYVpAGo4tqJabIsrfh5cAoQ-3D-3DBY5f_Z037rZRAjNnoLxuCNZalsWeL-2FuGvpRjfvafXSKPUadVelwBKNiVQ67EtFqVq-2F-2FAK6i6xZqeXhJzRqi8XomI4er4VLqx9iTYG7-2BCEAXYgFCl0PkJ3-2Fta3PunUyBaUajSXL-2F4RU8ivpOSEDeErwB8BZGzV2oyEJ1SK5v6Yp5gOMXaPWrDBmQyDNn3b-2FaOwkDESVUP2cfI7B8pfKWj4ZDcF0w-3D-3D	Get hash	malicious	Unknown	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://deedayoshayoatmetoback.me/whatever/toni/kross/hala/mbappe/sanchez/mark/tremble/awee/rgguuu/us/invite/	Get hash	malicious	Unknown	Browse	172.67.74.152
	Jmaman_##Salary##_Benefit_for_JmamanID#IyNURVhUTlVNUkFORE9NMTAjIw==.html	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	z59IKE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.74.152
	http://url5148.librariapena.com/ls/click?upn=u001.GicqFEndYG5aFpuN1ngPufTfXrsQ9xNlNirpytR4MM9aBsYYFODsiAPftWqmKpvrE6ff_B2fWkfszhSflnL0HA3FnQqEKk1HJkizy-2Fud2LEQeI5aha2K2G6ppF2O0bL7D7H7LMN8WGu5xRF2M8uaTM6MXf6DAMaADWmIUL1YqZWKrQh1g-2F0n0cxV2mRrNZEteUwfW5DOdClcZ0c7E-2FIhACBFYnzvVFSnfSt3CZCN7P1EL1QyPVm42KBQGCDp3btvtG-2BbRJha-2FOyJXx-2BDZbno3l2jsvw-2FwkacYeoKE0uINsamNbg0rV0A52QCvn7k6VYTShXjbi9u51Z787-2F01bX1DTA9aSBSP-2FWMLEspaU-2FIdc1x-2FmRDSh7t6BQtQAtVlDsdci-2FkdE5XEzXcy1T7RT1mRx0Z8c0C7T5TxNvH7MOJLp-2BPx4LTMm4cKm4w-2Br4av4rqX3sFI-2B0Z54CPJjpfmgkQpOwbMxDkpsmVoLcKhd8rV7DcMtFguJaotRS3nEWM4vOO-2FegVGhzrwPBH6NjA2esFflr-2FYmA56ZztqyuVYNkq6vFbZhu3qpImgcxi-2BBybDKRWWCy9ZJhz5kW6d7c5iFMdA14shvBlO5oteNsOg1T8Wcd4MIJllivR5RQLa6JKyKUfgK8kF9DoOU4JGzocfITKQs9Z05ET92-2FS1aC5wu-2FuyffXQ4VOTrXPB9d3zUlvAaEdOc87CGa5e4y4lu-2F-2B9njpJqjlihSLoXPx3uHJhhT5l60Eu-2Fd0OnNMVN2uGoOn8P4Kyfxcr-2B3atbrIS84kkAo7VV7ElDHFn2Wn-2B0iZqwoFL1t1YCz2cR3xAkH3Dm45o7ag9bF7tv0L4g2t8v1fAwuiPylHAHkqFOEcwcDndKNNLE7ObrCi0wDxBijc-2FYVZU6-2F0yIfBAmiocABK2NEl2-2F-2FPMERnDYg-3D-3D	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	DA92phBHUS.exe	Get hash	malicious	XWorm	Browse	172.67.74.152
	https://u.to/Ipn6IA	Get hash	malicious	Unknown	Browse	172.67.74.152
	Documentos.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.74.152
	seemybestthingwhichigiventouformakebestappinesswogiven.hta	Get hash	malicious	Cobalt Strike	Browse	172.67.74.152
	greatevenevermadeforrgreatthignstogetinbacketothegreat.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher	Browse	172.67.74.152
	bestintercomthingswhichgivebestthingstogetmeback.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher	Browse	172.67.74.152

Process:	C:\Users\user\Desktop\INVOICE.exe
File Type:	data
Category:	dropped
Size (bytes):	272384
Entropy (8bit):	7.901696435595344
Encrypted:	false
SSDEEP:	6144:Z9fI618yKEmMHbwMPOiInTYumEh4O7sCADEeWyFacIlozeOccJL9:Z9A08yVUMWijEh8A6acdUaJ
MD5:	18B4642F4FD581904D574D51A8355C4E
SHA1:	209360DD98977D769F6550AE60335FCF66D6E34C
SHA-256:	B0A523181B8377002CFD5562ADE5AFC06E7C0BE58CA050B0829C5053B86F2FBD
SHA-512:	0468E455E97D477FAD92724199C08EAADA1094107C78621C281460E09A9D5E3AB7A74E94707EE12F3B33D02182E2DDE0FF8667A2D1704373A1C067A40575548C
Malicious:	false
Reputation:	low
Preview:	...K49GXKFBU..5Q.XDL3QDD.5ULSLK79GXOFBUFL5QIXDL3QDDT5ULSLK79.XOFLJ.B5.@.e.2..e.]<?s<9X^59"f!4("Z%i:!lA$d=[u...kZV#=aKO_bL5QIXDL[A.ixD.2.=.I.6.1ta8sD.7S..Mz5..$.-.:.Gu{!8^$.2.r &.=./vg/Kx=.2.^Z/t>.<UFL5QIXDL3QDDT5U. -79GX..BU.M1Q=.D.3QDDT5UL.Lh62FQOF.TFL.SIXDL3~.DT5ELSL.69GX.FBEFL5SIXAL3QDDT5PLSLK79GX?BBUBL5.rZDN3Q.DT%ULCLK79WXOVBUFL5QYXDL3QDDT5UL.YI7iGXOF"WF.3SIXDL3QDDT5ULSLK79GXOFBUFL..HXXL3QDDT5ULSLK79GXOFBUFL5QIXD.>SD.T5ULSLK79GXO.CU.M5QIXDL3QDDT5ULSLK79GXOFBUFbA41,DL3I.ET5ELSL.69G\OFBUFL5QIXDL3QdDTU{>7-?V9G."FBU.M5Q'XDL.PDDT5ULSLK79GX.FB.h(T%(XDL.aDDT.WLSZK79MZOFBUFL5QIXDL3.DD..'?!/K79.^MFB5DL5YKXDl1QDDT5ULSLK79G.OF.UFL5QIXDL3QDDT5ULSLK79GXOFBUFL5QIXDL3QDDT5ULSLK79GXOFBUFL5QIXDL3QDDT5ULSLK79GXOFBUFL5QIXDL3QDDT5ULSLK79GXOFBUFL5QIXDL3QDDT5ULSLK79GXOFBUFL5QIXDL3QDDT5ULSLK79GXOFBUFL5QIXDL3QDDT5ULSLK79GXOFBUFL5QIXDL3QDDT5ULSLK79GXOFBUFL5QIXDL3QDDT5ULSLK79GXOFBUFL5QIXDL3QDDT5ULSLK79GXOFBUFL5QIXDL3QDDT5ULSLK79GXOFBUFL5QIXDL3QDDT5ULSLK79GXOFBUFL5QIXDL3QDDT5ULSLK79GXOFBUFL5QIXDL3QDDT5UL

C:\Users\user\AppData\Local\Temp\spiketop

Download File

Process:	C:\Users\user\Desktop\INVOICE.exe
File Type:	data
Category:	dropped
Size (bytes):	272384
Entropy (8bit):	7.901696435595344
Encrypted:	false
SSDEEP:	6144:Z9fI618yKEmMHbwMPOiInTYumEh4O7sCADEeWyFacIlozeOccJL9:Z9A08yVUMWijEh8A6acdUaJ
MD5:	18B4642F4FD581904D574D51A8355C4E
SHA1:	209360DD98977D769F6550AE60335FCF66D6E34C
SHA-256:	B0A523181B8377002CFD5562ADE5AFC06E7C0BE58CA050B0829C5053B86F2FBD
SHA-512:	0468E455E97D477FAD92724199C08EAADA1094107C78621C281460E09A9D5E3AB7A74E94707EE12F3B33D02182E2DDE0FF8667A2D1704373A1C067A40575548C
Malicious:	false
Reputation:	low
Preview:	...K49GXKFBU..5Q.XDL3QDD.5ULSLK79GXOFBUFL5QIXDL3QDDT5ULSLK79.XOFLJ.B5.@.e.2..e.]<?s<9X^59"f!4("Z%i:!lA$d=[u...kZV#=aKO_bL5QIXDL[A.ixD.2.=.I.6.1ta8sD.7S..Mz5..$.-.:.Gu{!8^$.2.r &.=./vg/Kx=.2.^Z/t>.<UFL5QIXDL3QDDT5U. -79GX..BU.M1Q=.D.3QDDT5UL.Lh62FQOF.TFL.SIXDL3~.DT5ELSL.69GX.FBEFL5SIXAL3QDDT5PLSLK79GX?BBUBL5.rZDN3Q.DT%ULCLK79WXOVBUFL5QYXDL3QDDT5UL.YI7iGXOF"WF.3SIXDL3QDDT5ULSLK79GXOFBUFL..HXXL3QDDT5ULSLK79GXOFBUFL5QIXD.>SD.T5ULSLK79GXO.CU.M5QIXDL3QDDT5ULSLK79GXOFBUFbA41,DL3I.ET5ELSL.69G\OFBUFL5QIXDL3QdDTU{>7-?V9G."FBU.M5Q'XDL.PDDT5ULSLK79GX.FB.h(T%(XDL.aDDT.WLSZK79MZOFBUFL5QIXDL3.DD..'?!/K79.^MFB5DL5YKXDl1QDDT5ULSLK79G.OF.UFL5QIXDL3QDDT5ULSLK79GXOFBUFL5QIXDL3QDDT5ULSLK79GXOFBUFL5QIXDL3QDDT5ULSLK79GXOFBUFL5QIXDL3QDDT5ULSLK79GXOFBUFL5QIXDL3QDDT5ULSLK79GXOFBUFL5QIXDL3QDDT5ULSLK79GXOFBUFL5QIXDL3QDDT5ULSLK79GXOFBUFL5QIXDL3QDDT5ULSLK79GXOFBUFL5QIXDL3QDDT5ULSLK79GXOFBUFL5QIXDL3QDDT5ULSLK79GXOFBUFL5QIXDL3QDDT5ULSLK79GXOFBUFL5QIXDL3QDDT5ULSLK79GXOFBUFL5QIXDL3QDDT5ULSLK79GXOFBUFL5QIXDL3QDDT5UL

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.9676466698255055
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	INVOICE.exe
File size:	686'080 bytes
MD5:	1ab8d41cb5819e924eb939c3b5336455
SHA1:	f23031478adbeba9a5c1704f8d649b9e39f2f1b0
SHA256:	0b2833b9d51f1e9f74cad22c64151e5e57fbf85866cbecaa25b890d24368270a
SHA512:	6a76513aa9755e5215321241715556fa41cfdb42bbea0c385c96b19d4186e8165ec27b607a20b5750a59ea80c6005775da2e6a7375b854b1e917521409833243
SSDEEP:	12288:mozGdX0M4ornOmZIzfMwHHQmRROXK5oAhxvyn9SKbpSgKIyTgCpz:m4GHnhIzOa5b+n9pbpSZlcU
TLSH:	0BE423D1E086915AE8F301F49C77ACBD292AEC3DC0305D89738BB911AF77642876395E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	0847a5a9ad2d61b0

Static PE Info

General

Entrypoint:	0x529a00
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67201CEB [Mon Oct 28 23:23:23 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fc6683d30d9f25244a50fd5357825e79

Entrypoint Preview

Instruction
pushad
mov esi, 004D4000h
lea edi, dword ptr [esi-000D3000h]
push edi
jmp 00007F8114DFA1DDh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F8114DFA1D9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F8114DFA1BFh
mov eax, 00000001h
add ebx, ebx
jne 00007F8114DFA1D9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F8114DFA1DDh
jne 00007F8114DFA1FAh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F8114DFA1F1h
dec eax
add ebx, ebx
jne 00007F8114DFA1D9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F8114DFA1A6h
add ebx, ebx
jne 00007F8114DFA1D9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F8114DFA224h
xor ecx, ecx
sub eax, 03h
jc 00007F8114DFA1E3h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F8114DFA247h
sar eax, 1
mov ebp, eax
jmp 00007F8114DFA1DDh
add ebx, ebx
jne 00007F8114DFA1D9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F8114DFA19Eh
inc ecx
add ebx, ebx
jne 00007F8114DFA1D9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F8114DFA190h
add ebx, ebx
jne 00007F8114DFA1D9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F8114DFA1C1h
jne 00007F8114DFA1DBh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F8114DFA1B6h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F8114DFA1E0h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17b03c	0x424	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12a000	0x5103c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x17b460	0xc	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x129be4	0x48	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0xd3000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0xd4000	0x56000	0x55e00	a9c1e77ef42ef78a65f520cd1ab2a310	False	0.9873174808951966	data	7.935760808618458	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x12a000	0x52000	0x51600	8f5ce4dd3e8bd400f1005f894a3f8d92	False	0.9635476670506913	data	7.966849452236115	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x12a3b4	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0x12a4e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	Great Britain	0.4875886524822695
RT_ICON	0x12a94c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	Great Britain	0.34310506566604126
RT_ICON	0x12b9f8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	Great Britain	0.2629668049792531
RT_STRING	0xcaf90	0x594	empty	English	Great Britain	0
RT_STRING	0xcb524	0x68a	empty	English	Great Britain	0
RT_STRING	0xcbbb0	0x490	empty	English	Great Britain	0
RT_STRING	0xcc040	0x5fc	empty	English	Great Britain	0
RT_STRING	0xcc63c	0x65c	empty	English	Great Britain	0
RT_STRING	0xccc98	0x466	empty	English	Great Britain	0
RT_STRING	0xcd100	0x158	empty	English	Great Britain	0
RT_RCDATA	0x12dfa4	0x4cb77	data			1.0003373314536121
RT_GROUP_ICON	0x17ab20	0x30	data	English	Great Britain	0.9166666666666666
RT_GROUP_ICON	0x17ab54	0x14	data	English	Great Britain	1.15
RT_VERSION	0x17ab6c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x17ac4c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	GetAce
COMCTL32.dll	ImageList_Remove
COMDLG32.dll	GetOpenFileNameW
GDI32.dll	LineTo
IPHLPAPI.DLL	IcmpSendEcho
MPR.dll	WNetUseConnectionW
ole32.dll	CoGetObject
OLEAUT32.dll	VariantInit
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragFinish
USER32.dll	GetDC
USERENV.dll	LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	VerQueryValueW
WININET.dll	FtpOpenFileW
WINMM.dll	timeGetTime
WSOCK32.dll	connect

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 16:59:40.171911001 CET	49704	443	192.168.2.5	172.67.74.152
Oct 29, 2024 16:59:40.171966076 CET	443	49704	172.67.74.152	192.168.2.5
Oct 29, 2024 16:59:40.172039986 CET	49704	443	192.168.2.5	172.67.74.152
Oct 29, 2024 16:59:40.178394079 CET	49704	443	192.168.2.5	172.67.74.152
Oct 29, 2024 16:59:40.178411961 CET	443	49704	172.67.74.152	192.168.2.5
Oct 29, 2024 16:59:40.858536959 CET	443	49704	172.67.74.152	192.168.2.5
Oct 29, 2024 16:59:40.858756065 CET	49704	443	192.168.2.5	172.67.74.152
Oct 29, 2024 16:59:40.862942934 CET	49704	443	192.168.2.5	172.67.74.152
Oct 29, 2024 16:59:40.862958908 CET	443	49704	172.67.74.152	192.168.2.5
Oct 29, 2024 16:59:40.863276005 CET	443	49704	172.67.74.152	192.168.2.5
Oct 29, 2024 16:59:40.905734062 CET	49704	443	192.168.2.5	172.67.74.152
Oct 29, 2024 16:59:40.951333046 CET	443	49704	172.67.74.152	192.168.2.5
Oct 29, 2024 16:59:41.087080002 CET	443	49704	172.67.74.152	192.168.2.5
Oct 29, 2024 16:59:41.087162018 CET	443	49704	172.67.74.152	192.168.2.5
Oct 29, 2024 16:59:41.087390900 CET	49704	443	192.168.2.5	172.67.74.152
Oct 29, 2024 16:59:41.096683979 CET	49704	443	192.168.2.5	172.67.74.152
Oct 29, 2024 16:59:41.662331104 CET	49705	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:41.668337107 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:41.668461084 CET	49705	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:42.588231087 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:42.589972973 CET	49705	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:42.595410109 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:42.832911968 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:42.833230972 CET	49705	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:42.838917017 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:43.073230982 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:43.079092979 CET	49705	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:43.084633112 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:43.349436998 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:43.349483967 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:43.349519968 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:43.349572897 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:43.349680901 CET	49705	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:43.349680901 CET	49705	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:43.353792906 CET	49705	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:43.359906912 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:43.594332933 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:43.598172903 CET	49705	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:43.603719950 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:43.838139057 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:43.839206934 CET	49705	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:43.844726086 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:44.079461098 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:44.081233025 CET	49705	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:44.088349104 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:44.513458014 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:44.513885021 CET	49705	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:44.519689083 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:44.754159927 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:44.754436970 CET	49705	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:44.760551929 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:44.995840073 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:44.996048927 CET	49705	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:45.002545118 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:45.389480114 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:45.390254974 CET	49705	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:45.390254974 CET	49705	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:45.390254974 CET	49705	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:45.390254974 CET	49705	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:45.395733118 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:45.395868063 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:45.396070004 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:45.396231890 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:46.012501955 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:46.064532995 CET	49705	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:46.070151091 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:46.310554981 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:46.310992002 CET	49705	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:46.311897039 CET	49706	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:46.318648100 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:46.318749905 CET	49706	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:46.353405952 CET	587	49705	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:46.353482008 CET	49705	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:47.167874098 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:47.168374062 CET	49706	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:47.173711061 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:47.412168026 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:47.412540913 CET	49706	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:47.418150902 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:47.654742956 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:47.655442953 CET	49706	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:47.660995007 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:47.897589922 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:47.898274899 CET	49706	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:47.898825884 CET	49706	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:47.903692007 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:47.904264927 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:48.140206099 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:48.140568972 CET	49706	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:48.146008968 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:48.381953955 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:48.382320881 CET	49706	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:48.388125896 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:48.817178011 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:48.817492008 CET	49706	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:48.823136091 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:49.059722900 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:49.059935093 CET	49706	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:49.065246105 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:49.301229954 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:49.301434040 CET	49706	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:49.307305098 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:49.710360050 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:49.711656094 CET	49706	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:49.711720943 CET	49706	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:49.711755991 CET	49706	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:49.711793900 CET	49706	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:49.711846113 CET	49706	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:49.711885929 CET	49706	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:49.711920977 CET	49706	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:49.711950064 CET	49706	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:49.711978912 CET	49706	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:49.711993933 CET	49706	587	192.168.2.5	74.125.133.108
Oct 29, 2024 16:59:49.717216015 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:49.717289925 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:49.717298985 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:49.717308044 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:49.718029976 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:49.718039989 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:49.718048096 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:49.718056917 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:49.718070030 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:49.718079090 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:50.528197050 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 16:59:50.580530882 CET	49706	587	192.168.2.5	74.125.133.108
Oct 29, 2024 17:01:21.674766064 CET	49706	587	192.168.2.5	74.125.133.108
Oct 29, 2024 17:01:21.685163021 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 17:01:21.922239065 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 17:01:21.923077106 CET	49706	587	192.168.2.5	74.125.133.108
Oct 29, 2024 17:01:21.929805040 CET	587	49706	74.125.133.108	192.168.2.5
Oct 29, 2024 17:01:21.929886103 CET	49706	587	192.168.2.5	74.125.133.108

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 16:59:40.152964115 CET	52778	53	192.168.2.5	1.1.1.1
Oct 29, 2024 16:59:40.166426897 CET	53	52778	1.1.1.1	192.168.2.5
Oct 29, 2024 16:59:41.651922941 CET	58689	53	192.168.2.5	1.1.1.1
Oct 29, 2024 16:59:41.661746979 CET	53	58689	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 29, 2024 16:59:40.152964115 CET	192.168.2.5	1.1.1.1	0x7973	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 16:59:41.651922941 CET	192.168.2.5	1.1.1.1	0xd805	Standard query (0)	smtp.gmail.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 29, 2024 16:59:40.166426897 CET	1.1.1.1	192.168.2.5	0x7973	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Oct 29, 2024 16:59:40.166426897 CET	1.1.1.1	192.168.2.5	0x7973	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Oct 29, 2024 16:59:40.166426897 CET	1.1.1.1	192.168.2.5	0x7973	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Oct 29, 2024 16:59:41.661746979 CET	1.1.1.1	192.168.2.5	0xd805	No error (0)	smtp.gmail.com	74.125.133.108	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	172.67.74.152	443	2656	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 15:59:40 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-10-29 15:59:41 UTC	211	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 15:59:41 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8da45fc918564798-DFW
2024-10-29 15:59:41 UTC	14	IN	Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 Data Ascii: 173.254.250.72

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Oct 29, 2024 16:59:42.588231087 CET	587	49705	74.125.133.108	192.168.2.5	220 smtp.gmail.com ESMTP ffacd0b85a97d-38058981ae4sm12989127f8f.0 - gsmtp
Oct 29, 2024 16:59:42.589972973 CET	49705	587	192.168.2.5	74.125.133.108	EHLO 528110
Oct 29, 2024 16:59:42.832911968 CET	587	49705	74.125.133.108	192.168.2.5	250-smtp.gmail.com at your service, [173.254.250.72] 250-SIZE 35882577 250-8BITMIME 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-CHUNKING 250 SMTPUTF8
Oct 29, 2024 16:59:42.833230972 CET	49705	587	192.168.2.5	74.125.133.108	STARTTLS
Oct 29, 2024 16:59:43.073230982 CET	587	49705	74.125.133.108	192.168.2.5	220 2.0.0 Ready to start TLS
Oct 29, 2024 16:59:47.167874098 CET	587	49706	74.125.133.108	192.168.2.5	220 smtp.gmail.com ESMTP 5b1f17b1804b1-4319360c0besm148706705e9.41 - gsmtp
Oct 29, 2024 16:59:47.168374062 CET	49706	587	192.168.2.5	74.125.133.108	EHLO 528110
Oct 29, 2024 16:59:47.412168026 CET	587	49706	74.125.133.108	192.168.2.5	250-smtp.gmail.com at your service, [173.254.250.72] 250-SIZE 35882577 250-8BITMIME 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-CHUNKING 250 SMTPUTF8
Oct 29, 2024 16:59:47.412540913 CET	49706	587	192.168.2.5	74.125.133.108	STARTTLS
Oct 29, 2024 16:59:47.654742956 CET	587	49706	74.125.133.108	192.168.2.5	220 2.0.0 Ready to start TLS

Target ID:	0
Start time:	11:59:37
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\INVOICE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\INVOICE.exe"
Imagebase:	0xa70000
File size:	686'080 bytes
MD5 hash:	1AB8D41CB5819E924EB939C3B5336455
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.2042559177.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:59:38
Start date:	29/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\INVOICE.exe"
Imagebase:	0x8f0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3271329459.0000000002DEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3271329459.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3271329459.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3271329459.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.3269882735.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3273707140.0000000005370000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3273707140.0000000005370000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3273707140.0000000005370000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000002.00000002.3273707140.0000000005370000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3271145443.0000000002A90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3271145443.0000000002A90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3271145443.0000000002A90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3272737436.0000000003D8D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3272737436.0000000003D8D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3272737436.0000000003D8D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3273840582.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3273840582.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3273840582.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000002.00000002.3273840582.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0.9%
Signature Coverage:	9.5%
Total number of Nodes:	1960
Total number of Limit Nodes:	171

Executed Functions

Function 00A73B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A73B7A
IsDebuggerPresent.KERNEL32 ref: 00A73B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00B352F8,00B352E0,?,?), ref: 00A73BFD

Part of subcall function 00A77D2C: _memmove.LIBCMT ref: 00A77D66

Part of subcall function 00A80A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00A73C26,00B352F8,?,?,?), ref: 00A80ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00A73C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00B27770,00000010), ref: 00AAD3EC
SetCurrentDirectoryW.KERNEL32(?,00B352F8,?,?,?), ref: 00AAD424
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00B24260,00B352F8,?,?,?), ref: 00AAD4AA
ShellExecuteW.SHELL32(00000000,?,?), ref: 00AAD4B1

Part of subcall function 00A73A58: GetSysColorBrush.USER32(0000000F), ref: 00A73A62
Part of subcall function 00A73A58: LoadCursorW.USER32(00000000,00007F00), ref: 00A73A71
Part of subcall function 00A73A58: LoadIconW.USER32(00000063), ref: 00A73A88
Part of subcall function 00A73A58: LoadIconW.USER32(000000A4), ref: 00A73A9A
Part of subcall function 00A73A58: LoadIconW.USER32(000000A2), ref: 00A73AAC
Part of subcall function 00A73A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A73AD2
Part of subcall function 00A73A58: RegisterClassExW.USER32(?), ref: 00A73B28

Part of subcall function 00A739E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A73A15
Part of subcall function 00A739E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A73A36
Part of subcall function 00A739E7: ShowWindow.USER32(00000000,?,?), ref: 00A73A4A
Part of subcall function 00A739E7: ShowWindow.USER32(00000000,?,?), ref: 00A73A53

Part of subcall function 00A743DB: _memset.LIBCMT ref: 00A74401
Part of subcall function 00A743DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A744A6

Strings

runas, xrefs: 00AAD4A5
This is a third-party compiled AutoIt script., xrefs: 00AAD3E4

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: b8b12e25115732035924bc3952ed6bde0ef2a6ce77f696bcdabc77facbf6ba70
Instruction ID: 1699a145d4480f21b7c02ac45380bdd5efa0b8fa031eb7fac285e547a932d4a1
Opcode Fuzzy Hash: b8b12e25115732035924bc3952ed6bde0ef2a6ce77f696bcdabc77facbf6ba70
Instruction Fuzzy Hash: D851D872904248AECF22EBF4DD05AFE7BB8AF05740F10C1A5F859A71A1DF705A45DB21

Function 00A73633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00A736D2
KillTimer.USER32(?,00000001), ref: 00A736FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A7371F
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00A7372A
CreatePopupMenu.USER32 ref: 00A7373E
PostQuitMessage.USER32(00000000), ref: 00A7375F

Strings

TaskbarCreated, xrefs: 00A73725

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated
API String ID: 157504867-2362178303
Opcode ID: ffdc0c350dcb13d3a4508bdd82ba592eaecbd0fbc1178b636dd40fa3a2ae1c2a
Instruction ID: 11bf8ae3891f170f82a6910e95fd6bf300fa7e534de01c4515119b641fd8e814
Opcode Fuzzy Hash: ffdc0c350dcb13d3a4508bdd82ba592eaecbd0fbc1178b636dd40fa3a2ae1c2a
Instruction Fuzzy Hash: D841E7B3204505BBDF24ABA4DD49BBE3765EB44300F21C529FA0AC72A1DF60DE05E761

Function 00A74AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00A74B2B

Part of subcall function 00A77D2C: _memmove.LIBCMT ref: 00A77D66

GetCurrentProcess.KERNEL32(?,00AFFAEC,00000000,00000000,?), ref: 00A74BF8
IsWow64Process.KERNEL32(00000000), ref: 00A74BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00A74C45
FreeLibrary.KERNEL32(00000000), ref: 00A74C50
GetSystemInfo.KERNEL32(00000000), ref: 00A74C81
GetSystemInfo.KERNEL32(00000000), ref: 00A74C8D

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 44f59fa389440b986319d1bf07f32764161247112f5b190c4608c3485856ae01
Instruction ID: 4ac4610e2a76c219f466b22f256dd8b2b37317de2bc62e1721b008ab1b48c5b2
Opcode Fuzzy Hash: 44f59fa389440b986319d1bf07f32764161247112f5b190c4608c3485856ae01
Instruction Fuzzy Hash: E191A63154A7C4DEC732CB6889511AAFFF4AF6A300B48CA9DD0CF93A41D320E948D769

Function 00A74FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00A74FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00A74EEE,?,?,00000000,00000000), ref: 00A75010
LoadResource.KERNEL32(?,00000000,?,?,00A74EEE,?,?,00000000,00000000,?,?,?,?,?,?,00A74F8F), ref: 00AADC90
SizeofResource.KERNEL32(?,00000000,?,?,00A74EEE,?,?,00000000,00000000,?,?,?,?,?,?,00A74F8F), ref: 00AADCA5
LockResource.KERNEL32(00A74EEE,?,?,00A74EEE,?,?,00000000,00000000,?,?,?,?,?,?,00A74F8F,00000000), ref: 00AADCB8

Strings

SCRIPT, xrefs: 00A75006

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: f26bbfadb1d5e220d9b5b65a56af1499d0d31fa5d39668227f1cd06b76fa9c82
Instruction ID: b40fef47fa5b680cbb37a1df3f5d18166d06fa4ed4640cc976348c0b25085e2b
Opcode Fuzzy Hash: f26bbfadb1d5e220d9b5b65a56af1499d0d31fa5d39668227f1cd06b76fa9c82
Instruction Fuzzy Hash: BB115A75600700BFD7218BA5DC48F677BB9FFC9B51F208168F40A962A0DBB1E802C6A4

Function 00B99A00 Relevance: 7.7, APIs: 5, Instructions: 206
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 00B99B3A
GetProcAddress.KERNEL32(?,00B92FF9), ref: 00B99B58
ExitProcess.KERNEL32(?,00B92FF9), ref: 00B99B69
VirtualProtect.KERNELBASE(00A70000,00001000,00000004,?,00000000), ref: 00B99BB7
VirtualProtect.KERNELBASE(00A70000,00001000), ref: 00B99BCC

Memory Dump Source

Source File: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: 8c729d1a6cbe4bad83bad869e63596ab32e09496afd8249d312787a841db7601
Instruction ID: 77c17f2c517f7f70a65b073c22403dae68f11aee9a4e169a832da7e80b1235ee
Opcode Fuzzy Hash: 8c729d1a6cbe4bad83bad869e63596ab32e09496afd8249d312787a841db7601
Instruction Fuzzy Hash: B8510472A543125BDF608EBCDCC0664B7E4EB56320B6807BCC5E6C73C6E7A45C0687A1

Function 00A7E800 Relevance: 4.9, Strings: 3, Instructions: 1102COMMON

Download Yara Rule

Strings

pu, xrefs: 00A7E8F9, 00A7EA80, 00A7EC06, 00A7EC9D
(r, xrefs: 00A7EBE4, 00A7EC89, 00A7EC97, 00A7ECA5, 00A7ECB9, 00A7F054, 00A7F062, 00A7F08A, 00A7F092, 00A7F0F0, 00A7F0F8, 00A7F117, 00A7F125, 00AB3EA0
Variable must be of type 'Object'., xrefs: 00AB41BB

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID:
String ID: (r$Variable must be of type 'Object'.$pu
API String ID: 0-1667697304
Opcode ID: 02a205773cbcfbc6e036dc3994697d5556c10a20a78e24df16df61989f687103
Instruction ID: 97f91eafa9660075c85afd62158e918c8a6f533b23b131325439c929be6d2434
Opcode Fuzzy Hash: 02a205773cbcfbc6e036dc3994697d5556c10a20a78e24df16df61989f687103
Instruction Fuzzy Hash: 72A28C75A00205DFCB24CF58C880AAEB7B5FF58310F64C5A9E91AAB352D735ED42CB91

Function 00AD449B Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00AAE6F1), ref: 00AD44AB
FindFirstFileW.KERNELBASE(?,?), ref: 00AD44BC
FindClose.KERNEL32(00000000), ref: 00AD44CC

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 5326a6e37a6db70f6fd735d56170b186dd0a533ed0d3f382cbc3fdf54fafb16c
Instruction ID: 184ecfc4d02850485ea46eca2b2ac3dfd5eae6b63fa9e00a03c854fda1d29b47
Opcode Fuzzy Hash: 5326a6e37a6db70f6fd735d56170b186dd0a533ed0d3f382cbc3fdf54fafb16c
Instruction Fuzzy Hash: F8E0DF728148006B8210E7B8EC4D8FA779CAE09335F100726F936C22E0FB749990C696

Function 00A80B30 Relevance: 59.0, APIs: 27, Strings: 6, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A80BBB
timeGetTime.WINMM ref: 00A80E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A80FB3
Sleep.KERNEL32(0000000A), ref: 00A80FC1
LockWindowUpdate.USER32(00000000,?,?), ref: 00A8105A
DestroyWindow.USER32 ref: 00A81066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A81080
Sleep.KERNEL32(0000000A,?,?), ref: 00AB51DC
TranslateMessage.USER32(?), ref: 00AB5FB9
DispatchMessageW.USER32(?), ref: 00AB5FC7
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00AB5FDB

Strings

@GUI_CTRLID, xrefs: 00AB5293
@COM_EVENTOBJ, xrefs: 00AB5849
@TRAY_ID, xrefs: 00AB5AE8
(r, xrefs: 00AB52B2, 00AB5307, 00AB535C, 00AB5B0D
@GUI_WINHANDLE, xrefs: 00AB52E8
@GUI_CTRLHANDLE, xrefs: 00AB533D

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: (r$@COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-893526409
Opcode ID: c1f45e53387bfbfe59bc6949cdc496189df1400917019cd6179d5a37d24d978d
Instruction ID: bfed0551d6c54e4b804d13b7aaebb861c7b7730ccc7aa78d9e3516ab111ef549
Opcode Fuzzy Hash: c1f45e53387bfbfe59bc6949cdc496189df1400917019cd6179d5a37d24d978d
Instruction Fuzzy Hash: 20B2B370A08741DFD724DF24C984FAEB7E9BF84304F14891DE59A872A2DB71E945CB82

Function 00AD91FE Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AD9008: __time64.LIBCMT ref: 00AD9012

Part of subcall function 00A75045: _fseek.LIBCMT ref: 00A7505D

__wsplitpath.LIBCMT ref: 00AD92DD

Part of subcall function 00A9426E: __wsplitpath_helper.LIBCMT ref: 00A942AE

_wcscpy.LIBCMT ref: 00AD92F0
_wcscat.LIBCMT ref: 00AD9303
__wsplitpath.LIBCMT ref: 00AD9328
_wcscat.LIBCMT ref: 00AD933E
_wcscat.LIBCMT ref: 00AD9351

Part of subcall function 00AD904E: _memmove.LIBCMT ref: 00AD9087
Part of subcall function 00AD904E: _memmove.LIBCMT ref: 00AD9096

_wcscmp.LIBCMT ref: 00AD9298

Part of subcall function 00AD97DD: _wcscmp.LIBCMT ref: 00AD98CD
Part of subcall function 00AD97DD: _wcscmp.LIBCMT ref: 00AD98E0

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00AD94FB
_wcsncpy.LIBCMT ref: 00AD956E
DeleteFileW.KERNEL32(?,?), ref: 00AD95A4
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00AD95BA
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AD95CB
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AD95DD

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 17afed74b5e0ace619b6579e32044f1133caa688a3d9ee97397d1472b4c16064
Instruction ID: 707bf465d0f6331d922db5c94922297d81c582b7c3a0c8cf92989c999afbcb1e
Opcode Fuzzy Hash: 17afed74b5e0ace619b6579e32044f1133caa688a3d9ee97397d1472b4c16064
Instruction Fuzzy Hash: 2DC12AB1E00219AEDF21DFA5CD85ADFB7BDEF44310F0080AAF609E6251DB709A458F65

Function 00A771EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A74864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B352F8,?,00A737C0,?), ref: 00A74882

Part of subcall function 00A9068B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00A772C5), ref: 00A906AD

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00A77308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00AAEC21
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00AAEC62
RegCloseKey.ADVAPI32(?), ref: 00AAECA0
_wcscat.LIBCMT ref: 00AAECF9

Strings

Software\AutoIt v3\AutoIt, xrefs: 00A772FE
\, xrefs: 00AAED1C
\Include\, xrefs: 00A772C5
Include, xrefs: 00AAEC18, 00AAEC59

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 2f1871fab76faef6f90d3ff074133be8548048e5646b73e3dce540705f18c468
Instruction ID: 413fdd6932e7c2c69b37538503ae6ca28c0ae4957d3cf760786b1ef002713390
Opcode Fuzzy Hash: 2f1871fab76faef6f90d3ff074133be8548048e5646b73e3dce540705f18c468
Instruction Fuzzy Hash: 93716B71509301AEC714EF69DD819AFBBE8FF89350F51892EF449871A0EF709948CB92

Function 00A73A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A73A62
LoadCursorW.USER32(00000000,00007F00), ref: 00A73A71
LoadIconW.USER32(00000063), ref: 00A73A88
LoadIconW.USER32(000000A4), ref: 00A73A9A
LoadIconW.USER32(000000A2), ref: 00A73AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A73AD2
RegisterClassExW.USER32(?), ref: 00A73B28

Part of subcall function 00A73041: GetSysColorBrush.USER32(0000000F), ref: 00A73074
Part of subcall function 00A73041: RegisterClassExW.USER32(00000030), ref: 00A7309E
Part of subcall function 00A73041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00A730AF
Part of subcall function 00A73041: LoadIconW.USER32(000000A9), ref: 00A730F2

Strings

AutoIt v3, xrefs: 00A73B17
#, xrefs: 00A73B0D
0, xrefs: 00A73B06

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 2880975755-4155596026
Opcode ID: fb135d486f4833c78c6c67ed7782a619acbb0e4a495ed4aedbd08e289e31ae3c
Instruction ID: 6071751a32461a72e02117e0289492056b4f2ac916761a97d06483c98796c2ef
Opcode Fuzzy Hash: fb135d486f4833c78c6c67ed7782a619acbb0e4a495ed4aedbd08e289e31ae3c
Instruction Fuzzy Hash: 68212C75D00308AFEB20DFA4EC49BAE7BB4FB08711F20412AF904A72A1DBB55650DF94

Function 00A73778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINE, xrefs: 00A73834
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00A737C0
CMDLINERAW, xrefs: 00A7380D
/ErrorStdOut, xrefs: 00A7388F
/AutoIt3ExecuteScript, xrefs: 00A738CE
/AutoIt3OutputDebug, xrefs: 00A738A4
/AutoIt3ExecuteLine, xrefs: 00A738B9

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 98b9cad16a6f3d5a272a13976c90fcace74a148fef2adcd31deb9d9f79a06d41
Instruction ID: 9ec23009f89e3d55a343d9e56aaddbc6180ea1af69fe78806b14bc4120362876
Opcode Fuzzy Hash: 98b9cad16a6f3d5a272a13976c90fcace74a148fef2adcd31deb9d9f79a06d41
Instruction Fuzzy Hash: F8A16D72D1021DAADF14EBA0CD95AEFB7B8BF14300F50C42AF41AA7191DF749A09CB61

Function 00A73025 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 65
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A73074
RegisterClassExW.USER32(00000030), ref: 00A7309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00A730AF
LoadIconW.USER32(000000A9), ref: 00A730F2

Strings

AutoIt v3 GUI, xrefs: 00A73090
0, xrefs: 00A73056
+, xrefs: 00A7305D
TaskbarCreated, xrefs: 00A730A4

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: cdf42dbfde62ce563612a928b95616b0d602ba605cbbb9fe9c5e14b30acefee2
Instruction ID: c2281d8d178f6503fd185f3e4099937932577415e79455211085436355b7420c
Opcode Fuzzy Hash: cdf42dbfde62ce563612a928b95616b0d602ba605cbbb9fe9c5e14b30acefee2
Instruction Fuzzy Hash: 3F21D3B1940209AFDB50DFE4EC88ADDBBF4FF08310F20452AE590A62A0EBB54585CF91

Function 00A73041 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 54
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A73074
RegisterClassExW.USER32(00000030), ref: 00A7309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00A730AF
LoadIconW.USER32(000000A9), ref: 00A730F2

Strings

AutoIt v3 GUI, xrefs: 00A73090
0, xrefs: 00A73056
+, xrefs: 00A7305D
TaskbarCreated, xrefs: 00A730A4

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: 8901d9f88c76878a9c2b770fe33b8125056afec4e7118e7447e63be0cf07e339
Instruction ID: 703cf2692990956b6b68502693c57168a49300eb20d98bcd3ce7dcf823bebddd
Opcode Fuzzy Hash: 8901d9f88c76878a9c2b770fe33b8125056afec4e7118e7447e63be0cf07e339
Instruction Fuzzy Hash: A221C5B1901218AFDB10DFE4EC89BADBBF4FB08700F10412AFA10A72A0DBB14545CF95

Function 00CE2600 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00CE26D1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CE28F7

Memory Dump Source

Source File: 00000000.00000002.2042187086.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ce0000_INVOICE.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction ID: dab56986532f5dc4a8070cf127dd09f106e074a82f4bfd089679bb71234d913c
Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction Fuzzy Hash: 8DA12875E00248EBDB24CFA5C894BEEBBB9FF48304F208159E511BB280D7759A80DF94

Function 00A739E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A73A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A73A36
ShowWindow.USER32(00000000,?,?), ref: 00A73A4A
ShowWindow.USER32(00000000,?,?), ref: 00A73A53

Strings

AutoIt v3, xrefs: 00A73A0D, 00A73A12, 00A73A13
edit, xrefs: 00A73A30

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 1b67103f0b28f4e7195de423ecf98d5376cdb830671e76906c4ec91f7eecf118
Instruction ID: ec138f4719347a2d288a4636ed37309b9d60274c55039692c66b7487a1fa3385
Opcode Fuzzy Hash: 1b67103f0b28f4e7195de423ecf98d5376cdb830671e76906c4ec91f7eecf118
Instruction Fuzzy Hash: B3F03A705002947EEA3057676C48E3B6E7DEBC6F50B20002ABA00A3270CA611811CAB0

Function 00CE23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CE22A0: Sleep.KERNELBASE(000001F4), ref: 00CE22B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00CE24F4

Strings

LSLK79GXOFBUFL5QIXDL3QDDT5U, xrefs: 00CE2557, 00CE255A

Memory Dump Source

Source File: 00000000.00000002.2042187086.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ce0000_INVOICE.jbxd

Similarity

API ID: CreateFileSleep
String ID: LSLK79GXOFBUFL5QIXDL3QDDT5U
API String ID: 2694422964-416620962
Opcode ID: 943be96c86202d270efee7a17c1cb7988c7df2e7ec4757db3274e43e6696e60a
Instruction ID: 9a5ac44b5d9a73a0819a4b7d9ad730dbf04913385dde7e438506ff5c6b389d01
Opcode Fuzzy Hash: 943be96c86202d270efee7a17c1cb7988c7df2e7ec4757db3274e43e6696e60a
Instruction Fuzzy Hash: 27619270D04288DAEF11DBF4C858BDEBBB89F19304F044198E6497B2C1D7B91B49CB65

Function 00A769CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A74F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00B352F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A74F6F

_free.LIBCMT ref: 00AAE5BC
_free.LIBCMT ref: 00AAE603

Part of subcall function 00A76BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A76D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00AAE392
Bad directive syntax error, xrefs: 00AAE5EB

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 020079a7ee7737c318b0a991abfaff4305a67d1ca832bde256337acb3119d2f3
Instruction ID: 41cfc42caa2ee1405e34a1a159159e8909dfbd91283c9df8a8fbfdd9c5c0158d
Opcode Fuzzy Hash: 020079a7ee7737c318b0a991abfaff4305a67d1ca832bde256337acb3119d2f3
Instruction Fuzzy Hash: 80916E71D10219AFCF04EFA4DD919EDB7B8FF09314F14846AF816AB291EB31A904CB60

Function 00A735B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00A735A1,SwapMouseButtons,00000004,?), ref: 00A735D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00A735A1,SwapMouseButtons,00000004,?,?,?,?,00A72754), ref: 00A735F5
RegCloseKey.KERNELBASE(00000000,?,?,00A735A1,SwapMouseButtons,00000004,?,?,?,?,00A72754), ref: 00A73617

Strings

Control Panel\Mouse, xrefs: 00A735D2

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: b923926dc1fb6895dfd8f4721750b619b208a1be59ef2f3ed5a56f788002467e
Instruction ID: 25a1950e15cf54176f0bac0142485821e6c6c4fc6154ee21bf4cf0e23d633a5b
Opcode Fuzzy Hash: b923926dc1fb6895dfd8f4721750b619b208a1be59ef2f3ed5a56f788002467e
Instruction Fuzzy Hash: 03110676511218BEDF20CFA4DC449ABB7B8EF04740F12C569A909D7210E6719E51A764

Function 00CE12A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00CE1ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00CE1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00CE1B13

Memory Dump Source

Source File: 00000000.00000002.2042187086.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ce0000_INVOICE.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction ID: 9e4b83af7ecaa8da5a7e5c69f243ec1bffb502d4279c720c42b04e4ea10ecaba
Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction Fuzzy Hash: 59622B30A14258DBEB24CFA5C844BEEB376EF58300F1091A9E50DEB390E7759E81CB59

Function 00AD9604 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00A75045: _fseek.LIBCMT ref: 00A7505D

Part of subcall function 00AD97DD: _wcscmp.LIBCMT ref: 00AD98CD
Part of subcall function 00AD97DD: _wcscmp.LIBCMT ref: 00AD98E0

_free.LIBCMT ref: 00AD974B
_free.LIBCMT ref: 00AD9752
_free.LIBCMT ref: 00AD97BD

Part of subcall function 00A92ED5: RtlFreeHeap.NTDLL(00000000,00000000,?,00A99BA4), ref: 00A92EE9
Part of subcall function 00A92ED5: GetLastError.KERNEL32(00000000,?,00A99BA4), ref: 00A92EFB

_free.LIBCMT ref: 00AD97C5

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: b9ba3a950dd1a7030697058870f3ba09b94392d032a6107ab809e5f29304b5ac
Instruction ID: f48cea52d9da2da97e47861931a618ce50a14a24c70e8ca99ce7f7f1d0ac0dfd
Opcode Fuzzy Hash: b9ba3a950dd1a7030697058870f3ba09b94392d032a6107ab809e5f29304b5ac
Instruction Fuzzy Hash: B0514DB1E04218AFDF249F64DC85A9EBBB9EF48300F1044AEB609A7341DB715E80CF58

Function 00A9487A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A94910
__flush.LIBCMT ref: 00A94930
__write.LIBCMT ref: 00A94963
__flsbuf.LIBCMT ref: 00A94991

Part of subcall function 00A98CA8: __getptd_noexit.LIBCMT ref: 00A98CA8

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: c192cc0e54a8f9db57de2592849b4d8a529bf1476805975b929b304db04efb62
Instruction ID: 98f501edee609c32ca79fbc0eed65d1653740b2b77e62bbf351c4276c470b022
Opcode Fuzzy Hash: c192cc0e54a8f9db57de2592849b4d8a529bf1476805975b929b304db04efb62
Instruction Fuzzy Hash: C641A471B047469FDF288F69C881D6F7BE6AF89364B24C63DE859C7640E670DD428B40

Function 00A773E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AAED92
7516D0D0.COMDLG32(?), ref: 00AAEDDC

Part of subcall function 00A748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A748A1,?,?,00A737C0,?), ref: 00A748CE

Part of subcall function 00A90911: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A90930

Strings

X, xrefs: 00AAEDAA

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: NamePath$7516FullLong_memset
String ID: X
API String ID: 3926756254-3081909835
Opcode ID: f6e39d4296b54e13cfcd7a932de95b1fd130aa75c070c6f2f5ae9095251b6c7c
Instruction ID: 9fbcc3929411c9d660f5272e72bfbaf160802edde6c11527a03068a73a618b2d
Opcode Fuzzy Hash: f6e39d4296b54e13cfcd7a932de95b1fd130aa75c070c6f2f5ae9095251b6c7c
Instruction Fuzzy Hash: 5821AE31A0025CABCF51DFA4CC45BEE7BF8AF49704F10805AE50CA7282DFB459898BA1

Function 00A90F36 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A9588C: __FF_MSGBANNER.LIBCMT ref: 00A958A3
Part of subcall function 00A9588C: __NMSG_WRITE.LIBCMT ref: 00A958AA
Part of subcall function 00A9588C: RtlAllocateHeap.NTDLL(00D10000,00000000,00000001), ref: 00A958CF

std::exception::exception.LIBCMT ref: 00A90F6C
__CxxThrowException@8.LIBCMT ref: 00A90F81

Part of subcall function 00A9871B: RaiseException.KERNEL32(?,?,00000000,00B29E78,?,00000001,?,?,?,00A90F86,00000000,00B29E78,00A79FEC,00000001), ref: 00A98770

Strings

bad allocation, xrefs: 00A90F61

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: bad allocation
API String ID: 3902256705-2104205924
Opcode ID: bc5442a68bd9ffbd02037c787c63fcc6947938365822405228f7ac48b01e4092
Instruction ID: 2c94b86b214273780972457525a15951542d4f41b05beede5962d6b193d0d80d
Opcode Fuzzy Hash: bc5442a68bd9ffbd02037c787c63fcc6947938365822405228f7ac48b01e4092
Instruction Fuzzy Hash: 2CF0A4366042196ECF24BF98ED06DEE7BEC9F01390F104565F908D6192EF748B54D2D1

Function 00AD998C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00AD99A1
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00AD99B8

Strings

aut, xrefs: 00AD99B2

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 5de64187c7b7890a350fa1478452fc602a7d10c3be1d09c81efc14c109fa9350
Instruction ID: 59d82e8c0e50506cdd9ea4186da3a012d9bf3e785719fa9e05501943caeb7093
Opcode Fuzzy Hash: 5de64187c7b7890a350fa1478452fc602a7d10c3be1d09c81efc14c109fa9350
Instruction Fuzzy Hash: 32D05E7994030DAFDB60DBE4EC0EFEA777CEB04700F0042B1BA54961A1EAB09599CB91

Function 00AECBF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec8eedf9315d8fd4f00b5f24e1e903ed8958e5e9f29b2e393a45b72cb905788b
Instruction ID: 9d915038cbf0f4314b0f44c3237f4ed2d8fbd2affcd5e62a417c0b2b7b5dfd17
Opcode Fuzzy Hash: ec8eedf9315d8fd4f00b5f24e1e903ed8958e5e9f29b2e393a45b72cb905788b
Instruction Fuzzy Hash: 99F15C715083419FC714DF29C984A6ABBE5FF88324F14892EF89A9B351D731E946CF82

Function 00A7F8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A902E2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A90313
Part of subcall function 00A902E2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00A9031B
Part of subcall function 00A902E2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A90326
Part of subcall function 00A902E2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A90331
Part of subcall function 00A902E2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00A90339
Part of subcall function 00A902E2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00A90341

Part of subcall function 00A86259: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00A862B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A7FB2D
OleInitialize.OLE32(00000000), ref: 00A7FBAA
CloseHandle.KERNEL32(00000000), ref: 00AB4921

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
String ID:
API String ID: 3094916012-0
Opcode ID: bfcb6b3eed745361e33a1f36a234bea482c63d9d10bc7d81dd47aaac2f7f85a5
Instruction ID: 5b8149f5b675f16c1793bc3bedc8052eafad695b6166becb2486f76af312c771
Opcode Fuzzy Hash: bfcb6b3eed745361e33a1f36a234bea482c63d9d10bc7d81dd47aaac2f7f85a5
Instruction Fuzzy Hash: B681DCB1901A40CFC3A8EF39AD4565DBBE9FB98306770856AD01ACB36AEF704484CF14

Function 00A9588C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00A958A3

Part of subcall function 00A9A2EB: __NMSG_WRITE.LIBCMT ref: 00A9A312
Part of subcall function 00A9A2EB: __NMSG_WRITE.LIBCMT ref: 00A9A31C

__NMSG_WRITE.LIBCMT ref: 00A958AA

Part of subcall function 00A9A348: GetModuleFileNameW.KERNEL32(00000000,00B333BA,00000104,00000000,00000001,00000000), ref: 00A9A3DA
Part of subcall function 00A9A348: ___crtMessageBoxW.LIBCMT ref: 00A9A488

Part of subcall function 00A9321F: ___crtCorExitProcess.LIBCMT ref: 00A93225
Part of subcall function 00A9321F: ExitProcess.KERNEL32 ref: 00A9322E

Part of subcall function 00A98CA8: __getptd_noexit.LIBCMT ref: 00A98CA8

RtlAllocateHeap.NTDLL(00D10000,00000000,00000001), ref: 00A958CF

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: c159a4369eac4c0ced4a6c19046a6a4acd263cf0f8aaa73fda4abc64bcc53b96
Instruction ID: bb7fa29e060340584ff5f055781a909d835d2b5f504884e7556656c5bafdaac8
Opcode Fuzzy Hash: c159a4369eac4c0ced4a6c19046a6a4acd263cf0f8aaa73fda4abc64bcc53b96
Instruction Fuzzy Hash: 0101DE36B50B11AAEE122BB4ED43A2F73E8DF82760B604126F501AB191DE749E4057A1

Function 00AD994B Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00AD95F1,?,?,?,?,?,00000004), ref: 00AD9964
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00AD95F1,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00AD997A
CloseHandle.KERNEL32(00000000,?,00AD95F1,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00AD9981

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: b0a5cda5ee690fb366462a29114b5e07869f364f4cf3af5943b34beacf6356ad
Instruction ID: c0802c8bbe674b1f55f6cd8322232d7309306dc1cb80e1f17afb8c7bb278e9d2
Opcode Fuzzy Hash: b0a5cda5ee690fb366462a29114b5e07869f364f4cf3af5943b34beacf6356ad
Instruction Fuzzy Hash: 11E08632141214BBDB215BD4EC09FEE7B18AF05760F144320FB65690E087B15922D798

Function 00AD8DB6 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00AD8DC4

Part of subcall function 00A92ED5: RtlFreeHeap.NTDLL(00000000,00000000,?,00A99BA4), ref: 00A92EE9
Part of subcall function 00A92ED5: GetLastError.KERNEL32(00000000,?,00A99BA4), ref: 00A92EFB

_free.LIBCMT ref: 00AD8DD5
_free.LIBCMT ref: 00AD8DE7

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 33ae1c996f9c9f7cc5f494d2acb49351bd07ed813e84366d3f1e78f850c3488c
Instruction ID: e49b73ef529f65b15df615e075afbef1ea0e5d26b094bdc8eec1953a78d9001d
Opcode Fuzzy Hash: 33ae1c996f9c9f7cc5f494d2acb49351bd07ed813e84366d3f1e78f850c3488c
Instruction Fuzzy Hash: 54E012A170170153CE2466786A80F9327DC5F58B61714081EB48AD76C2CE28E8818234

Function 00A7AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00AAFF5A

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 8cdc153f53177d61f53765eda00ea5b93f63efa9691db4d38093ca349bbc5676
Instruction ID: 0ded7185688ba76e11e46f6f3eede1077cc035875e82f6987029fcfff94364be
Opcode Fuzzy Hash: 8cdc153f53177d61f53765eda00ea5b93f63efa9691db4d38093ca349bbc5676
Instruction Fuzzy Hash: 652249706082019FDB24DF14C994B6AB7F1BF94304F15C96DE89A8B362DB31ED45CB92

Function 00A74DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A74E1A

Strings

EA06, xrefs: 00AADC25

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 99b1cd51f7bc2c552fbbd0eb9b6548e95a5e2f6cbccab823c6b139b45e1efc48
Instruction ID: a81f304c59d11f9d6b7c85c1c5bd71c9b0025345b1b4f534e9b323e9a97c768e
Opcode Fuzzy Hash: 99b1cd51f7bc2c552fbbd0eb9b6548e95a5e2f6cbccab823c6b139b45e1efc48
Instruction Fuzzy Hash: C5417D32A045545BCF218F648D617FE7FB5AF0E320F68C075EC8A9B182C7609D4183E1

Function 00A77BB1 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A77C0B
_memmove.LIBCMT ref: 00A77C76

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 65f285f591322884d02e0f81033bc82a38e40abc82a44601ddf8d7e6f2c0392f
Instruction ID: 6d17f5df4821579bbce1b2f57164fa9eb3a16854b7b3f305bfe83c88750fd41d
Opcode Fuzzy Hash: 65f285f591322884d02e0f81033bc82a38e40abc82a44601ddf8d7e6f2c0392f
Instruction Fuzzy Hash: 36319FB2704606AFC714DF28DD91E6DB3A9FF48360715C629E919CB291EB70ED60CB90

Function 00A7492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

745AC8D0.UXTHEME ref: 00A74992

Part of subcall function 00A934EC: __lock.LIBCMT ref: 00A934F2
Part of subcall function 00A934EC: RtlDecodePointer.NTDLL(00000001), ref: 00A934FE
Part of subcall function 00A934EC: RtlEncodePointer.NTDLL(?), ref: 00A93509

Part of subcall function 00A74A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00A74A73
Part of subcall function 00A74A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A74A88

Part of subcall function 00A73B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A73B7A
Part of subcall function 00A73B4C: IsDebuggerPresent.KERNEL32 ref: 00A73B8C
Part of subcall function 00A73B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00B352F8,00B352E0,?,?), ref: 00A73BFD
Part of subcall function 00A73B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00A73C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A749D2

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
String ID:
API String ID: 2688871447-0
Opcode ID: 4996c70bd10224439eaf6f74ca2880dacd83fbd269b84c8fb0ab7b49e7997d51
Instruction ID: 0e8902780c73398f439882389596620ab9c81aa7d848368d1bcd578f21c49b88
Opcode Fuzzy Hash: 4996c70bd10224439eaf6f74ca2880dacd83fbd269b84c8fb0ab7b49e7997d51
Instruction Fuzzy Hash: 98115871908311ABC710EF69DD4591FFBE8EB88750F20C92EF489832A2DB719945CB96

Function 00A95516 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A98CA8: __getptd_noexit.LIBCMT ref: 00A98CA8

__lock_file.LIBCMT ref: 00A9555B

Part of subcall function 00A96D8E: __lock.LIBCMT ref: 00A96DB1

__fclose_nolock.LIBCMT ref: 00A95566

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: cfbdaa9db6606f2e46c071f998b038a0d021890f7f59dd7485c1b684b2d56368
Instruction ID: 37c1e3c848b2d7464ca7cf54dde3dd75081a6fb4271c05a3c2150e12b309309f
Opcode Fuzzy Hash: cfbdaa9db6606f2e46c071f998b038a0d021890f7f59dd7485c1b684b2d56368
Instruction Fuzzy Hash: 53F09071F01A009ADF126F79990376E66E26F41371F168209B424AB1C2CB7C89419B56

Function 00CE129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00CE1ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00CE1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00CE1B13

Memory Dump Source

Source File: 00000000.00000002.2042187086.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ce0000_INVOICE.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction ID: 9e0df42ccfd443076a4f29390761450aa44361ed59e0934ec1f3de94e4dea913
Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction Fuzzy Hash: 8B12CD24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F91CF5A

Function 00AB0005 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00AB0010

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 54ce43aeb8b087dd5346a30e290f8918f2ae05e96c81d1aeb4a77a39aae04182
Instruction ID: aa94d4655705945ba1d1a1ef56c6353c0442f99b5cadcabcea30dab763709367
Opcode Fuzzy Hash: 54ce43aeb8b087dd5346a30e290f8918f2ae05e96c81d1aeb4a77a39aae04182
Instruction Fuzzy Hash: C74105746083519FDB24DF14C884F1ABBE1BF85318F19C8ACE9998B762D732E845CB52

Function 00A77CB3 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A77D13

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 113693c81beba45e479be16195c24dec5931b37bc084de3614cfe6e99e893991
Instruction ID: 28a4b1c37e48cc1a29fcb7982ef133e757af09c7ed52607850aa451b0a6d9e9d
Opcode Fuzzy Hash: 113693c81beba45e479be16195c24dec5931b37bc084de3614cfe6e99e893991
Instruction Fuzzy Hash: 20212172604A09EBCB249F65EC4176D7BB4FF15350F21C42EE48AC6191EB3094E08704

Function 00A74F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A74D13: FreeLibrary.KERNEL32(00000000,?), ref: 00A74D4D

Part of subcall function 00A953CB: __wfsopen.LIBCMT ref: 00A953D6

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00B352F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A74F6F

Part of subcall function 00A74CC8: FreeLibrary.KERNEL32(00000000), ref: 00A74D02

Part of subcall function 00A74DD0: _memmove.LIBCMT ref: 00A74E1A

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: cee0e53555d6b9e468b71be4203fddcb651876a16b831fcd9cad7e7a53c69671
Instruction ID: 134790334f6289778ee8d9a478f8bebcb82b6b6a4bb6eb6a4116b4169749437c
Opcode Fuzzy Hash: cee0e53555d6b9e468b71be4203fddcb651876a16b831fcd9cad7e7a53c69671
Instruction Fuzzy Hash: 3511E732700709ABCF21AF70CE16BAE77A59F49B10F10C829F946A71C1DBB19A059B90

Function 00AB00DE Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00AB00EA

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: a705f4fa4a48e8d65ebdf3a00bf446546cccccdc9df151c06f91f36581e7c97e
Instruction ID: c7ce1ed88e8123589a0b08d9daeb38f8b0397c32a179e6bab69ffbdca2e302a0
Opcode Fuzzy Hash: a705f4fa4a48e8d65ebdf3a00bf446546cccccdc9df151c06f91f36581e7c97e
Instruction Fuzzy Hash: A5211EB16083519FDB24DF64C884F1BBBE5BF88314F058968F99A57722D731E809CB92

Function 00A949D3 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00A94A16

Part of subcall function 00A98CA8: __getptd_noexit.LIBCMT ref: 00A98CA8

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: a4de81f6bd72812aa44c873eb558e68d5b330860d23cfc4f505c9217f847d92f
Instruction ID: 13f311597ab4ecf854a39dd548aebf0482c0499f876308badbac519a9a296d34
Opcode Fuzzy Hash: a4de81f6bd72812aa44c873eb558e68d5b330860d23cfc4f505c9217f847d92f
Instruction Fuzzy Hash: 8EF0C231B50205EBDF11AF748D06BDF3BE1AF063A5F048514F424AA591DB7C8912DF55

Function 00A74FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00B352F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A74FDE

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: c20eebe3ff2b9ad4c54d6e7cab13f8086f5c824f3397184432f61e4e93ec9318
Instruction ID: b2fe8002cbeaf2bc242a6a95884693807fb65122ab3fe72f10e6992080b86183
Opcode Fuzzy Hash: c20eebe3ff2b9ad4c54d6e7cab13f8086f5c824f3397184432f61e4e93ec9318
Instruction Fuzzy Hash: 3AF03971509B12CFCB349F74E894822BBF1AF08729321CA3EE1DB82610C731A840DF40

Function 00A90911 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A90930

Part of subcall function 00A77D2C: _memmove.LIBCMT ref: 00A77D66

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 2c36103d8a273b99cf1e4b16ad4ef5ff244f1930d2c1caf2d1a0e633b6be0809
Instruction ID: 8fb00093dd79faca6d1ed95645af917d55a493324863ca00782bff3bf1b35e3c
Opcode Fuzzy Hash: 2c36103d8a273b99cf1e4b16ad4ef5ff244f1930d2c1caf2d1a0e633b6be0809
Instruction Fuzzy Hash: 34E0CD36A052286BC721D6DC9C05FFA77EDDF89790F0441B5FC0CD7245D9605C818690

Function 00A953CB Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00A953D6

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: ac344d965abff8b0aeb911c58f749941e4a9008aa2d2d8fb5bc704252fd7b08b
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 02B0927694020C77CE022A92EC03A4A3B999B407A4F408020FB0C1C1A2A6B3A6649689

Function 00A90D88 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00A90E37

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 6b49df0dc111309b0ff82981d84299a3569dc57bbd16e7e191632218c3e8d916
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 4431BF75B001069FCB18DF58D484969FBF6FF59380B688AA5E40ACB656DB31EDC1CB80

Function 00CE22A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00CE22B1

Memory Dump Source

Source File: 00000000.00000002.2042187086.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ce0000_INVOICE.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: ab2b5027e7216d2ffe6c84c85623c57255ec49098cd72f5bd13f7281867c2e44
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 5FE0E67494010EDFDB00EFB4D54969E7FB4EF04311F100161FD01D2280D6309D508A72

Non-executed Functions

Function 00AFCB26 Relevance: 70.6, APIs: 37, Strings: 3, Instructions: 632windowkeyboardnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A72612: GetWindowLongW.USER32(?,000000EB), ref: 00A72623

NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 00AFCBA1
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00AFCBFF
GetWindowLongW.USER32(?,000000F0), ref: 00AFCC40
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00AFCC6A
SendMessageW.USER32 ref: 00AFCC93
_wcsncpy.LIBCMT ref: 00AFCCFF
GetKeyState.USER32(00000011), ref: 00AFCD20
GetKeyState.USER32(00000009), ref: 00AFCD2D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00AFCD43
GetKeyState.USER32(00000010), ref: 00AFCD4D
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00AFCD76
SendMessageW.USER32 ref: 00AFCD9D
SendMessageW.USER32(?,00001030,?,00AFB37C), ref: 00AFCEA1
SetCapture.USER32(?), ref: 00AFCED3
ClientToScreen.USER32(?,?), ref: 00AFCF38
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00AFCF5F
ReleaseCapture.USER32 ref: 00AFCF6A
GetCursorPos.USER32(?), ref: 00AFCFA4
ScreenToClient.USER32(?,?), ref: 00AFCFB1
SendMessageW.USER32(?,00001012,00000000,?), ref: 00AFD00D
SendMessageW.USER32 ref: 00AFD03B
SendMessageW.USER32(?,00001111,00000000,?), ref: 00AFD078
SendMessageW.USER32 ref: 00AFD0A7
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00AFD0C8
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00AFD0D7
GetCursorPos.USER32(?), ref: 00AFD0F7
ScreenToClient.USER32(?,?), ref: 00AFD104
GetParent.USER32(?), ref: 00AFD124
SendMessageW.USER32(?,00001012,00000000,?), ref: 00AFD18D
SendMessageW.USER32 ref: 00AFD1BE
ClientToScreen.USER32(?,?), ref: 00AFD21C
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00AFD24C
SendMessageW.USER32(?,00001111,00000000,?), ref: 00AFD276
SendMessageW.USER32 ref: 00AFD299
ClientToScreen.USER32(?,?), ref: 00AFD2EB
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00AFD31F

Part of subcall function 00A725DB: GetWindowLongW.USER32(?,000000EB), ref: 00A725EC

GetWindowLongW.USER32(?,000000F0), ref: 00AFD3BB

Strings

F, xrefs: 00AFD29F
(r, xrefs: 00AFCF19
@GUI_DRAGID, xrefs: 00AFCF06

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
String ID: (r$@GUI_DRAGID$F
API String ID: 302779176-1222290240
Opcode ID: d3e8ed5d7a536958d484c8bd339a51a423a6369370ff153a2a6fdd047096dd21
Instruction ID: 265f5aba1de5123232bd338fc0ea19b243ef77d12b615c356547914f36120902
Opcode Fuzzy Hash: d3e8ed5d7a536958d484c8bd339a51a423a6369370ff153a2a6fdd047096dd21
Instruction Fuzzy Hash: E742AE34204349AFD721CFA5C944EBABBE5FF49320F144A29F695D72A0CB32D855CB92

Function 00A870FE Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A87323
_memset.LIBCMT ref: 00A87699
_memmove.LIBCMT ref: 00A8780C

Strings

[:>:]], xrefs: 00A875F2
[:<:]], xrefs: 00A875D9
Q\E, xrefs: 00A8812B
DEFINE, xrefs: 00AC2459
\b(?=\w), xrefs: 00AC3ABF
\b(?<=\w), xrefs: 00AC3AC9

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: d24102e2866aab0e09939f9bccc9a01c90e4e1571656f83516a71b9d750501a6
Instruction ID: a212b3d7fd310e4115808143956d8320da84bb18cf145292df21b5fa25a61558
Opcode Fuzzy Hash: d24102e2866aab0e09939f9bccc9a01c90e4e1571656f83516a71b9d750501a6
Instruction Fuzzy Hash: C593B175A00219DFDF24DF98C881BADB7B1FF48710F26816EE955AB281E7749E81CB40

Function 00A74A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00A74A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00AAD9BE
IsIconic.USER32(?), ref: 00AAD9C7
ShowWindow.USER32(?,00000009), ref: 00AAD9D4
SetForegroundWindow.USER32(?), ref: 00AAD9DE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00AAD9F4
GetCurrentThreadId.KERNEL32 ref: 00AAD9FB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00AADA07
AttachThreadInput.USER32(?,00000000,00000001), ref: 00AADA18
AttachThreadInput.USER32(?,00000000,00000001), ref: 00AADA20
AttachThreadInput.USER32(00000000,?,00000001), ref: 00AADA28
SetForegroundWindow.USER32(?), ref: 00AADA2B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00AADA40
keybd_event.USER32(00000012,00000000), ref: 00AADA4B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00AADA55
keybd_event.USER32(00000012,00000000), ref: 00AADA5A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00AADA63
keybd_event.USER32(00000012,00000000), ref: 00AADA68
MapVirtualKeyW.USER32(00000012,00000000), ref: 00AADA72
keybd_event.USER32(00000012,00000000), ref: 00AADA77
SetForegroundWindow.USER32(?), ref: 00AADA7A
AttachThreadInput.USER32(?,?,00000000), ref: 00AADAA1

Strings

Shell_TrayWnd, xrefs: 00AAD9B9

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: d70d3f81d595a39665d52464b01835af2a82b43ca00a7d86da134e07d6c41024
Instruction ID: 96df94d3940ee9d1ba2f40e20e5571f47ce9d03fa0f6a2cf6b1c8a508f7b2e94
Opcode Fuzzy Hash: d70d3f81d595a39665d52464b01835af2a82b43ca00a7d86da134e07d6c41024
Instruction Fuzzy Hash: F1312F71A40318BEEB21AFE19C49F7F7E6CEF45B90F104025FA05EA1D1DAB15D11EAA0

Function 00AE407C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00AFF910), ref: 00AE40A6
IsClipboardFormatAvailable.USER32(0000000D), ref: 00AE40B4
GetClipboardData.USER32(0000000D), ref: 00AE40BC
CloseClipboard.USER32 ref: 00AE40C8
GlobalLock.KERNEL32(00000000), ref: 00AE40E4
CloseClipboard.USER32 ref: 00AE40EE
GlobalUnlock.KERNEL32(00000000), ref: 00AE4103
IsClipboardFormatAvailable.USER32(00000001), ref: 00AE4110
GetClipboardData.USER32(00000001), ref: 00AE4118
GlobalLock.KERNEL32(00000000), ref: 00AE4125
GlobalUnlock.KERNEL32(00000000), ref: 00AE4159
CloseClipboard.USER32 ref: 00AE4269

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 4d2a3194d41e79e8ccbf5179b6ef3de080d01bcc1e2b6af9a607cb1ba1177ec4
Instruction ID: 168d19824d8af54cddb0815beb71b1ff7bfad73accb69cf22faad48bd03f214c
Opcode Fuzzy Hash: 4d2a3194d41e79e8ccbf5179b6ef3de080d01bcc1e2b6af9a607cb1ba1177ec4
Instruction Fuzzy Hash: B1518F35204246AFD710EFA1DD85FBE77ACAF98B01F108529F64AD21A1DF70D906CB62

Function 00AC8638 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00AC8AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AC8AED
Part of subcall function 00AC8AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AC8B1A
Part of subcall function 00AC8AA3: GetLastError.KERNEL32 ref: 00AC8B27

_memset.LIBCMT ref: 00AC867B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00AC86CD
CloseHandle.KERNEL32(?), ref: 00AC86DE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00AC86F5
GetProcessWindowStation.USER32 ref: 00AC870E
SetProcessWindowStation.USER32(00000000), ref: 00AC8718
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00AC8732

Part of subcall function 00AC84F3: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AC8631), ref: 00AC8508
Part of subcall function 00AC84F3: CloseHandle.KERNEL32(?,?,00AC8631), ref: 00AC851A

Strings

default, xrefs: 00AC872D
, xrefs: 00AC868A
winsta0, xrefs: 00AC86F0

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 3dc0d6b0a4f7b9f2d4ae9adfbcbcfc54ea90b31287718605b96ba2a76ff78ed1
Instruction ID: 32c575e97c428653ed0da378d59e15b15050f9788324ee0b60af64aade523e5d
Opcode Fuzzy Hash: 3dc0d6b0a4f7b9f2d4ae9adfbcbcfc54ea90b31287718605b96ba2a76ff78ed1
Instruction Fuzzy Hash: 8B816571900209AEDF11DFA4CD49EEEBBB8FF04384F45416DF914A62A0DB398E15DB60

Function 00ADC7E8 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00ADC819
FindClose.KERNEL32(00000000), ref: 00ADC86D
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00ADC892
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00ADC8A9
FileTimeToSystemTime.KERNEL32(?,?), ref: 00ADC8D0
__swprintf.LIBCMT ref: 00ADC91C
__swprintf.LIBCMT ref: 00ADC95F

Part of subcall function 00A77F41: _memmove.LIBCMT ref: 00A77F82

__swprintf.LIBCMT ref: 00ADC9B3

Part of subcall function 00A93818: __woutput_l.LIBCMT ref: 00A93871

__swprintf.LIBCMT ref: 00ADCA01

Part of subcall function 00A93818: __flsbuf.LIBCMT ref: 00A93893
Part of subcall function 00A93818: __flsbuf.LIBCMT ref: 00A938AB

__swprintf.LIBCMT ref: 00ADCA50
__swprintf.LIBCMT ref: 00ADCA9F
__swprintf.LIBCMT ref: 00ADCAEE

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00ADC916
%4d, xrefs: 00ADC959
%02d, xrefs: 00ADC9A7, 00ADC9B1, 00ADC9FF, 00ADCA4E, 00ADCA9D, 00ADCAEC

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 92663472b4b85114389bc94b3fa68e7a89bc1d899c756b2809de32f2ba219e1a
Instruction ID: 333aa8d9d9ace9ac636cfe9d53605268714effabaaa5652fb69d14eb5b378a8f
Opcode Fuzzy Hash: 92663472b4b85114389bc94b3fa68e7a89bc1d899c756b2809de32f2ba219e1a
Instruction Fuzzy Hash: FEA11272408305ABC700EBA4CD95DAFB7ECFF94700F40892AF59AC7191EA34DA09C762

Function 00ADF021 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00ADF042
_wcscmp.LIBCMT ref: 00ADF057
_wcscmp.LIBCMT ref: 00ADF06E
GetFileAttributesW.KERNEL32(?), ref: 00ADF080
SetFileAttributesW.KERNEL32(?,?), ref: 00ADF09A
FindNextFileW.KERNEL32(00000000,?), ref: 00ADF0B2
FindClose.KERNEL32(00000000), ref: 00ADF0BD
FindFirstFileW.KERNEL32(*.*,?), ref: 00ADF0D9
_wcscmp.LIBCMT ref: 00ADF100
_wcscmp.LIBCMT ref: 00ADF117
SetCurrentDirectoryW.KERNEL32(?), ref: 00ADF129
SetCurrentDirectoryW.KERNEL32(00B28920), ref: 00ADF147
FindNextFileW.KERNEL32(00000000,00000010), ref: 00ADF151
FindClose.KERNEL32(00000000), ref: 00ADF15E
FindClose.KERNEL32(00000000), ref: 00ADF170

Strings

*.*, xrefs: 00ADF0D4

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: d21a2ab6ca208fe1b3c881f4ee901a2bb9d609c3b353378c19da86447f84e5a8
Instruction ID: 2d49b19f89128d179627b2d4d1b3bcd6390244c87a5ed63f47d1da898d37ef5a
Opcode Fuzzy Hash: d21a2ab6ca208fe1b3c881f4ee901a2bb9d609c3b353378c19da86447f84e5a8
Instruction Fuzzy Hash: AB317336501219AEDF10DBF4EC49AEF77AC9F45360F104276FA16D32A1EB30DA45CA54

Function 00AF08E2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AF09DE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00AFF910,00000000,?,00000000,?,?), ref: 00AF0A4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00AF0A94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00AF0B1D
RegCloseKey.ADVAPI32(?), ref: 00AF0E3D
RegCloseKey.ADVAPI32(00000000), ref: 00AF0E4A

Strings

REG_MULTI_SZ, xrefs: 00AF0C05
REG_SZ, xrefs: 00AF0B5B
REG_BINARY, xrefs: 00AF0DD8
REG_EXPAND_SZ, xrefs: 00AF0ABA
REG_QWORD, xrefs: 00AF0D8B
REG_DWORD, xrefs: 00AF0D0E

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 8abc0e34662547b6420ce05696a799b0facb5732ffd22bdef7063c456d14385e
Instruction ID: 9df6eda0ea5e0429d9b7810d000e6cd7311c41b84096a4ec9a9c8dfcea099604
Opcode Fuzzy Hash: 8abc0e34662547b6420ce05696a799b0facb5732ffd22bdef7063c456d14385e
Instruction Fuzzy Hash: 3E0238756006119FDB14EF64C995E2ABBE5FF88724F04885DF98A9B362DB30ED01CB81

Function 00AFC668 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A72612: GetWindowLongW.USER32(?,000000EB), ref: 00A72623

DragQueryPoint.SHELL32(?,?), ref: 00AFC691

Part of subcall function 00AFAB69: ClientToScreen.USER32(?,?), ref: 00AFAB92
Part of subcall function 00AFAB69: GetWindowRect.USER32(?,?), ref: 00AFAC08
Part of subcall function 00AFAB69: PtInRect.USER32(?,?,00AFC07E), ref: 00AFAC18

SendMessageW.USER32(?,000000B0,?,?), ref: 00AFC6FA
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00AFC705
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00AFC728
_wcscat.LIBCMT ref: 00AFC758
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00AFC76F
SendMessageW.USER32(?,000000B0,?,?), ref: 00AFC788
SendMessageW.USER32(?,000000B1,?,?), ref: 00AFC79F
SendMessageW.USER32(?,000000B1,?,?), ref: 00AFC7C1
DragFinish.SHELL32(?), ref: 00AFC7C8
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 00AFC8BB

Strings

@GUI_DRAGFILE, xrefs: 00AFC86A
(r, xrefs: 00AFC805
@GUI_DRAGID, xrefs: 00AFC833
@GUI_DROPID, xrefs: 00AFC7E8

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
String ID: (r$@GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 2166380349-2400059299
Opcode ID: 7d796b7551a305a6143f601505fab981f2f54839522b939267d9f3d77f95c1c9
Instruction ID: 8a04d363ad2484371425160e28568cee37ce2995ed07ca178cbdf9094f7fff46
Opcode Fuzzy Hash: 7d796b7551a305a6143f601505fab981f2f54839522b939267d9f3d77f95c1c9
Instruction Fuzzy Hash: 04615C71508304AFC701EFA0DD85DAFBBE8EF88750F10892EF695971A1DB709A49CB52

Function 00ADF17E Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00ADF19F
_wcscmp.LIBCMT ref: 00ADF1B4
_wcscmp.LIBCMT ref: 00ADF1CB

Part of subcall function 00AD43C6: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00AD43E1

FindNextFileW.KERNEL32(00000000,?), ref: 00ADF1FA
FindClose.KERNEL32(00000000), ref: 00ADF205
FindFirstFileW.KERNEL32(*.*,?), ref: 00ADF221
_wcscmp.LIBCMT ref: 00ADF248
_wcscmp.LIBCMT ref: 00ADF25F
SetCurrentDirectoryW.KERNEL32(?), ref: 00ADF271
SetCurrentDirectoryW.KERNEL32(00B28920), ref: 00ADF28F
FindNextFileW.KERNEL32(00000000,00000010), ref: 00ADF299
FindClose.KERNEL32(00000000), ref: 00ADF2A6
FindClose.KERNEL32(00000000), ref: 00ADF2B8

Strings

*.*, xrefs: 00ADF21C

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 933cfa69d904456f4dcfcc6be44728f6ef5e3a96607a019bd659e9e27ef3c8e1
Instruction ID: b159c5883e6c872e1a8382efd31b9feaf3055200643e7333bdc778fc6b14a6d1
Opcode Fuzzy Hash: 933cfa69d904456f4dcfcc6be44728f6ef5e3a96607a019bd659e9e27ef3c8e1
Instruction Fuzzy Hash: 7731B2365012197ECF10DBE4EC49AEF77BC9F49320F1442B6F916A22A0DB30DE86CA54

Function 00ADA279 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00ADA299
__swprintf.LIBCMT ref: 00ADA2BB
CreateDirectoryW.KERNEL32(?,00000000), ref: 00ADA2F8
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00ADA31D
_memset.LIBCMT ref: 00ADA33C
_wcsncpy.LIBCMT ref: 00ADA378
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00ADA3AD
CloseHandle.KERNEL32(00000000), ref: 00ADA3B8
RemoveDirectoryW.KERNEL32(?), ref: 00ADA3C1
CloseHandle.KERNEL32(00000000), ref: 00ADA3CB

Strings

:, xrefs: 00ADA2DC
\, xrefs: 00ADA2D1
\??\%s, xrefs: 00ADA2B5

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 3c0f22f48ea15acf9034459860f988317e29def090bb26408da4b2aada55ea63
Instruction ID: 4c1bcb1ce71aa45c6bd76f88d195f1adaea8ea62f2b5ffba4053a6a4edd4ae61
Opcode Fuzzy Hash: 3c0f22f48ea15acf9034459860f988317e29def090bb26408da4b2aada55ea63
Instruction Fuzzy Hash: F3318EB660010AABDB21DFE0DC49FEB77BDEF88740F1041B6FA09D6160EB7096458B65

Function 00AFC216 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A72612: GetWindowLongW.USER32(?,000000EB), ref: 00A72623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00AFC266
GetFocus.USER32 ref: 00AFC276
GetDlgCtrlID.USER32(00000000), ref: 00AFC281
_memset.LIBCMT ref: 00AFC3AC
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00AFC3D7
GetMenuItemCount.USER32(?), ref: 00AFC3F7
GetMenuItemID.USER32(?,00000000), ref: 00AFC40A
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00AFC43E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00AFC486
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00AFC4BE
NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 00AFC4F3

Strings

0, xrefs: 00AFC3A4

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
String ID: 0
API String ID: 3616455698-4108050209
Opcode ID: ce71bcc505cb083f8119e0dd7cd03ad70736ff5829797f4f26358e1d411ec22c
Instruction ID: e5177b83486ed97a52eb3caeae22bd4ef0d1a374cd3333bc4293583b25ac8af5
Opcode Fuzzy Hash: ce71bcc505cb083f8119e0dd7cd03ad70736ff5829797f4f26358e1d411ec22c
Instruction Fuzzy Hash: 3C817071608309AFD710DF95CA98A7BBBE4FF88364F10492DFA9597291C730D905CBA2

Function 00AC81D4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC852A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AC8546
Part of subcall function 00AC852A: GetLastError.KERNEL32(?,00AC800A,?,?,?), ref: 00AC8550
Part of subcall function 00AC852A: GetProcessHeap.KERNEL32(00000008,?,?,00AC800A,?,?,?), ref: 00AC855F
Part of subcall function 00AC852A: RtlAllocateHeap.NTDLL(00000000,?,00AC800A), ref: 00AC8566
Part of subcall function 00AC852A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AC857D

Part of subcall function 00AC85C7: GetProcessHeap.KERNEL32(00000008,00AC8020,00000000,00000000,?,00AC8020,?), ref: 00AC85D3
Part of subcall function 00AC85C7: RtlAllocateHeap.NTDLL(00000000,?,00AC8020), ref: 00AC85DA
Part of subcall function 00AC85C7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00AC8020,?), ref: 00AC85EB

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AC8238
_memset.LIBCMT ref: 00AC824D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AC826C
GetLengthSid.ADVAPI32(?), ref: 00AC827D
GetAce.ADVAPI32(?,00000000,?), ref: 00AC82BA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AC82D6
GetLengthSid.ADVAPI32(?), ref: 00AC82F3
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00AC8302
RtlAllocateHeap.NTDLL(00000000), ref: 00AC8309
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AC832A
CopySid.ADVAPI32(00000000), ref: 00AC8331
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AC8362
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AC8388
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AC839C

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: e0dedfebe87f778d67ef781127a88e592b1ad3cf936c1ba722e01508037ee68a
Instruction ID: 18f8fb688fc75a9dc9d55826fdc34a7ad0a672fc6987a139ad1ae7c62600200e
Opcode Fuzzy Hash: e0dedfebe87f778d67ef781127a88e592b1ad3cf936c1ba722e01508037ee68a
Instruction Fuzzy Hash: 9361377190021AAFDF10CFE4DC45EEEBB79FF04700B04816DE915AA291EB359A06CB60

Function 00A86841 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

LIMIT_MATCH=, xrefs: 00AC14C6
NO_START_OPT), xrefs: 00AC14A5
LIMIT_RECURSION=, xrefs: 00AC1552
ANYCRLF), xrefs: 00AC1651
CR), xrefs: 00AC15DD
NO_AUTO_POSSESS), xrefs: 00AC1484
CRLF), xrefs: 00AC1617
ANY), xrefs: 00AC1634
BSR_UNICODE), xrefs: 00AC168E
LF), xrefs: 00AC15FA
UCP), xrefs: 00AC1463
UTF16), xrefs: 00AC1425
UTF), xrefs: 00AC1450
BSR_ANYCRLF), xrefs: 00AC1674

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 54cf36dedf514464a13034e01fe661feeb217c1447d1589baf820db1d1e8fc9e
Instruction ID: 808ed3bbf17c384518c9a34c83970fd19c75624ee3b4d619f8ef79b8a607fb74
Opcode Fuzzy Hash: 54cf36dedf514464a13034e01fe661feeb217c1447d1589baf820db1d1e8fc9e
Instruction Fuzzy Hash: C9726F75E00219DBDB24DF59C850BAEB7F5FF49310F1581AAE819EB291EB309E41CB90

Function 00AF0465 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF0EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AEFE38,?,?), ref: 00AF0EBC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AF0537

Part of subcall function 00A79997: __itow.LIBCMT ref: 00A799C2
Part of subcall function 00A79997: __swprintf.LIBCMT ref: 00A79A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00AF05D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00AF066E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00AF08AD
RegCloseKey.ADVAPI32(00000000), ref: 00AF08BA

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: a364f8e01d6b61d9f6aee6e2503abd43b695d778da4129d075a6836cd470c5ab
Instruction ID: b446b0b64fc02776c598f00bf5f0d338ac378eb13e83b269edfd344cc3ef24ec
Opcode Fuzzy Hash: a364f8e01d6b61d9f6aee6e2503abd43b695d778da4129d075a6836cd470c5ab
Instruction Fuzzy Hash: AAE14B31604214AFCB14DF68C995E2BBBE9EF88754B04C96DF54ADB262DB30ED01CB91

Function 00AD003A Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00AD0062
GetAsyncKeyState.USER32(000000A0), ref: 00AD00E3
GetKeyState.USER32(000000A0), ref: 00AD00FE
GetAsyncKeyState.USER32(000000A1), ref: 00AD0118
GetKeyState.USER32(000000A1), ref: 00AD012D
GetAsyncKeyState.USER32(00000011), ref: 00AD0145
GetKeyState.USER32(00000011), ref: 00AD0157
GetAsyncKeyState.USER32(00000012), ref: 00AD016F
GetKeyState.USER32(00000012), ref: 00AD0181
GetAsyncKeyState.USER32(0000005B), ref: 00AD0199
GetKeyState.USER32(0000005B), ref: 00AD01AB

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 35a831f1e2177f75a1eaf9eb375a22dc9485ea1b1db4d089c0d1caacb01704fe
Instruction ID: dc4de4b15025edea2760d5cd5f1ec6bb15f2f18f8739fceaeb6a3928c4384e24
Opcode Fuzzy Hash: 35a831f1e2177f75a1eaf9eb375a22dc9485ea1b1db4d089c0d1caacb01704fe
Instruction Fuzzy Hash: 34418834A047CA6DFF319BA48814BB6FEA16F11344F08419BE5C7477C2EB9499C8C7A2

Function 00AE84D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A79997: __itow.LIBCMT ref: 00A799C2
Part of subcall function 00A79997: __swprintf.LIBCMT ref: 00A79A0C

CoInitialize.OLE32 ref: 00AE8518
CoUninitialize.COMBASE ref: 00AE8523
CoCreateInstance.COMBASE(?,00000000,00000017,00B02BEC,?), ref: 00AE8583
IIDFromString.COMBASE(?,?), ref: 00AE85F6
VariantInit.OLEAUT32(?), ref: 00AE8690
VariantClear.OLEAUT32(?), ref: 00AE86F1

Strings

Invalid parameter, xrefs: 00AE860F
Failed to create object, xrefs: 00AE858E, 00AE8644
NULL Pointer assignment, xrefs: 00AE85C8

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: a6434e402e29d3cbff5c27aae6989328e133f5b39d39684e5aeba49fcf975aef
Instruction ID: 37c7fc42e0d38ba4d1787135019ca6875240278878a2a03e30b876b93ffe3aa6
Opcode Fuzzy Hash: a6434e402e29d3cbff5c27aae6989328e133f5b39d39684e5aeba49fcf975aef
Instruction Fuzzy Hash: 7B61AC302083519FD710DF65C948B6BBBE4AF48754F00881EF9899B291CF74ED48CBA2

Function 00AE427A Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00AE42A1
EmptyClipboard.USER32 ref: 00AE42A7
GlobalAlloc.KERNEL32(00000002,?), ref: 00AE42BC
CloseClipboard.USER32 ref: 00AE435B

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: e19aa2a9f7a9dd9f04d3e65215d8e23bb2e05b17db902f26c162840dc6a4a895
Instruction ID: 76d6f379eec23e7919a095db9ac9e0603828dc456b1b2fc0c19dc18281decdf1
Opcode Fuzzy Hash: e19aa2a9f7a9dd9f04d3e65215d8e23bb2e05b17db902f26c162840dc6a4a895
Instruction Fuzzy Hash: 13219F352016119FDB10EFA5DC49B7E77A8EF48711F14802AFA46DB2A1DF30AC02CB54

Function 00AD3833 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A748A1,?,?,00A737C0,?), ref: 00A748CE

Part of subcall function 00AD4AD8: GetFileAttributesW.KERNEL32(?,00AD374F), ref: 00AD4AD9

FindFirstFileW.KERNEL32(?,?), ref: 00AD38E7
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00AD398F
MoveFileW.KERNEL32(?,?), ref: 00AD39A2
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00AD39BF
FindNextFileW.KERNEL32(00000000,00000010), ref: 00AD39E1
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00AD39FD

Strings

\*.*, xrefs: 00AD3892, 00AD389B, 00AD38B0

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 3d7356f8334bbbd6a03a35dd612c28e88fa19551273566a0ca941111407035bf
Instruction ID: 1d52c373f77ad86390b2882a6700b6bfecbdf0ced2ecdd58f2e5103f725af8ac
Opcode Fuzzy Hash: 3d7356f8334bbbd6a03a35dd612c28e88fa19551273566a0ca941111407035bf
Instruction Fuzzy Hash: 1C517F3290510C9ACF15EBE0DEA29FDB778AF14300F64816AE44677291EF716F09CB61

Function 00ADF47F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00A77F41: _memmove.LIBCMT ref: 00A77F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00ADF4CC
Sleep.KERNEL32(0000000A), ref: 00ADF4FC
_wcscmp.LIBCMT ref: 00ADF510
_wcscmp.LIBCMT ref: 00ADF52B
FindNextFileW.KERNEL32(?,?), ref: 00ADF5C9
FindClose.KERNEL32(00000000), ref: 00ADF5DF

Strings

*.*, xrefs: 00ADF4B1

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: ad9f035a7529a31ad2a6d136dcfae99859cb54e3ce5bd826f52cd8f36b72f4fa
Instruction ID: aad3af4f3b4a73a5964cd127241368ef5174123f31ea2f35cd77eb090b5e649e
Opcode Fuzzy Hash: ad9f035a7529a31ad2a6d136dcfae99859cb54e3ce5bd826f52cd8f36b72f4fa
Instruction Fuzzy Hash: C841627590121AAFCF11DFA4DD49AEF7BB4FF05310F148566E81AA32A1DB309E45CB90

Function 00AFD4A8 Relevance: 12.3, APIs: 8, Instructions: 257windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A72612: GetWindowLongW.USER32(?,000000EB), ref: 00A72623

GetSystemMetrics.USER32(0000000F), ref: 00AFD4E6
GetSystemMetrics.USER32(0000000F), ref: 00AFD506
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00AFD741
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00AFD75F
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00AFD780
ShowWindow.USER32(00000003,00000000), ref: 00AFD79F
InvalidateRect.USER32(?,00000000,00000001), ref: 00AFD7C4
NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 00AFD7E7

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
String ID:
API String ID: 830902736-0
Opcode ID: 8dc223aebdc68e86884d4eb051e975f5a8fe8f70b49a13375328c8ac00afa850
Instruction ID: 9469febd920d1dc912dca493a1decd131739d4deab040a125897afc3dd2c5bb7
Opcode Fuzzy Hash: 8dc223aebdc68e86884d4eb051e975f5a8fe8f70b49a13375328c8ac00afa850
Instruction Fuzzy Hash: FDB16875600229AFDF15DFA8C9857BE7BB2BF04711F088069FE48AF295DB34A950CB50

Function 00A84140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00A8421F
VUUU, xrefs: 00AB7A3B
VUUU, xrefs: 00A84520
VUUU, xrefs: 00A844DB
VUUU, xrefs: 00A844ED

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 3bd2e7a656798f40c219956f506867849a12329bd2056dceb42cb677c184269c
Instruction ID: e840e144bf4dcef23fbb64c0306b71e6b7ee8096f58ab22ab5263c595e95cf63
Opcode Fuzzy Hash: 3bd2e7a656798f40c219956f506867849a12329bd2056dceb42cb677c184269c
Instruction Fuzzy Hash: 06A26D70E0421ACBDF24EF58C9907EDB7B5BF58314F2481AAD85AA7281E7749E81CF50

Function 00A858C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A85A05
_memmove.LIBCMT ref: 00A85A55
_memmove.LIBCMT ref: 00A85ABB

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 84d41c03433dccf1c018378456a97cad43307a1f6051f5fdc8a24b2b5e1aa867
Instruction ID: 697ee0d181be37a73d56c03b3c94c7ec835e86f4cce59424e74c5c6b7ada9eb3
Opcode Fuzzy Hash: 84d41c03433dccf1c018378456a97cad43307a1f6051f5fdc8a24b2b5e1aa867
Instruction Fuzzy Hash: D2127A70E00609DFDF14DFA5DA85AAEB7F5FF48300F118669E806A7251EB35AE11CB50

Function 00AD5264 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC8AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AC8AED
Part of subcall function 00AC8AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AC8B1A
Part of subcall function 00AC8AA3: GetLastError.KERNEL32 ref: 00AC8B27

ExitWindowsEx.USER32(?,00000000), ref: 00AD52A0

Strings

@, xrefs: 00AD5293
SeShutdownPrivilege, xrefs: 00AD5270
, xrefs: 00AD528E

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 13c5c335051b15cefacf9186c19b126930b5397a7d35c872899cbe3665ed03a0
Instruction ID: 375f26bf9d70db2d7bd3b9767ddebac4046fe3af7d011a71cf3fb5a47ddc42af
Opcode Fuzzy Hash: 13c5c335051b15cefacf9186c19b126930b5397a7d35c872899cbe3665ed03a0
Instruction Fuzzy Hash: 7D01F731E907116EF72867B8AC4BFFA7268EB05751F240127F807D26D2D9605C0885D4

Function 00AE6399 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 00AE63F2
WSAGetLastError.WS2_32(00000000), ref: 00AE6401
bind.WS2_32(00000000,?,00000010), ref: 00AE641D
listen.WS2_32(00000000,00000005), ref: 00AE642C
WSAGetLastError.WS2_32(00000000), ref: 00AE6446
closesocket.WS2_32(00000000), ref: 00AE645A

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 8f0d190d869dbaba535b817a147f8db4d7dab3cdacb8f3c6a3f9e87db87998e4
Instruction ID: 8442fe7cc5b9eedee0a710f4750b12deff4757d331068d8c97f9094bbc240a59
Opcode Fuzzy Hash: 8f0d190d869dbaba535b817a147f8db4d7dab3cdacb8f3c6a3f9e87db87998e4
Instruction Fuzzy Hash: 0B219E346002049FCB10EFA4CE85B7EB7B9EF48760F148569E95AA73D1CB70AD01CB51

Function 00A85680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00A90F36: std::exception::exception.LIBCMT ref: 00A90F6C
Part of subcall function 00A90F36: __CxxThrowException@8.LIBCMT ref: 00A90F81

_memmove.LIBCMT ref: 00AC05AE
_memmove.LIBCMT ref: 00AC06C3
_memmove.LIBCMT ref: 00AC076A

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 5a06655b32a4d1ae448296adc6f0b9e1e345c2f81c53936452dd270aca68d3af
Instruction ID: 09072bd05af766eb2194daa19a073d0be8076ad33dbfceed414eb68f40898365
Opcode Fuzzy Hash: 5a06655b32a4d1ae448296adc6f0b9e1e345c2f81c53936452dd270aca68d3af
Instruction Fuzzy Hash: F2028B70E00209DFDF18DF64DA81AAEBBB5EF44310F55C069E80ADB255EB319A51CB91

Function 00A71287 Relevance: 7.9, APIs: 5, Instructions: 379nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A72612: GetWindowLongW.USER32(?,000000EB), ref: 00A72623

NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 00A719FA
GetSysColor.USER32(0000000F), ref: 00A71A4E
SetBkColor.GDI32(?,00000000), ref: 00A71A61

Part of subcall function 00A71290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00A712D8

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ColorDialogNtdllProc_$LongWindow
String ID:
API String ID: 591255283-0
Opcode ID: 7a7f76ebfcac973abfb0bcdcc78f5b46af845c78f8daa293b8c64dae62b8f03c
Instruction ID: d2f9b35fbe001a64d21b443a0ae9f4590565cc5c15a966e6031f3235c7a12547
Opcode Fuzzy Hash: 7a7f76ebfcac973abfb0bcdcc78f5b46af845c78f8daa293b8c64dae62b8f03c
Instruction Fuzzy Hash: 9EA14571116548BEE638AB6D8D44EBF35EDDB423D1F24C11AF10AD71D2EB20DD0192B6

Function 00AE685D Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE7EA0: inet_addr.WS2_32(00000000), ref: 00AE7ECB

socket.WS2_32(00000002,00000002,00000011), ref: 00AE68B4
WSAGetLastError.WS2_32(00000000), ref: 00AE68DD
bind.WS2_32(00000000,?,00000010), ref: 00AE6916
WSAGetLastError.WS2_32(00000000), ref: 00AE6923
closesocket.WS2_32(00000000), ref: 00AE6937

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 9bd07778f00c49d0c44f28a102bd74c080a9b1acb73d0e9e5a0bc4dbecfad338
Instruction ID: 6a4c7040bafa2e5134d3105a076d68e3e9f7cf32c077e5ca61aec8376cd4b6d8
Opcode Fuzzy Hash: 9bd07778f00c49d0c44f28a102bd74c080a9b1acb73d0e9e5a0bc4dbecfad338
Instruction Fuzzy Hash: DD41D435640210AFEB10AF649D86F3F77A89F48760F04C459FA1AAB3D2CA709D018791

Function 00AF53DF Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00AF542E
IsWindowEnabled.USER32 ref: 00AF543C
GetForegroundWindow.USER32(?,?,00000001), ref: 00AF5449
IsIconic.USER32 ref: 00AF5457
IsZoomed.USER32 ref: 00AF5465

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 5b775ddcf1012fb86c4f2ea7c3364e63b836e700c32eca9056f7fefec69e21e9
Instruction ID: b357f2ee9236f3bfdf307709c477d9c1974e2ebfb1f7ae683b450400025d5ba2
Opcode Fuzzy Hash: 5b775ddcf1012fb86c4f2ea7c3364e63b836e700c32eca9056f7fefec69e21e9
Instruction Fuzzy Hash: 1411B231B009156FE7219FF6DC44B3AB79AFF44763B048029FB46D7251CB309842C6A5

Function 00A83190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 9a340c284474ff843e875a07919d662251b946aacac6e53fe344d5cb04931ab7
Instruction ID: 49f74073d4c5dce065125ce3b5982472cf1f071d11d6114651ad4cd3386d3537
Opcode Fuzzy Hash: 9a340c284474ff843e875a07919d662251b946aacac6e53fe344d5cb04931ab7
Instruction Fuzzy Hash: 052290725083019FCB24EF24C991BAFB7E4BF84710F14891DF59A97291DB71EA05CB92

Function 00AEEF21 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00AEEF51
Process32FirstW.KERNEL32(00000000,?), ref: 00AEEF5F

Part of subcall function 00A77F41: _memmove.LIBCMT ref: 00A77F82

Process32NextW.KERNEL32(00000000,?), ref: 00AEF01F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00AEF02E

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 162ab890cb18f8f64c4bf381c7a2125d6ed3a21861bdc6c84da11eccb20c2ab6
Instruction ID: 9c41a3c703d26429a050bf724cf42c3dd3502dd37d975e4df40a216ebe85c558
Opcode Fuzzy Hash: 162ab890cb18f8f64c4bf381c7a2125d6ed3a21861bdc6c84da11eccb20c2ab6
Instruction Fuzzy Hash: 3C517D715043019FD310EF24DC86E6BB7E8EF88750F10892DF59997291EB70A909CB92

Function 00AFC502 Relevance: 6.1, APIs: 4, Instructions: 83nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A72612: GetWindowLongW.USER32(?,000000EB), ref: 00A72623

GetCursorPos.USER32(?), ref: 00AFC53C
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00AABB2B,?,?,?,?,?), ref: 00AFC551
GetCursorPos.USER32(?), ref: 00AFC59E
NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00AABB2B,?,?,?), ref: 00AFC5D8

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: d50047ceb1f6f362ca8904cb899cbf8d153f8f8795f0e35926d8ec4181c08b74
Instruction ID: aecad43d537c1988b6ef30a49432dfaae3df8d836e9a3aea52d697d11d5ebf56
Opcode Fuzzy Hash: d50047ceb1f6f362ca8904cb899cbf8d153f8f8795f0e35926d8ec4181c08b74
Instruction Fuzzy Hash: 7631713660041CEFCB25CFA5C998EBA7BF9EF49320F144069FA458B261D731AD51DBA0

Function 00A71290 Relevance: 6.1, APIs: 4, Instructions: 59nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A72612: GetWindowLongW.USER32(?,000000EB), ref: 00A72623

NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00A712D8
GetClientRect.USER32(?,?), ref: 00AAB77B
GetCursorPos.USER32(?), ref: 00AAB785
ScreenToClient.USER32(?,?), ref: 00AAB790

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
String ID:
API String ID: 1010295502-0
Opcode ID: f52974b93df00b1423d82e39d033427cbfbbaadd2ae9ab5e02243a625222abf3
Instruction ID: 7a37ee2640d68db89e3cf406b63ce84d61be5ce0b587df80bd469681532fb264
Opcode Fuzzy Hash: f52974b93df00b1423d82e39d033427cbfbbaadd2ae9ab5e02243a625222abf3
Instruction Fuzzy Hash: E0111636A00119EFCB10DFA8DD899FE77F9EB05300F508466F945E7251CB30AA56CBA5

Function 00ACE928 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00ACE93A

Strings

|, xrefs: 00ACE96A
(, xrefs: 00ACE980

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 3e635ca45081b385be718e488a7c6a35dae9b3baddd07fcb9079c3f899e86e7b
Instruction ID: d974ac1d2e6819968a031aa1894318bd7c4b811a14a9bbe57038f9212d463833
Opcode Fuzzy Hash: 3e635ca45081b385be718e488a7c6a35dae9b3baddd07fcb9079c3f899e86e7b
Instruction Fuzzy Hash: 28320475A00605DFCB28CF19C481E6AB7F1FF48360B16C56EE89ADB3A1E770A941CB44

Function 00AE2404 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00AE1920,00000000), ref: 00AE24F7
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00AE252E

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 16ef52a9a984818f8b62750ea489710acbdfcd9223f21dc785e8aaae96bbdf31
Instruction ID: dacb213ac104efab7253016e94180236b6ffba6fc92894df8ce40c48716a2405
Opcode Fuzzy Hash: 16ef52a9a984818f8b62750ea489710acbdfcd9223f21dc785e8aaae96bbdf31
Instruction Fuzzy Hash: DA41F571A04249FFEB20DF96DD85FBBB7FCEB40724F10406AF601A6180EA749E419760

Function 00ADB3BF Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00ADB3CF
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00ADB429
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00ADB476

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 2b7fab76a31ced3cdd131b494ff232ac53b554067ab8ce29c4f9d28e8e020d4a
Instruction ID: c48a6b973a8a0ca0938cafab7491f4877e39be3ef9763b7bc77e72eb6eae6f57
Opcode Fuzzy Hash: 2b7fab76a31ced3cdd131b494ff232ac53b554067ab8ce29c4f9d28e8e020d4a
Instruction Fuzzy Hash: DE216235A10118DFCB00EFA5DC84EEEBBB8FF48310F1580AAE905AB351CB319916CB55

Function 00AC8AA3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00A90F36: std::exception::exception.LIBCMT ref: 00A90F6C
Part of subcall function 00A90F36: __CxxThrowException@8.LIBCMT ref: 00A90F81

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AC8AED
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AC8B1A
GetLastError.KERNEL32 ref: 00AC8B27

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 625df835fd9cfd6e1b7b74def0f37a3aa9256dc376cf2d87e73fb7121a5b7bcb
Instruction ID: c57ef113a12f74f04ba646c852cb0af2cfbaa37f8315bf4b38a1c023aca04eb1
Opcode Fuzzy Hash: 625df835fd9cfd6e1b7b74def0f37a3aa9256dc376cf2d87e73fb7121a5b7bcb
Instruction Fuzzy Hash: 16118CB1514209AFD728EFA4DD85D2BB7FCFF44750B21816EF45697241EB30AD41CA60

Function 00AD4A08 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00AD4A31
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00AD4A48
FreeSid.ADVAPI32(?), ref: 00AD4A58

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 299ffac8bde7fd37a867ff357ac01b3e91359b977e02317e3f20a22cb59df34f
Instruction ID: 3492aba370c3da341e571c96e521820fcfcc6dd86d2362821b680e7d7d3d4996
Opcode Fuzzy Hash: 299ffac8bde7fd37a867ff357ac01b3e91359b977e02317e3f20a22cb59df34f
Instruction Fuzzy Hash: F9F03775A51208BFDB00DFE09C89ABEBBB8EF08201F0044A9A902E2281E6706A048B50

Function 00A7E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea6c85576ae3df2277a5537f386c9e7adc70dc912ac9b9946b1ed59ec0184936
Instruction ID: 2cd569626e827df225735ac812149ecc988e8a16d279d455089a4bb6af141d2f
Opcode Fuzzy Hash: ea6c85576ae3df2277a5537f386c9e7adc70dc912ac9b9946b1ed59ec0184936
Instruction Fuzzy Hash: E822AC71A002169FDF24DF54C881AAEBBF4FF18310F14C1A9E85A9B352E771AD85CB91

Function 00A716DE Relevance: 3.1, APIs: 2, Instructions: 83nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A72612: GetWindowLongW.USER32(?,000000EB), ref: 00A72623

Part of subcall function 00A725DB: GetWindowLongW.USER32(?,000000EB), ref: 00A725EC

GetParent.USER32(?), ref: 00AAB93A
NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,00A719B3,?,?,?,00000006,?), ref: 00AAB9B4

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: 2d5bcf8536121ed39ab3a9d4610ea1816dd7af6decd3ca2f7a2b523436c73fe2
Instruction ID: 97b31105651f1a115ddd03e22d289972b6e48a5509570ef965190aef5c68ccba
Opcode Fuzzy Hash: 2d5bcf8536121ed39ab3a9d4610ea1816dd7af6decd3ca2f7a2b523436c73fe2
Instruction Fuzzy Hash: 18216234205554AFCB248F68CDC4EAA3BE6AF4A320F54C254F6595B2F2CB319D51DB50

Function 00ADC75D Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00ADC787
FindClose.KERNEL32(00000000), ref: 00ADC7B7

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: e49848cdf4b2c8c1bb32c70a69ad43cf1f9a30d423b94ecfbf2d478af1e2f52a
Instruction ID: 22c3f9fadbf6265a7fd3c0bdc10cea7d5c1b49a8299d6b07f17dbbcf5de4dea4
Opcode Fuzzy Hash: e49848cdf4b2c8c1bb32c70a69ad43cf1f9a30d423b94ecfbf2d478af1e2f52a
Instruction Fuzzy Hash: C4118E326002009FD710DF69C845A2AF7E9FF84320F00C51EF9AA973A1DB30A801CB81

Function 00AFC5E7 Relevance: 3.0, APIs: 2, Instructions: 46nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A72612: GetWindowLongW.USER32(?,000000EB), ref: 00A72623

NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,00AABABA,?,?,?), ref: 00AFC65B

Part of subcall function 00A725DB: GetWindowLongW.USER32(?,000000EB), ref: 00A725EC

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00AFC641

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: d0e014e8528160a59af8532e085e85c22e50a6dbcaf9241147a849ce37a5a2fa
Instruction ID: 13de64f5d451de87d4ebe02fad8772560f16826bc9e9f9f5cc07f3fca2db3101
Opcode Fuzzy Hash: d0e014e8528160a59af8532e085e85c22e50a6dbcaf9241147a849ce37a5a2fa
Instruction Fuzzy Hash: 3F01B131204208EBCB219F95CD84F7A3BA6FF89720F144528FA454B2A1CB31A852EB90

Function 00AFC9A8 Relevance: 3.0, APIs: 2, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00AFC9CB
NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,00AABB96,?,?,?,?,?), ref: 00AFC9F4

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: f284be00d3fabd915284770715c57353757fbc6b5ceb8a26a1d4781a6764ce32
Instruction ID: 8070b485fc2dde01d04fe775163d201b14d364e57249aea0a509481b00db3749
Opcode Fuzzy Hash: f284be00d3fabd915284770715c57353757fbc6b5ceb8a26a1d4781a6764ce32
Instruction Fuzzy Hash: F7F0177240021CFFEB04CF85DC09ABE7BB9EF48321F10416AF941A2161D7716A61EBA4

Function 00ADA0F4 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00AE957D,?,00AFFB84,?), ref: 00ADA121
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00AE957D,?,00AFFB84,?), ref: 00ADA133

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 0e1ab007ba42c5bbc37726b5a1ea64337ab541531a5fe2ae5283a22abe33dcb1
Instruction ID: 4c86ab97ac38bfd98c0d212791230d2fbdd9129dc08c7685eba3dd54d95f8645
Opcode Fuzzy Hash: 0e1ab007ba42c5bbc37726b5a1ea64337ab541531a5fe2ae5283a22abe33dcb1
Instruction Fuzzy Hash: 5FF05E35505229BBDB219BE4CC49FEA776CBF09361F008266B91A96281D7309944CBA1

Function 00AFCAE6 Relevance: 3.0, APIs: 2, Instructions: 23nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00AFCAEE
NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,00AABB15,?,?,?,?), ref: 00AFCB1C

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: a097f584abf2f933ca406b9cd513dada8c2ab8877db9c78d6fd69f6353a80da7
Instruction ID: 8eab91264b41d593370ceb6d91ef63cfe1f6c0f111bd8b36afeb7282a7880db3
Opcode Fuzzy Hash: a097f584abf2f933ca406b9cd513dada8c2ab8877db9c78d6fd69f6353a80da7
Instruction Fuzzy Hash: A0E0867014025CBFEB159F9ADC1AFBA3B54EB04760F108115F996DA0E1C770D850D760

Function 00AC84F3 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AC8631), ref: 00AC8508
CloseHandle.KERNEL32(?,?,00AC8631), ref: 00AC851A

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: b5718085f2decdea46f38d86cb5c31a49b3700b5427d23c231ee1f5411169330
Instruction ID: 568d448681579fe2be98893f40bd7bd079dc550ef978799a6fb7e6cb7999e664
Opcode Fuzzy Hash: b5718085f2decdea46f38d86cb5c31a49b3700b5427d23c231ee1f5411169330
Instruction Fuzzy Hash: 54E0EC72014611AFEB252FA4EC09E777BEDFF44350714892DF89681470EB62ACA1DB50

Function 00A9A2D5 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,00B04178,00A98ED7,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 00A9A2DA
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00A9A2E3

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9c3095b3ff86149f463a0ca2544fe3aee7e60f831d983e175e8e324ee9554b79
Instruction ID: 1f6e1b155e1c7d0c9654a06af3c7154faa0e2b81c5a3a1812e404db1e333efea
Opcode Fuzzy Hash: 9c3095b3ff86149f463a0ca2544fe3aee7e60f831d983e175e8e324ee9554b79
Instruction Fuzzy Hash: 5FB09231054208AFCA106BD1EC09BA83F6AEF44AA2F404120F61D88060CB625452CA95

Function 00A9F359 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25726cb491356994b4d6a38494fbc9d4850426e729a0f096d4513d504bd0805c
Instruction ID: 77cfd2e7330abbd57a56551727263ad4d4515cbae02c83e701df4ac8bdf07d6a
Opcode Fuzzy Hash: 25726cb491356994b4d6a38494fbc9d4850426e729a0f096d4513d504bd0805c
Instruction Fuzzy Hash: 66320422E69F014DDB239635D832336A289AFB73D4F15D737E819B69A5EF28D4834100

Function 00AA25AE Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09940eeae5aeab20a44a4724f99310d0a38678ff7ee852a2677dd4d4a6e602e5
Instruction ID: 9af522f5fba85603e7091a624c11f51b9570160e2689898bbc6cdb8d63b86dec
Opcode Fuzzy Hash: 09940eeae5aeab20a44a4724f99310d0a38678ff7ee852a2677dd4d4a6e602e5
Instruction Fuzzy Hash: 1AB10021D2AF404DD32396398831336BA5CAFBB6D5F51DB1BFC2675E62EB2185834241

Function 00AD8932 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00AD8944

Part of subcall function 00A9537A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00AD9017,00000000,?,?,?,?,00AD91C8,00000000,?), ref: 00A95383
Part of subcall function 00A9537A: __aulldiv.LIBCMT ref: 00A953A3

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: d0b1e53a03ecc3f5349f562fd2cc6e9122dbd501aba5a080fc4af8cbec8825ca
Instruction ID: 7c608cc5c30731b2ddf9b7bb68042370ac71924d0d2d3e042337083087ee1dc8
Opcode Fuzzy Hash: d0b1e53a03ecc3f5349f562fd2cc6e9122dbd501aba5a080fc4af8cbec8825ca
Instruction Fuzzy Hash: 5D21D232635510CBC729CF25D451B56B3E1EBA5310B298E6CD1F6CB2C0CE38A905CB50

Function 00AFD7F6 Relevance: 1.6, APIs: 1, Instructions: 66nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A72612: GetWindowLongW.USER32(?,000000EB), ref: 00A72623

NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 00AFD8A2

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 073ec1fae48fbb44112f5aca5c9efe24f88ab3ac28e841770c91b74cffb821f9
Instruction ID: 5f165166b4eb1529192d23b984b0f21f09ec6c7ce8d7b3aecdf2ea868c405c26
Opcode Fuzzy Hash: 073ec1fae48fbb44112f5aca5c9efe24f88ab3ac28e841770c91b74cffb821f9
Instruction Fuzzy Hash: 1A11E37520011DBBEB2A9FACCD05FB93766DB417A0F204328FB655B1D2CA60AD0092E5

Function 00AFD422 Relevance: 1.5, APIs: 1, Instructions: 47nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A725DB: GetWindowLongW.USER32(?,000000EB), ref: 00A725EC

NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,00AABAD2,?,?,?,?,00000000,?), ref: 00AFD49C

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: e4519af676684b379a60ad9e8853e4b1ca6b14bdb40fef277b2a847ccab42469
Instruction ID: 5aeb09aeeb09571b2636d337a27d88d509c60f9d8269b50a7375e32090ba79a7
Opcode Fuzzy Hash: e4519af676684b379a60ad9e8853e4b1ca6b14bdb40fef277b2a847ccab42469
Instruction Fuzzy Hash: A101247160011CBFDB169FA9C849BBA3BA3EF41362F088124FA591F1A2C730BC10D7A0

Function 00A7189B Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A72612: GetWindowLongW.USER32(?,000000EB), ref: 00A72623

NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,00A71B04,?,?,?,?,?), ref: 00A718E2

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 2f73f144b0d27ef4f97ab24664ca041b232eb87a57b2af014a6d98a9613b2b2a
Instruction ID: fc20dec4a7443cfd9f4f7c41e4e777a9bee595a9eaae868c92a717faa25c4201
Opcode Fuzzy Hash: 2f73f144b0d27ef4f97ab24664ca041b232eb87a57b2af014a6d98a9613b2b2a
Instruction Fuzzy Hash: 9DF0B831200218EFCB28DF08CC90A3A3BE2EB00320F60C129F8964B2A0CB31DD60EB50

Function 00AE401F Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00AE403A

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: e5a07d922d82f91d3bddb1c0dafd95b6563fcd78c21de52c439bfc133509d483
Instruction ID: bcd91595620025a461e87ce9c1e44ea700ba08b89f961985e01018fb2ac85f4e
Opcode Fuzzy Hash: e5a07d922d82f91d3bddb1c0dafd95b6563fcd78c21de52c439bfc133509d483
Instruction Fuzzy Hash: CFE04F322002149FC710EF9AD804A9BFBECAFA87A1F00C026FD4AC7351DA74E941CB90

Function 00AFC928 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 00AFC968

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: d262ea8c3eaa1548033ddda22cfd11f366b9322f74a6b26e711e05934e63ed2b
Instruction ID: 85bf1f4269b2790b434ed70620fbb76d3b5ed6813127de85037d8ca994e15193
Opcode Fuzzy Hash: d262ea8c3eaa1548033ddda22cfd11f366b9322f74a6b26e711e05934e63ed2b
Instruction Fuzzy Hash: 47F06D31200259EFDB21DF98DD45FD63B95EB09320F148058BA15272E2CB707920D7A0

Function 00AD4CFA Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00AD4D1D

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 5ddd0e1a6f18162bd0b1459c9ffec25327727dd0b0188f35adece4a754294f8e
Instruction ID: 5442761867f49b2918676e1749467f2eab91b5bdf085b0b2e60d72ae26ab6716
Opcode Fuzzy Hash: 5ddd0e1a6f18162bd0b1459c9ffec25327727dd0b0188f35adece4a754294f8e
Instruction Fuzzy Hash: 3AD09EB41646057FFC284B609C1FB76351AF308796FA4454B76879A3C5A8F85C41A435

Function 00AC8A73 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00AC86B1), ref: 00AC8A93

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 698c34c3638240fa54c369e984c3bfd490c2330aecb2b30acf0468387a9f6af4
Instruction ID: 2611931a7e769848b89867bd603ac28bd3317e7868c0215d1d7df2ca63fb64aa
Opcode Fuzzy Hash: 698c34c3638240fa54c369e984c3bfd490c2330aecb2b30acf0468387a9f6af4
Instruction Fuzzy Hash: ADD05E3226050EAFEF018EA4DC01EBE3B69EB04B01F408111FE15C60A1C775D835EB60

Function 00AFC973 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00AABB3C,?,?,?,?,?,?), ref: 00AFC99E

Part of subcall function 00AFB669: _memset.LIBCMT ref: 00AFB678
Part of subcall function 00AFB669: _memset.LIBCMT ref: 00AFB687
Part of subcall function 00AFB669: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00B36F20,00B36F64), ref: 00AFB6B6
Part of subcall function 00AFB669: CloseHandle.KERNEL32 ref: 00AFB6C8

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 2364484715-0
Opcode ID: 2a86b5bae589c0f6de830b7f357810cb9b7c708b0b22020a211dac75482021d4
Instruction ID: cc5ff38a4c60f9643507e2be94f816546bf7c0688fc0ab39613b394371d64fa4
Opcode Fuzzy Hash: 2a86b5bae589c0f6de830b7f357810cb9b7c708b0b22020a211dac75482021d4
Instruction Fuzzy Hash: B2E0923121020CDFCB11AF85EE95EA937B6FB08714F014065FA055B2B2C771AA60EF51

Function 00A7167D Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A72612: GetWindowLongW.USER32(?,000000EB), ref: 00A72623

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,00A71AEE,?,?,?), ref: 00A716AB

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 13b00a7e08791028c99037028bd8bc6938dbd55bca07416a2ceb39c793edad18
Instruction ID: 4ced681b14da6a3ebcead79a6c732f91791fb278ca414878b56e836a5586254f
Opcode Fuzzy Hash: 13b00a7e08791028c99037028bd8bc6938dbd55bca07416a2ceb39c793edad18
Instruction Fuzzy Hash: 9DE0EC35100208FBCF15AF90DC51F683B66FB48310F60C468FA590B2A1CE32A922DB50

Function 00AFC8F9 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 00AFC91E

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 61b80028e8c7eca0e3f3127fe35ce68aa9ef12ec8156182a00e6326e73cdcfd1
Instruction ID: f0d0807cd34825b572dc8c3bdfbb642a3f3aa449f91efd9db06875063bbe030e
Opcode Fuzzy Hash: 61b80028e8c7eca0e3f3127fe35ce68aa9ef12ec8156182a00e6326e73cdcfd1
Instruction Fuzzy Hash: 78E04275240249EFDB01DF88D985D9A3BA5AB1D700F414054FA1547262CB71A960EBA1

Function 00AFC8CA Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 00AFC8EF

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 1bfbec430f1eeb331fe9abd6ac166d40b41fb11b08ff6167717a60e5a8076996
Instruction ID: adb6bb95ef165c6d8c1894175f63198d799c014ae7034c44b2b7f33d7ee6842d
Opcode Fuzzy Hash: 1bfbec430f1eeb331fe9abd6ac166d40b41fb11b08ff6167717a60e5a8076996
Instruction Fuzzy Hash: 91E04275244249EFDB01DF88D885E9A3BA5AB1D700F014054FA1557262CB71A920EB61

Function 00A716B5 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A72612: GetWindowLongW.USER32(?,000000EB), ref: 00A72623

Part of subcall function 00A7201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00A720D3
Part of subcall function 00A7201B: KillTimer.USER32(-00000001,?,?,?,?,00A716CB,00000000,?,?,00A71AE2,?,?), ref: 00A7216E

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00A71AE2,?,?), ref: 00A716D4

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: a4dadec8847e51254d3752a7755a12fa0c008e191f80fe9f9c3178d8280e3598
Instruction ID: 9e1a9058c282d9c939e59638c483a6a1bfd3ed84d25b75868370ecb0a300267b
Opcode Fuzzy Hash: a4dadec8847e51254d3752a7755a12fa0c008e191f80fe9f9c3178d8280e3598
Instruction Fuzzy Hash: AAD01231140308FBDA202B90DD17F593A19DB14750F50C031BA08291D3CA716C11E668

Function 00AB215F Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00AB2171

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: f93dbe67150c557557c8d2a0df107d41a3df654b04036f874d3184fe24bf2488
Instruction ID: b65b9a71cbde95b676417db994e586b511d00428fbf271651c99df44297762fd
Opcode Fuzzy Hash: f93dbe67150c557557c8d2a0df107d41a3df654b04036f874d3184fe24bf2488
Instruction Fuzzy Hash: 05C04CF1801109DBCB05DBD0D998DFE77BCAB04345F104455A101F2101D7749B44CB71

Function 00A9A2A4 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00A9A2AA

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 125a2e00284b8266277bb853adb2b83afbcf987a96d0d847d7845be7f358e85a
Instruction ID: 1a51dade76ea8079981c733ffe7f6e9208334a58176a2ac4a1c02ff298921c34
Opcode Fuzzy Hash: 125a2e00284b8266277bb853adb2b83afbcf987a96d0d847d7845be7f358e85a
Instruction Fuzzy Hash: 07A0113000020CAB8A002BC2EC088A8BFAEEA002A0B008020F80C880228B32A8228A80

Function 00A88968 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b5b75e52c3af49688a96e32568fbffc3d76d6dbf59b80930edfa1fb89a858ea
Instruction ID: f626147eaf6a619a7a923f3fb3ef652a8734b8c09184e8e18a592112b54c311b
Opcode Fuzzy Hash: 5b5b75e52c3af49688a96e32568fbffc3d76d6dbf59b80930edfa1fb89a858ea
Instruction Fuzzy Hash: 9922E370A00555CBDF38AB28C598B7CB7B1FF81344FAA856AE8529B591DF38ADC1C740

Function 00A92345 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 54e091dd400d22a199f2d20a8023dca6e653b102c45df6b0b3952f2d41827ff8
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 06C174363161930ADF2D8739843413EBEE15AA27B231A075EE8B3DB1D5EF24D964D720

Function 00A9277A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 0439dd05b96ca2daed5973cdea1aa0b618174cf8fc477c3cd790d429f477e2e0
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 56C1303631619309DF6D473A847423EBEE15AA27B231A176EE4B2DB1D5EF20C924D720

Function 00A91AF8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: e13834961035ae3e7bd92ce598c2a2263e1bed26e7ae7fcc36026a29ae9d5d0a
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: A9C1703631A19309DF6D473AC47453EBEE15AA27B231A076EE4B3CB1C4EF20C964D620

Function 00AE791B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00AE7970
DeleteObject.GDI32(00000000), ref: 00AE7982
DestroyWindow.USER32 ref: 00AE7990
GetDesktopWindow.USER32 ref: 00AE79AA
GetWindowRect.USER32(00000000), ref: 00AE79B1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00AE7AF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00AE7B02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE7B4A
GetClientRect.USER32(00000000,?), ref: 00AE7B56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00AE7B90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE7BB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE7BC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE7BD0
GlobalLock.KERNEL32(00000000), ref: 00AE7BD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE7BE8
GlobalUnlock.KERNEL32(00000000), ref: 00AE7BF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE7BF8
GlobalFree.KERNEL32(00000000), ref: 00AE7C03
CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 00AE7C15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00B02CAC,00000000), ref: 00AE7C2B
GlobalFree.KERNEL32(00000000), ref: 00AE7C3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00AE7C61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00AE7C80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE7CA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AE7E8F

Strings

static, xrefs: 00AE7B8A, 00AE7CE1
AutoIt v3, xrefs: 00AE7B42
DISPLAY, xrefs: 00AE7CF2
, xrefs: 00AE7E15

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 57722be6abf5067cb16470ece4e9c2d9412010581ca5c5d3050a5e4e48d29c54
Instruction ID: 4fc2174dc9f9a3c4a849c7c07833f74356f930e15563c0b6cbb77c5bd027d6a7
Opcode Fuzzy Hash: 57722be6abf5067cb16470ece4e9c2d9412010581ca5c5d3050a5e4e48d29c54
Instruction Fuzzy Hash: 94026A71900159AFDB14DFA5DD89EAEBBB9EF48310F148169F905AB2A1DB30AD01CF60

Function 00AF35D4 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00AFF910), ref: 00AF3690
IsWindowVisible.USER32(?), ref: 00AF36B4

Strings

HIDEDROPDOWN, xrefs: 00AF3769
ISVISIBLE, xrefs: 00AF36A0
DELSTRING, xrefs: 00AF37B2
GETLINECOUNT, xrefs: 00AF392F
ADDSTRING, xrefs: 00AF377F
GETCURRENTSELECTION, xrefs: 00AF384C
SELECTSTRING, xrefs: 00AF386F
ISENABLED, xrefs: 00AF36D4
SETCURRENTSELECTION, xrefs: 00AF381F
GETLINE, xrefs: 00AF3A04
FINDSTRING, xrefs: 00AF37DF
GETSELECTED, xrefs: 00AF390C
ISCHECKED, xrefs: 00AF38A2
GETCURRENTLINE, xrefs: 00AF3956
GETCURRENTCOL, xrefs: 00AF3991
EDITPASTE, xrefs: 00AF39C8
SHOWDROPDOWN, xrefs: 00AF3749
CURRENTTAB, xrefs: 00AF3726
UNCHECK, xrefs: 00AF38EC
SENDCOMMANDID, xrefs: 00AF3A43
CHECK, xrefs: 00AF38D6
TABLEFT, xrefs: 00AF36F0
TABRIGHT, xrefs: 00AF3706

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 4ff54c2d036004a81912e5be95a66d6cd0a65814afc50be78f4654e61bce71a0
Instruction ID: 41ec1a621e035fa9a71f98fecb335e3de924979fc2373f61fb00b9ff58900d47
Opcode Fuzzy Hash: 4ff54c2d036004a81912e5be95a66d6cd0a65814afc50be78f4654e61bce71a0
Instruction Fuzzy Hash: E2D15F312046199FCF14FF50C991E7A77E5AF94394F148568F98A5B3A2CB31EE0ACB81

Function 00AFA60C Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00AFA662
GetSysColorBrush.USER32(0000000F), ref: 00AFA693
GetSysColor.USER32(0000000F), ref: 00AFA69F
SetBkColor.GDI32(?,000000FF), ref: 00AFA6B9
SelectObject.GDI32(?,00000000), ref: 00AFA6C8
InflateRect.USER32(?,000000FF,000000FF), ref: 00AFA6F3
GetSysColor.USER32(00000010), ref: 00AFA6FB
CreateSolidBrush.GDI32(00000000), ref: 00AFA702
FrameRect.USER32(?,?,00000000), ref: 00AFA711
DeleteObject.GDI32(00000000), ref: 00AFA718
InflateRect.USER32(?,000000FE,000000FE), ref: 00AFA763
FillRect.USER32(?,?,00000000), ref: 00AFA795
GetWindowLongW.USER32(?,000000F0), ref: 00AFA7C0

Part of subcall function 00AFA8FC: GetSysColor.USER32(00000012), ref: 00AFA935
Part of subcall function 00AFA8FC: SetTextColor.GDI32(?,?), ref: 00AFA939
Part of subcall function 00AFA8FC: GetSysColorBrush.USER32(0000000F), ref: 00AFA94F
Part of subcall function 00AFA8FC: GetSysColor.USER32(0000000F), ref: 00AFA95A
Part of subcall function 00AFA8FC: GetSysColor.USER32(00000011), ref: 00AFA977
Part of subcall function 00AFA8FC: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00AFA985
Part of subcall function 00AFA8FC: SelectObject.GDI32(?,00000000), ref: 00AFA996
Part of subcall function 00AFA8FC: SetBkColor.GDI32(?,00000000), ref: 00AFA99F
Part of subcall function 00AFA8FC: SelectObject.GDI32(?,?), ref: 00AFA9AC
Part of subcall function 00AFA8FC: InflateRect.USER32(?,000000FF,000000FF), ref: 00AFA9CB
Part of subcall function 00AFA8FC: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00AFA9E2
Part of subcall function 00AFA8FC: GetWindowLongW.USER32(00000000,000000F0), ref: 00AFA9F7
Part of subcall function 00AFA8FC: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00AFAA1F

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: ae0fbd2279173411bacf76b00c4e9e015cc6e4eb3422f44b56c144bfd0141c0b
Instruction ID: 8af736c8ccd9f1f4a5a6326185b58508ef9fdd11016ae1222c6a8af02f36ec9c
Opcode Fuzzy Hash: ae0fbd2279173411bacf76b00c4e9e015cc6e4eb3422f44b56c144bfd0141c0b
Instruction Fuzzy Hash: 46915CB2408305AFD710DFE4DC48E6B7BA9FF89321F100B29FA66D61A0D7719945CB52

Function 00AE75C0 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00AE75F3
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00AE76B2
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00AE76F0
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00AE7702
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00AE7748
GetClientRect.USER32(00000000,?), ref: 00AE7754
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00AE7798
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00AE77A7
GetStockObject.GDI32(00000011), ref: 00AE77B7
SelectObject.GDI32(00000000,00000000), ref: 00AE77BB
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00AE77CB
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AE77D4
DeleteDC.GDI32(00000000), ref: 00AE77DD
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00AE7809
SendMessageW.USER32(00000030,00000000,00000001), ref: 00AE7820
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00AE785B
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00AE786F
SendMessageW.USER32(00000404,00000001,00000000), ref: 00AE7880
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00AE78B0
GetStockObject.GDI32(00000011), ref: 00AE78BB
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00AE78C6
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00AE78D0

Strings

static, xrefs: 00AE7792, 00AE78AA
AutoIt v3, xrefs: 00AE7740
DISPLAY, xrefs: 00AE779D
msctls_progress32, xrefs: 00AE7851

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: b98960123a5363ea3d084003612ffb063fb4c19493565bcf90b58e8108859eb9
Instruction ID: b7b97d210e0587ab4761ae9011e0954f785c589fe1e5d03ed335fe297c57d355
Opcode Fuzzy Hash: b98960123a5363ea3d084003612ffb063fb4c19493565bcf90b58e8108859eb9
Instruction Fuzzy Hash: 4AA17071A40619BFEB14DBA4DC4AFAF7BA9EF08714F108114FA14A72E0CB70AD01CB64

Function 00ADAD9C Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00ADADAA
GetDriveTypeW.KERNEL32(?,00AFFAC0,?,\\.\,00AFF910), ref: 00ADAE87
SetErrorMode.KERNEL32(00000000,00AFFAC0,?,\\.\,00AFF910), ref: 00ADAFE5

Strings

Removable, xrefs: 00ADAED9
RAMDisk, xrefs: 00ADAEB1
ATA, xrefs: 00ADAF60
SCSI, xrefs: 00ADAF52
Network, xrefs: 00ADAEC5
Virtual, xrefs: 00ADAFAD
Unknown, xrefs: 00ADAEA7, 00ADAF4B
USB, xrefs: 00ADAF7C
SATA, xrefs: 00ADAF98
CDROM, xrefs: 00ADAEBB
Fibre, xrefs: 00ADAF75
iSCSI, xrefs: 00ADAF8A
FileBackedVirtual, xrefs: 00ADAFB4
1394, xrefs: 00ADAF67
\\.\, xrefs: 00ADADFC
RAID, xrefs: 00ADAF83
SAS, xrefs: 00ADAF91
SSD, xrefs: 00ADAF12
MMC, xrefs: 00ADAFA6
Fixed, xrefs: 00ADAECF
SSA, xrefs: 00ADAF6E
ATAPI, xrefs: 00ADAF59
PhysicalDrive, xrefs: 00ADAE33

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 094adfbfcdb1f72bab71fb5e5b89020bb4a3f8f9ec57b56df22b1aac5a7bd1ad
Instruction ID: faa8bbfa54dc338cc64190efecf8d49ff2da9a852950843e901b02a202494799
Opcode Fuzzy Hash: 094adfbfcdb1f72bab71fb5e5b89020bb4a3f8f9ec57b56df22b1aac5a7bd1ad
Instruction Fuzzy Hash: 5C5182B5649215ABCB00DB50DE9697DB3B1AB6970072084D7E90BA73A1CF71DD01DB83

Function 00A76A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00A76A91
__wcsnicmp.LIBCMT ref: 00A76AA9
__wcsnicmp.LIBCMT ref: 00A76AC1
__wcsnicmp.LIBCMT ref: 00A76AD9
__wcsnicmp.LIBCMT ref: 00A76AF1
__wcsnicmp.LIBCMT ref: 00A76B09
__wcsnicmp.LIBCMT ref: 00A76B21
__wcsnicmp.LIBCMT ref: 00A76B35
__wcsnicmp.LIBCMT ref: 00A76B76
__wcsnicmp.LIBCMT ref: 00A76B8A
__wcsnicmp.LIBCMT ref: 00A76B9E
__wcsnicmp.LIBCMT ref: 00A76BB2

Strings

#pragma compile, xrefs: 00A76A8B
#comments-start, xrefs: 00A76B1B, 00A76B70
#include, xrefs: 00A76B03
#notrayicon, xrefs: 00A76AA3
Cannot parse #include, xrefs: 00AAE749
#comments-end, xrefs: 00A76B98
Unterminated group of comments, xrefs: 00AAE75C
#OnAutoItStartRegister, xrefs: 00A76AD3
#cs, xrefs: 00A76B2F, 00A76B84
#ce, xrefs: 00A76BAC
#include-once, xrefs: 00A76AEB
Bad directive syntax error, xrefs: 00AAE673
#requireadmin, xrefs: 00A76ABB

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 3ac0397f2a7a0742bc447a3cb931bc78fe7d9b5d5f6722b72e6d9cc6e05b40b0
Instruction ID: cb5c8a6f7d2366a802c6f94c47b29f9486b825e4406c2fe671b6defc9c86eb02
Opcode Fuzzy Hash: 3ac0397f2a7a0742bc447a3cb931bc78fe7d9b5d5f6722b72e6d9cc6e05b40b0
Instruction Fuzzy Hash: 64811371740615BACF20AF64CE96FAE77F8AF12740F04C025F949AB1D2EB60DE55C2A0

Function 00A72C18 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00A72CA2
DeleteObject.GDI32(00000000), ref: 00A72CE8
DeleteObject.GDI32(00000000), ref: 00A72CF3
DestroyCursor.USER32(00000000), ref: 00A72CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00A72D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00AAC5BB
6F540200.COMCTL32(?,000000FF,?), ref: 00AAC5F4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00AACA1D

Part of subcall function 00A71B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A72036,?,00000000,?,?,?,?,00A716CB,00000000,?), ref: 00A71B9A

SendMessageW.USER32(?,00001053), ref: 00AACA5A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00AACA71

Strings

0, xrefs: 00AAC8B1

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: DestroyMessageSendWindow$DeleteObject$CursorF540200InvalidateMoveRect
String ID: 0
API String ID: 22932394-4108050209
Opcode ID: ce83ee681444ab1707f183dd46fd5add1b6dea4e6397643120943edc4edf1d53
Instruction ID: 3f9a192ae1063a5d2ce8408c480ecf44bea54bf9c526c85817720c7e9b59109d
Opcode Fuzzy Hash: ce83ee681444ab1707f183dd46fd5add1b6dea4e6397643120943edc4edf1d53
Instruction Fuzzy Hash: 3B126F30604201EFEB25CF24C984BAAB7F5FF56320F548569F599DB2A2C731E842CB91

Function 00AF9A4E Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00AF9B04
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00AF9BBD
SendMessageW.USER32(?,00001102,00000002,?), ref: 00AF9BD9

Strings

0, xrefs: 00AF9C16

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: b0a886ce9be261c7f59beb566b34d59d893fabff388601bf2b0822560d5ddac9
Instruction ID: 4dd0b5b8d6b4ebe9acc3ec33e4f3525fa3569f90e65d72ea0248e752dcffbc37
Opcode Fuzzy Hash: b0a886ce9be261c7f59beb566b34d59d893fabff388601bf2b0822560d5ddac9
Instruction Fuzzy Hash: DF02AB70108309AFD725CFA4C848BBBBBE5FF49344F14852DFA99D62A0CB359945CB92

Function 00AFA8FC Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00AFA935
SetTextColor.GDI32(?,?), ref: 00AFA939
GetSysColorBrush.USER32(0000000F), ref: 00AFA94F
GetSysColor.USER32(0000000F), ref: 00AFA95A
CreateSolidBrush.GDI32(?), ref: 00AFA95F
GetSysColor.USER32(00000011), ref: 00AFA977
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00AFA985
SelectObject.GDI32(?,00000000), ref: 00AFA996
SetBkColor.GDI32(?,00000000), ref: 00AFA99F
SelectObject.GDI32(?,?), ref: 00AFA9AC
InflateRect.USER32(?,000000FF,000000FF), ref: 00AFA9CB
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00AFA9E2
GetWindowLongW.USER32(00000000,000000F0), ref: 00AFA9F7
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00AFAA1F
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00AFAA46
InflateRect.USER32(?,000000FD,000000FD), ref: 00AFAA64
DrawFocusRect.USER32(?,?), ref: 00AFAA6F
GetSysColor.USER32(00000011), ref: 00AFAA7D
SetTextColor.GDI32(?,00000000), ref: 00AFAA85
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00AFAA99
SelectObject.GDI32(?,00AFA62C), ref: 00AFAAB0
DeleteObject.GDI32(?), ref: 00AFAABB
SelectObject.GDI32(?,?), ref: 00AFAAC1
DeleteObject.GDI32(?), ref: 00AFAAC6
SetTextColor.GDI32(?,?), ref: 00AFAACC
SetBkColor.GDI32(?,?), ref: 00AFAAD6

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 4f59565e845ff043a69c4ffcc104149c204cf1afe81cedaf5f0a7c690288b8c9
Instruction ID: 25b1fc63094af3a0a48448a079018d8f95864f07fe3629719399e8e405b1f756
Opcode Fuzzy Hash: 4f59565e845ff043a69c4ffcc104149c204cf1afe81cedaf5f0a7c690288b8c9
Instruction Fuzzy Hash: A75108B1900208FFDB11DFE4DD48EAEBBB9EF48320F114625FA15AB2A1D7719941DB90

Function 00AF8A07 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00AF8AF3
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AF8B04
CharNextW.USER32(0000014E), ref: 00AF8B33
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00AF8B74
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00AF8B8A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AF8B9B
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00AF8BB8
SetWindowTextW.USER32(?,0000014E), ref: 00AF8C0A
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00AF8C20
SendMessageW.USER32(?,00001002,00000000,?), ref: 00AF8C51
_memset.LIBCMT ref: 00AF8C76
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00AF8CBF
_memset.LIBCMT ref: 00AF8D1E
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00AF8D48
SendMessageW.USER32(?,00001074,?,00000001), ref: 00AF8DA0
SendMessageW.USER32(?,0000133D,?,?), ref: 00AF8E4D
InvalidateRect.USER32(?,00000000,00000001), ref: 00AF8E6F
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00AF8EB9
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00AF8EE6
DrawMenuBar.USER32(?), ref: 00AF8EF5
SetWindowTextW.USER32(?,0000014E), ref: 00AF8F1D

Strings

0, xrefs: 00AF8E87

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 388c263cf06fb917d62919a715db62e74087ffbe5599e1f177aeed701ebc035e
Instruction ID: bf0c4c0f9728bb982f6d7b0f59226f7d7eed77f9f6be4c2e16cbda968c56bc69
Opcode Fuzzy Hash: 388c263cf06fb917d62919a715db62e74087ffbe5599e1f177aeed701ebc035e
Instruction Fuzzy Hash: C7E12D7190121CAFDF209FA5CC84EFE7BB9EF05750F108156FA15AA291DB788A81DF60

Function 00AF48F8 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00AF4A33
GetDesktopWindow.USER32 ref: 00AF4A48
GetWindowRect.USER32(00000000), ref: 00AF4A4F
GetWindowLongW.USER32(?,000000F0), ref: 00AF4AB1
DestroyWindow.USER32(?), ref: 00AF4ADD
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00AF4B06
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AF4B24
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00AF4B4A
SendMessageW.USER32(?,00000421,?,?), ref: 00AF4B5F
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00AF4B72
IsWindowVisible.USER32(?), ref: 00AF4B92
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00AF4BAD
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00AF4BC1
GetWindowRect.USER32(?,?), ref: 00AF4BD9
MonitorFromPoint.USER32(?,?,00000002), ref: 00AF4BFF
GetMonitorInfoW.USER32(00000000,?), ref: 00AF4C19
CopyRect.USER32(?,?), ref: 00AF4C30
SendMessageW.USER32(?,00000412,00000000), ref: 00AF4C9B

Strings

tooltips_class32, xrefs: 00AF4AFF
0, xrefs: 00AF49DE
(, xrefs: 00AF4C0C

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 3b86a48cdfc2a5e28ce7a697936b8f668c91db1ef870a4f58f1ea9886bd1ef97
Instruction ID: 582b4c6ce2387ee14db0812c8b140797dc0aa3becb8c96f317fe1012f486f716
Opcode Fuzzy Hash: 3b86a48cdfc2a5e28ce7a697936b8f668c91db1ef870a4f58f1ea9886bd1ef97
Instruction Fuzzy Hash: 8DB16871604341AFDB54DFA4C988A6BBBE4FF88310F00891DF6999B2A1DB71E805CB95

Function 00A727D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A728BC
GetSystemMetrics.USER32(00000007), ref: 00A728C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A728EF
GetSystemMetrics.USER32(00000008), ref: 00A728F7
GetSystemMetrics.USER32(00000004), ref: 00A7291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00A72939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00A72949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00A7297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A72990
GetClientRect.USER32(00000000,000000FF), ref: 00A729AE
GetStockObject.GDI32(00000011), ref: 00A729CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A729D5

Part of subcall function 00A72344: GetCursorPos.USER32(?), ref: 00A72357
Part of subcall function 00A72344: ScreenToClient.USER32(00B357B0,?), ref: 00A72374
Part of subcall function 00A72344: GetAsyncKeyState.USER32(00000001), ref: 00A72399
Part of subcall function 00A72344: GetAsyncKeyState.USER32(00000002), ref: 00A723A7

SetTimer.USER32(00000000,00000000,00000028,00A71256), ref: 00A729FC

Strings

AutoIt v3 GUI, xrefs: 00A72974

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: a791f0e9366d0fd9438aedb7e8beea05249eb7df2f050fdb036c92abde4f87ad
Instruction ID: ec8738a191b62208900cf26951399e8478c29a2acc54fa9df5fb5065a2f47b0a
Opcode Fuzzy Hash: a791f0e9366d0fd9438aedb7e8beea05249eb7df2f050fdb036c92abde4f87ad
Instruction Fuzzy Hash: 40B13E71A0020AEFDB24DFA8DD45BAD7BB4FF08315F108229FA19E7290DB749951CB54

Function 00AD44DB Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00AD4541
_wcscmp.LIBCMT ref: 00AD454C
_wcscat.LIBCMT ref: 00AD4562
_wcsstr.LIBCMT ref: 00AD456D
74D31560.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00AD4589
_wcscat.LIBCMT ref: 00AD45D2
_wcscat.LIBCMT ref: 00AD45D9
_wcsncpy.LIBCMT ref: 00AD4604

Strings

%u.%u.%u.%u, xrefs: 00AD4667
StringFileInfo\, xrefs: 00AD455C
\VarFileInfo\Translation, xrefs: 00AD4581
DefaultLangCodepage, xrefs: 00AD45EC
04090000, xrefs: 00AD45BF

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: _wcscat$D31560_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 390803403-1459072770
Opcode ID: 08fcf020cc80502f87e11bfc945b3e55d1d8bcde8838577485256804c9e2cee3
Instruction ID: 2e682263eeae00606eb77ce1143710e108e2d4f6ae9cdc52a3779629bdc59bb6
Opcode Fuzzy Hash: 08fcf020cc80502f87e11bfc945b3e55d1d8bcde8838577485256804c9e2cee3
Instruction Fuzzy Hash: DE41F172A002047FDF11BBA09D43EBF77FCEF49750F000066F906A6282EB34DA1196A9

Function 00ACA844 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00ACA885
__swprintf.LIBCMT ref: 00ACA926
_wcscmp.LIBCMT ref: 00ACA939
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00ACA98E
_wcscmp.LIBCMT ref: 00ACA9CA
GetClassNameW.USER32(?,?,00000400), ref: 00ACAA01
GetDlgCtrlID.USER32(?), ref: 00ACAA53
GetWindowRect.USER32(?,?), ref: 00ACAA89
GetParent.USER32(?), ref: 00ACAAA7
ScreenToClient.USER32(00000000), ref: 00ACAAAE
GetClassNameW.USER32(?,?,00000100), ref: 00ACAB28
_wcscmp.LIBCMT ref: 00ACAB3C
GetWindowTextW.USER32(?,?,00000400), ref: 00ACAB62
_wcscmp.LIBCMT ref: 00ACAB76

Part of subcall function 00A937AC: _iswctype.LIBCMT ref: 00A937B4

Strings

%s%u, xrefs: 00ACA920

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 69cf21b4ac43b176a9bb6481ae1825ff8cefc3d0f8ca892d927788f5835db2a2
Instruction ID: 517eec78c78529d0a94b0c27b420beba1889bc8881e87d043d4a6f5c99df3634
Opcode Fuzzy Hash: 69cf21b4ac43b176a9bb6481ae1825ff8cefc3d0f8ca892d927788f5835db2a2
Instruction Fuzzy Hash: A8A1C07220460AAFDB14DF64C984FBAB7E9FF14358F11852DE999C2150DB30ED45CB92

Function 00ACB196 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00ACB1DA
_wcscmp.LIBCMT ref: 00ACB1EB
GetWindowTextW.USER32(00000001,?,00000400), ref: 00ACB213
CharUpperBuffW.USER32(?,00000000), ref: 00ACB230
_wcscmp.LIBCMT ref: 00ACB24E
_wcsstr.LIBCMT ref: 00ACB25F
GetClassNameW.USER32(00000018,?,00000400), ref: 00ACB297
_wcscmp.LIBCMT ref: 00ACB2A7
GetWindowTextW.USER32(00000002,?,00000400), ref: 00ACB2CE
GetClassNameW.USER32(00000018,?,00000400), ref: 00ACB317
_wcscmp.LIBCMT ref: 00ACB327
GetClassNameW.USER32(00000010,?,00000400), ref: 00ACB34F
GetWindowRect.USER32(00000004,?), ref: 00ACB3B8

Strings

@, xrefs: 00ACB1BB
ThumbnailClass, xrefs: 00ACB2A2, 00ACB322

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: f284bd8e9d0c85e4acb9ab3a5453a82c6ea256d830900b8137e3afaff2171b33
Instruction ID: c3d60cd466fd929020eb243d73868ba1c14ef3f77e197dcea18e498da499592a
Opcode Fuzzy Hash: f284bd8e9d0c85e4acb9ab3a5453a82c6ea256d830900b8137e3afaff2171b33
Instruction Fuzzy Hash: 4881B0720182459FDB04DF54C986FAABBE8EF44314F08856DFD898A0A2DB31DD46CB71

Function 00ACAFDF Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00ACB03E

Strings

REGEXP=, xrefs: 00ACB053
[ACTIVE, xrefs: 00ACB02B
[CLASS:, xrefs: 00ACB08E
ALL, xrefs: 00ACB0D2
ACTIVE, xrefs: 00ACB019
CLASSNAME=, xrefs: 00ACB07B
[REGEXPTITLE:, xrefs: 00ACB066
LAST, xrefs: 00ACB003
HANDLE=, xrefs: 00ACB037
[ALL, xrefs: 00ACB0E4
[HANDLE:, xrefs: 00ACB04A
[LAST, xrefs: 00ACB0EB

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 9908568319193d2ab875547d0dccd0d5c69ae9d8de9bd1f9b2930bbe107bbf2e
Instruction ID: bc6fa1887adb2255d9a942918037ab2a23e7622116392b9d919550b16675bc05
Opcode Fuzzy Hash: 9908568319193d2ab875547d0dccd0d5c69ae9d8de9bd1f9b2930bbe107bbf2e
Instruction Fuzzy Hash: 0931A231A88215A6DF24EB60DE57FAF73F49F11720F204568B45A710E2EF526F04C665

Function 00ACC2C0 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00ACC2D3
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00ACC2E5
SetWindowTextW.USER32(?,?), ref: 00ACC2FC
GetDlgItem.USER32(?,000003EA), ref: 00ACC311
SetWindowTextW.USER32(00000000,?), ref: 00ACC317
GetDlgItem.USER32(?,000003E9), ref: 00ACC327
SetWindowTextW.USER32(00000000,?), ref: 00ACC32D
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00ACC34E
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00ACC368
GetWindowRect.USER32(?,?), ref: 00ACC371
SetWindowTextW.USER32(?,?), ref: 00ACC3DC
GetDesktopWindow.USER32 ref: 00ACC3E2
GetWindowRect.USER32(00000000), ref: 00ACC3E9
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00ACC435
GetClientRect.USER32(?,?), ref: 00ACC442
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00ACC467
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00ACC492

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 1f13ebd2d34f44b3c2b96b8e4547c0cdfb1eae1701e540cbf61a99361c5f43ae
Instruction ID: b22d7d7e275b3f3e107d2d3a78ef7808f74c66d5d906e753f358959ee45b2329
Opcode Fuzzy Hash: 1f13ebd2d34f44b3c2b96b8e4547c0cdfb1eae1701e540cbf61a99361c5f43ae
Instruction Fuzzy Hash: 8E515A30900749AFDB20DFE8DE89F6EBBB5FF04714F01452CE686A66A0CB74A905CB50

Function 00AE5113 Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00AE5129
LoadCursorW.USER32(00000000,00007F00), ref: 00AE5134
LoadCursorW.USER32(00000000,00007F03), ref: 00AE513F
LoadCursorW.USER32(00000000,00007F8B), ref: 00AE514A
LoadCursorW.USER32(00000000,00007F01), ref: 00AE5155
LoadCursorW.USER32(00000000,00007F81), ref: 00AE5160
LoadCursorW.USER32(00000000,00007F88), ref: 00AE516B
LoadCursorW.USER32(00000000,00007F80), ref: 00AE5176
LoadCursorW.USER32(00000000,00007F86), ref: 00AE5181
LoadCursorW.USER32(00000000,00007F83), ref: 00AE518C
LoadCursorW.USER32(00000000,00007F85), ref: 00AE5197
LoadCursorW.USER32(00000000,00007F82), ref: 00AE51A2
LoadCursorW.USER32(00000000,00007F84), ref: 00AE51AD
LoadCursorW.USER32(00000000,00007F04), ref: 00AE51B8
LoadCursorW.USER32(00000000,00007F02), ref: 00AE51C3
LoadCursorW.USER32(00000000,00007F89), ref: 00AE51CE
GetCursorInfo.USER32(?), ref: 00AE51DE

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 70af4303015a780da3c9be10149e63e8e52a554538aca75e0fc27dbbf5a54323
Instruction ID: e000a99c4331225fdf715b93b968bff054c6ebb95b223840ddd3991376d059be
Opcode Fuzzy Hash: 70af4303015a780da3c9be10149e63e8e52a554538aca75e0fc27dbbf5a54323
Instruction Fuzzy Hash: 9831F4B0D4831A6ADB109FB69C899AFBEF8FF04754F50453AA50DE7280DA7865018EA1

Function 00AFA1EB Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AFA28B
DestroyWindow.USER32(?,?), ref: 00AFA305

Part of subcall function 00A77D2C: _memmove.LIBCMT ref: 00A77D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00AFA37F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00AFA3A1
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AFA3B4
DestroyWindow.USER32(00000000), ref: 00AFA3D6
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A70000,00000000), ref: 00AFA40D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AFA426
GetDesktopWindow.USER32 ref: 00AFA43F
GetWindowRect.USER32(00000000), ref: 00AFA446
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00AFA45E
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00AFA476

Part of subcall function 00A725DB: GetWindowLongW.USER32(?,000000EB), ref: 00A725EC

Strings

tooltips_class32, xrefs: 00AFA378, 00AFA406
0, xrefs: 00AFA2A1

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: b25eda82b69055a4360d8b1e27fd393cd66d8d1f1c04121a59a0b243c01272a5
Instruction ID: cce968952afefc7e5f37d14aebce135840c9c03fe543c4467798ec9739e08dad
Opcode Fuzzy Hash: b25eda82b69055a4360d8b1e27fd393cd66d8d1f1c04121a59a0b243c01272a5
Instruction Fuzzy Hash: 33718075150248AFD720CFA8DC49FBA77E5EB98740F14461DFA898B2A1DB70E902CF12

Function 00AF43FB Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00AF448D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00AF44D8

Strings

EXPAND, xrefs: 00AF458A
GETTEXT, xrefs: 00AF462B
UNCHECK, xrefs: 00AF46B4
CHECK, xrefs: 00AF44F8
GETTOTALCOUNT, xrefs: 00AF44BF
EXISTS, xrefs: 00AF4541
COLLAPSE, xrefs: 00AF451E
GETSELECTED, xrefs: 00AF45E8
ISCHECKED, xrefs: 00AF465B
GETITEMCOUNT, xrefs: 00AF45BA
SELECT, xrefs: 00AF4689

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 27cd067394995e6ec0fc252f5a2dfbc440add5dbff5e422de92e157ed4bf4921
Instruction ID: 509bcb8ff0e0de3e3a671b588e840339248fe33d355a14e07cd04b9d071db605
Opcode Fuzzy Hash: 27cd067394995e6ec0fc252f5a2dfbc440add5dbff5e422de92e157ed4bf4921
Instruction Fuzzy Hash: 21917F342047159FCF14EF50C991A7AB7E1AF89350F04886DF99A5B7A2DB30ED4ACB81

Function 00AFB832 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00AFB8E8
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00AF91F4), ref: 00AFB944
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00AFB97D
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00AFB9C0
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00AFB9F7
FreeLibrary.KERNEL32(?), ref: 00AFBA03
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00AFBA13
DestroyCursor.USER32(?), ref: 00AFBA22
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00AFBA3F
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00AFBA4B

Part of subcall function 00A9307D: __wcsicmp_l.LIBCMT ref: 00A93106

Strings

.icl, xrefs: 00AFB85E
.dll, xrefs: 00AFB8A1
.exe, xrefs: 00AFB87E

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 3907162815-1154884017
Opcode ID: 6d14d4a20123fb56311a653342d973ff6599e940e49a36cc63ed93d5f35b079d
Instruction ID: a9a43f16fceb26747145b41185500d407f3ff39601a0470bd3f0dfc88332bdc8
Opcode Fuzzy Hash: 6d14d4a20123fb56311a653342d973ff6599e940e49a36cc63ed93d5f35b079d
Instruction Fuzzy Hash: E161C0B1A10619BEEB14DFA4CC85BBE77BCEF08751F108119FA15D61D0DB749981CBA0

Function 00ADA3DC Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00A79997: __itow.LIBCMT ref: 00A799C2
Part of subcall function 00A79997: __swprintf.LIBCMT ref: 00A79A0C

CharLowerBuffW.USER32(?,?), ref: 00ADA455
GetDriveTypeW.KERNEL32 ref: 00ADA4A2
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ADA4EA
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ADA521
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ADA54F

Part of subcall function 00A77D2C: _memmove.LIBCMT ref: 00A77D66

Strings

close, xrefs: 00ADA45B
closed, xrefs: 00ADA469, 00ADA472
type cdaudio alias cd wait, xrefs: 00ADA4CD
wait, xrefs: 00ADA50C
set cd door , xrefs: 00ADA4F0
open, xrefs: 00ADA47C
close cd wait, xrefs: 00ADA53A
open , xrefs: 00ADA4B1

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: dd42dd3c3569d22d449d739e692f876dc0ef2973684d5eb3495ba44f45ab394f
Instruction ID: 211f0bcd3fe59f011a8d4877a843a5c6d0ea9c11694fcdd19e431c26854425b7
Opcode Fuzzy Hash: dd42dd3c3569d22d449d739e692f876dc0ef2973684d5eb3495ba44f45ab394f
Instruction Fuzzy Hash: E25139715043059FC700EF20DE9196AB7E4EF98758F10C96DF89A972A1DB31EE0ACB52

Function 00AFBA67 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00AF9239,?,?), ref: 00AFBA8A
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00AF9239,?,?,00000000,?), ref: 00AFBAA1
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00AF9239,?,?,00000000,?), ref: 00AFBAAC
CloseHandle.KERNEL32(00000000,?,?,?,?,00AF9239,?,?,00000000,?), ref: 00AFBAB9
GlobalLock.KERNEL32(00000000), ref: 00AFBAC2
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00AF9239,?,?,00000000,?), ref: 00AFBAD1
GlobalUnlock.KERNEL32(00000000), ref: 00AFBADA
CloseHandle.KERNEL32(00000000,?,?,?,?,00AF9239,?,?,00000000,?), ref: 00AFBAE1
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00AFBAF2
OleLoadPicture.OLEAUT32(?,00000000,00000000,00B02CAC,?), ref: 00AFBB0B
GlobalFree.KERNEL32(00000000), ref: 00AFBB1B
GetObjectW.GDI32(00000000,00000018,?), ref: 00AFBB3F
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00AFBB6A
DeleteObject.GDI32(00000000), ref: 00AFBB92
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00AFBBA8

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 7865de9e9530782b6866d18a91837d896fee37e1eff514857cd5f59385a5f968
Instruction ID: 283729a69fcaa5192f7d8454ae0f4a96bac0c43bbec90193e42f657f0aa3a3cd
Opcode Fuzzy Hash: 7865de9e9530782b6866d18a91837d896fee37e1eff514857cd5f59385a5f968
Instruction Fuzzy Hash: 6A411775600209EFDB11DFE5DC88EBABBB8EF89751F104168FA05D7260D7309902DB60

Function 00ADD925 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00ADDA9C
_wcscat.LIBCMT ref: 00ADDAB4
_wcscat.LIBCMT ref: 00ADDAC6
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00ADDADB
SetCurrentDirectoryW.KERNEL32(?), ref: 00ADDAEF
GetFileAttributesW.KERNEL32(?), ref: 00ADDB07
SetFileAttributesW.KERNEL32(?,00000000), ref: 00ADDB21
SetCurrentDirectoryW.KERNEL32(?), ref: 00ADDB33

Strings

*.*, xrefs: 00ADDB72

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: d0efb48d1954b135d7f2e892d7b8ff3b883079dac48267417f45559285835d5b
Instruction ID: af160b902eb284ea0dc7bb81202bd729d43f5da231586ab83233fba33908b956
Opcode Fuzzy Hash: d0efb48d1954b135d7f2e892d7b8ff3b883079dac48267417f45559285835d5b
Instruction Fuzzy Hash: 1D8182716082419FCB24EF64C9849AAB7E4BF88354F19882FF48ADB361E730DD45CB52

Function 00AE742F Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00AE74A4
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00AE74B0
CreateCompatibleDC.GDI32(?), ref: 00AE74BC
SelectObject.GDI32(00000000,?), ref: 00AE74C9
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00AE751D
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00AE7559
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00AE757D
SelectObject.GDI32(00000006,?), ref: 00AE7585
DeleteObject.GDI32(?), ref: 00AE758E
DeleteDC.GDI32(00000006), ref: 00AE7595
ReleaseDC.USER32(00000000,?), ref: 00AE75A0

Strings

(, xrefs: 00AE7525

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: cc3242bacd8495f80b7da5f0d25969fdb6ca35a93380d1ee00555ebbce50833f
Instruction ID: 219ce3817b59bd9db7a9ddd0513a8ee59aae86ea7a7dad4ce2ef0b2f08b08355
Opcode Fuzzy Hash: cc3242bacd8495f80b7da5f0d25969fdb6ca35a93380d1ee00555ebbce50833f
Instruction Fuzzy Hash: 33515A71904349EFCB25CFA9DC85EAEBBB9EF48310F14842DF98997250D731A941CB60

Function 00A76BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00A90AD7: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00A76C6C,?,00008000), ref: 00A90AF3

Part of subcall function 00A748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A748A1,?,?,00A737C0,?), ref: 00A748CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A76D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00A76E5A

Part of subcall function 00A759CD: _wcscpy.LIBCMT ref: 00A75A05

Part of subcall function 00A937BD: _iswctype.LIBCMT ref: 00A937C5

Strings

Unterminated string, xrefs: 00AAEB3D
EA06, xrefs: 00AAE7AB
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00AAE77A
AU3!, xrefs: 00A76CC1
Error opening the file, xrefs: 00AAE796, 00AAE811
>>>AUTOIT SCRIPT<<<, xrefs: 00AAE7EF
Bad directive syntax error, xrefs: 00AAEAF6

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: f497f35d0655c6dc514cc7d9859b1713bbe32006741304907e6e41e56d4bd0f4
Instruction ID: 898ee6bbac1a41fa5286fb93ece037512480d159767dc02f90ccc30d0cf624e9
Opcode Fuzzy Hash: f497f35d0655c6dc514cc7d9859b1713bbe32006741304907e6e41e56d4bd0f4
Instruction Fuzzy Hash: C902AC315083419FC724EF20C991AAFBBE5FF99354F04892DF48A972A1DB70DA49CB52

Function 00A745DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A745F9
GetMenuItemCount.USER32(00B35890), ref: 00AAD6FD
GetMenuItemCount.USER32(00B35890), ref: 00AAD7AD
GetCursorPos.USER32(?), ref: 00AAD7F1
SetForegroundWindow.USER32(00000000), ref: 00AAD7FA
TrackPopupMenuEx.USER32(00B35890,00000000,?,00000000,00000000,00000000), ref: 00AAD80D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00AAD819

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 840ffcbefcd2e25bce3dc8595500fdc015d0432b02a913bb0c2da049c32be776
Instruction ID: 254c33a652f2276bb5a4d4a7ed9d1aad0e875956e10f5012cecbe99dff3395bd
Opcode Fuzzy Hash: 840ffcbefcd2e25bce3dc8595500fdc015d0432b02a913bb0c2da049c32be776
Instruction Fuzzy Hash: 6C710670640209BFEB219F54DC49FAABF64FF06364F208216F55AAB1E0C7B16C10DB94

Function 00AF0EA5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AEFE38,?,?), ref: 00AF0EBC

Strings

HKLM, xrefs: 00AF0F3A
HKEY_CURRENT_USER, xrefs: 00AF0F9B
HKEY_LOCAL_MACHINE, xrefs: 00AF0F25
HKCR, xrefs: 00AF0F64
HKU, xrefs: 00AF0FCE
HKCC, xrefs: 00AF0F8A
HKEY_CLASSES_ROOT, xrefs: 00AF0F4F
HKEY_CURRENT_CONFIG, xrefs: 00AF0F79
HKCU, xrefs: 00AF0FAC
HKEY_USERS, xrefs: 00AF0FBD

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 9ffe0bfd4cc501a283d891b76e1155bace0446d86e8eff186701b6aeec293c69
Instruction ID: ac32a6e88a6d71e3cba7bde9c82603ac9260fa2b3b45a687e296090ef74856a2
Opcode Fuzzy Hash: 9ffe0bfd4cc501a283d891b76e1155bace0446d86e8eff186701b6aeec293c69
Instruction Fuzzy Hash: 27417A3120029E8FCF20EF50EAA0EFE37A0AF11340F544465FD595B292DB35995ADB60

Function 00ACFAD2 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00AAE5F9,00000010,?,Bad directive syntax error,00AFF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00ACFAF3
LoadStringW.USER32(00000000,?,00AAE5F9,00000010), ref: 00ACFAFA

Part of subcall function 00A77F41: _memmove.LIBCMT ref: 00A77F82

_wprintf.LIBCMT ref: 00ACFB2D
__swprintf.LIBCMT ref: 00ACFB4F
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00ACFBBE

Strings

., xrefs: 00ACFBA4
Line %d (File "%s"):, xrefs: 00ACFB64
%s (%d) : ==> %s.: %s %s, xrefs: 00ACFB28
Error: , xrefs: 00ACFB8C
Line %d:, xrefs: 00ACFB49

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 8e123d19d5a3a2a46dec9b424a003a2ee4ccb47da7629a0f3726633d2d86dfe6
Instruction ID: 261fc414ebcf59f782384cf84120b6154774d27e681477daf05f0aefe21b14d7
Opcode Fuzzy Hash: 8e123d19d5a3a2a46dec9b424a003a2ee4ccb47da7629a0f3726633d2d86dfe6
Instruction Fuzzy Hash: D6214D3290021AEFCF12EFA0CD56EEE7775BF18300F0484A9F519660A1DA719A19DB51

Function 00AD536E Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00A77D2C: _memmove.LIBCMT ref: 00A77D66

Part of subcall function 00A77A84: _memmove.LIBCMT ref: 00A77B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00AD53D7
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00AD53ED
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AD53FE
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00AD5410
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00AD5421

Strings

status PlayMe mode, xrefs: 00AD53D2
play PlayMe, xrefs: 00AD541C
play PlayMe wait, xrefs: 00AD540B
alias PlayMe, xrefs: 00AD53B0
close PlayMe, xrefs: 00AD53E8, 00AD5415
open , xrefs: 00AD5386

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 5643601070e458534b710a220b9e1bcd404ff662f4a5d73627f0a90fc47cbad0
Instruction ID: 0506a88a7a80f349df177e6382fcfd6b47e44885727bce84c8b4844523ced178
Opcode Fuzzy Hash: 5643601070e458534b710a220b9e1bcd404ff662f4a5d73627f0a90fc47cbad0
Instruction Fuzzy Hash: 4B11E220A4113939D720B7B1DC4ADFF7BBCEF91B40F00846AB40AA60E1DEA00D45C5A1

Function 00AD46F8 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 00AD4713
gethostname.WS2_32(?,00000100), ref: 00AD472D
gethostbyname.WS2_32(?), ref: 00AD473A
_wcscpy.LIBCMT ref: 00AD4762
_memmove.LIBCMT ref: 00AD4775
inet_ntoa.WS2_32(?), ref: 00AD4780
_strcat.LIBCMT ref: 00AD478E
_wcscpy.LIBCMT ref: 00AD47A5
WSACleanup.WS2_32 ref: 00AD47B3
_wcscpy.LIBCMT ref: 00AD47C1

Strings

0.0.0.0, xrefs: 00AD475C

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 5b5742550b3f6e37a7577897135574fc454de285b57495ddbc2424861e5f603c
Instruction ID: 75fc0a9274f89d95eae925a08ff3adb984a8fbe5510b73de2721faf2b3d255a9
Opcode Fuzzy Hash: 5b5742550b3f6e37a7577897135574fc454de285b57495ddbc2424861e5f603c
Instruction Fuzzy Hash: 0211E431A04118AFDF25A7A0ED4AEEA77FCDF46711F0401B6F44696291EF709A82C790

Function 00AD501C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00AD5021

Part of subcall function 00A9034A: timeGetTime.WINMM(?,75A8B400,00A80FDB), ref: 00A9034E

Sleep.KERNEL32(0000000A), ref: 00AD504D
EnumThreadWindows.USER32(?,Function_00064FCF,00000000), ref: 00AD5071
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00AD5093
SetActiveWindow.USER32 ref: 00AD50B2
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00AD50C0
SendMessageW.USER32(00000010,00000000,00000000), ref: 00AD50DF
Sleep.KERNEL32(000000FA), ref: 00AD50EA
IsWindow.USER32 ref: 00AD50F6
EndDialog.USER32(00000000), ref: 00AD5107

Strings

BUTTON, xrefs: 00AD5085

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 8017e0c7a4fda2ffadd56053ce04fd5f15efeeb2cce6125397cbdf1bebf691d3
Instruction ID: 64d8f3d1dec3f9425c185bcc5031d84fe8e451c6e043f4c89afbd97a08d4fe5f
Opcode Fuzzy Hash: 8017e0c7a4fda2ffadd56053ce04fd5f15efeeb2cce6125397cbdf1bebf691d3
Instruction Fuzzy Hash: 28219271200608BFEB10AFB0ED88B3A3B69EF54386B15513AF502823B0DF718D41CA71

Function 00ADD619 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A79997: __itow.LIBCMT ref: 00A799C2
Part of subcall function 00A79997: __swprintf.LIBCMT ref: 00A79A0C

CoInitialize.OLE32(00000000), ref: 00ADD676
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00ADD709
SHGetDesktopFolder.SHELL32(?), ref: 00ADD71D
CoCreateInstance.COMBASE(00B02D7C,00000000,00000001,00B28C1C,?), ref: 00ADD769
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00ADD7D8
CoTaskMemFree.COMBASE(?), ref: 00ADD830
_memset.LIBCMT ref: 00ADD86D
SHBrowseForFolderW.SHELL32(?), ref: 00ADD8A9
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00ADD8CC
CoTaskMemFree.COMBASE(00000000), ref: 00ADD8D3
CoTaskMemFree.COMBASE(00000000), ref: 00ADD90A
CoUninitialize.COMBASE ref: 00ADD90C

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 63ce75e62a3d01be5226a1405521ec0f194f1043fbef514935fb2c74b3daf2f2
Instruction ID: 4990ef90f67a90b7943f879140d1250f36bf4a6100ea15f1f947e0493c3ec84b
Opcode Fuzzy Hash: 63ce75e62a3d01be5226a1405521ec0f194f1043fbef514935fb2c74b3daf2f2
Instruction Fuzzy Hash: 86B1CB75A00109AFDB14DFA4C988DAEBBF9FF48314B148469E50AEB361DB31ED45CB50

Function 00AD034D Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00AD03C8
SetKeyboardState.USER32(?), ref: 00AD0433
GetAsyncKeyState.USER32(000000A0), ref: 00AD0453
GetKeyState.USER32(000000A0), ref: 00AD046A
GetAsyncKeyState.USER32(000000A1), ref: 00AD0499
GetKeyState.USER32(000000A1), ref: 00AD04AA
GetAsyncKeyState.USER32(00000011), ref: 00AD04D6
GetKeyState.USER32(00000011), ref: 00AD04E4
GetAsyncKeyState.USER32(00000012), ref: 00AD050D
GetKeyState.USER32(00000012), ref: 00AD051B
GetAsyncKeyState.USER32(0000005B), ref: 00AD0544
GetKeyState.USER32(0000005B), ref: 00AD0552

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 996cab30452840a3277f4776ae1b3d929ec7b4037f671bae8ec1f375bf82d321
Instruction ID: 00ffc08c08921ec1b6fb34c4d5736cca86421941a32aaace6b272173c68a9b50
Opcode Fuzzy Hash: 996cab30452840a3277f4776ae1b3d929ec7b4037f671bae8ec1f375bf82d321
Instruction Fuzzy Hash: 185196609087842AFB35DBB49515FAEBFB49F01380F48859F99C35A3C3DA649B4CCB61

Function 00ACC529 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00ACC545
GetWindowRect.USER32(00000000,?), ref: 00ACC557
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00ACC5B5
GetDlgItem.USER32(?,00000002), ref: 00ACC5C0
GetWindowRect.USER32(00000000,?), ref: 00ACC5D2
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00ACC626
GetDlgItem.USER32(?,000003E9), ref: 00ACC634
GetWindowRect.USER32(00000000,?), ref: 00ACC645
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00ACC688
GetDlgItem.USER32(?,000003EA), ref: 00ACC696
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00ACC6B3
InvalidateRect.USER32(?,00000000,00000001), ref: 00ACC6C0

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 51e09b677d9bc6f8231a52bb0dd689c58daa1c2e1762ef0403b9271172b161bd
Instruction ID: 7741e64d02907d06f4096a6607274bd71a58830bc90349b9e7c619ce67063376
Opcode Fuzzy Hash: 51e09b677d9bc6f8231a52bb0dd689c58daa1c2e1762ef0403b9271172b161bd
Instruction Fuzzy Hash: 02512E71B00205AFDB18CFA9DD99FAEBBB6EF88710F14812DF519D6290DB70A901CB54

Function 00A721A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00A725DB: GetWindowLongW.USER32(?,000000EB), ref: 00A725EC

GetSysColor.USER32(0000000F), ref: 00A721D3

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 223ae614b030d8c970270dbbd384d34e1e49667a9524cc14c7468261af7612a5
Instruction ID: baff14848aea126c85bd7ffb3d4d033da179999923cdde48e232b2083a86e97e
Opcode Fuzzy Hash: 223ae614b030d8c970270dbbd384d34e1e49667a9524cc14c7468261af7612a5
Instruction Fuzzy Hash: 18416031100540DEDB259FA8DC88BB937A5EF06731F24C365EE698A1E6C7318D42DB65

Function 00ADA931 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00AFF910), ref: 00ADA995
GetDriveTypeW.KERNEL32(00000061,00B289A0,00000061), ref: 00ADAA5F
_wcscpy.LIBCMT ref: 00ADAA89

Strings

ramdisk, xrefs: 00ADAA09
removable, xrefs: 00ADA9C7
cdrom, xrefs: 00ADA9B1
fixed, xrefs: 00ADA9DD
all, xrefs: 00ADA99B
network, xrefs: 00ADA9F3
unknown, xrefs: 00ADAA20

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 018e1caf6e4be34fc10f035486a0d5adbd7e2a20770850c3d50699c850cf626b
Instruction ID: f5b60f5370cd59d58ce72438fe29482a5134f7a9f89e9cd2cf0cc7fdf499509b
Opcode Fuzzy Hash: 018e1caf6e4be34fc10f035486a0d5adbd7e2a20770850c3d50699c850cf626b
Instruction Fuzzy Hash: 7751AB312183019FC710EF14CE91AAFB7E5EF94380F50892EF49A572A2DB309D49CA53

Function 00A79997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00A799C2
__swprintf.LIBCMT ref: 00A79A0C
__i64tow.LIBCMT ref: 00AAF93F

Strings

0x%p, xrefs: 00AAF921
False, xrefs: 00AAF907
%.15g, xrefs: 00A79A06
True, xrefs: 00AAF900

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: bb300f4a2c3fc20ded888d2d0628f73f55594e3621f5b32b4deacf4da5296f90
Instruction ID: 01ebcc4eb454bb4c61c02d1de7b60cbe225dd6bb1270a25f3b085d054a0c8bcf
Opcode Fuzzy Hash: bb300f4a2c3fc20ded888d2d0628f73f55594e3621f5b32b4deacf4da5296f90
Instruction Fuzzy Hash: DD41A572604605AEEF289B74DD42E6B77F4EB45310F20C8AEE54DD7291EB319941C711

Function 00AF7184 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AF719C
CreateMenu.USER32 ref: 00AF71B7
SetMenu.USER32(?,00000000), ref: 00AF71C6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AF7253
IsMenu.USER32(?), ref: 00AF7269
CreatePopupMenu.USER32 ref: 00AF7273
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00AF72A0
DrawMenuBar.USER32 ref: 00AF72A8

Strings

0, xrefs: 00AF7192
F, xrefs: 00AF7294

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 3776d53ac6e74ed20c47042f52576d12ee012dc68771660cf858b8407dcf28ed
Instruction ID: 0e5eaab71afd866a85bc3e2ae8ed6c7c4745c95bbd314ba56b41c76981ab6ade
Opcode Fuzzy Hash: 3776d53ac6e74ed20c47042f52576d12ee012dc68771660cf858b8407dcf28ed
Instruction Fuzzy Hash: 56412A75A01209EFDB20DFA4D984AEE7BF5FF49350F144129FA45A7360D731A920CBA0

Function 00AF74ED Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00AF7590
CreateCompatibleDC.GDI32(00000000), ref: 00AF7597
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00AF75AA
SelectObject.GDI32(00000000,00000000), ref: 00AF75B2
GetPixel.GDI32(00000000,00000000,00000000), ref: 00AF75BD
DeleteDC.GDI32(00000000), ref: 00AF75C6
GetWindowLongW.USER32(?,000000EC), ref: 00AF75D0
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00AF75E4
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00AF75F0

Strings

static, xrefs: 00AF7528

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 5f056c19a3c3b517b51c03225367aaf0c366387dc93d44af0e9877235ad575de
Instruction ID: ad63e9ae74c276dd7ad6fbc7d5942c9a9e2ff912c18025637982d27b72bb335a
Opcode Fuzzy Hash: 5f056c19a3c3b517b51c03225367aaf0c366387dc93d44af0e9877235ad575de
Instruction Fuzzy Hash: F1314C72105119BFDF119FE4DC48FEA3B69FF09761F114224FA15A61A0CB31D821DB64

Function 00A96F80 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A96FBB

Part of subcall function 00A98CA8: __getptd_noexit.LIBCMT ref: 00A98CA8

__gmtime64_s.LIBCMT ref: 00A97054
__gmtime64_s.LIBCMT ref: 00A9708A
__gmtime64_s.LIBCMT ref: 00A970A7
__allrem.LIBCMT ref: 00A970FD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A97119
__allrem.LIBCMT ref: 00A97130
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A9714E
__allrem.LIBCMT ref: 00A97165
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A97183
__invoke_watson.LIBCMT ref: 00A971F4

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction ID: e00d97d8aa2e35fd9ca582f0afe20a5a6ae7125309d6bf6876e1dd93dec9435f
Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction Fuzzy Hash: 6171E672B00716ABEF149F79DD42B6EB3E8AF55324F24422AF514D72C1EB74DA4087A0

Function 00AD281F Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AD283A
GetMenuItemInfoW.USER32(00B35890,000000FF,00000000,00000030), ref: 00AD289B
SetMenuItemInfoW.USER32(00B35890,00000004,00000000,00000030), ref: 00AD28D1
Sleep.KERNEL32(000001F4), ref: 00AD28E3
GetMenuItemCount.USER32(?), ref: 00AD2927
GetMenuItemID.USER32(?,00000000), ref: 00AD2943
GetMenuItemID.USER32(?,-00000001), ref: 00AD296D
GetMenuItemID.USER32(?,?), ref: 00AD29B2
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00AD29F8
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AD2A0C
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AD2A2D

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: e74b47a796cac6c3988173d8e9ac51f4bacc402dc7a2f96eecc0d591d203d798
Instruction ID: d3f3e0521b7f6a8ae2a2113b68c70b840e76c6666444524e50b485d203fdd542
Opcode Fuzzy Hash: e74b47a796cac6c3988173d8e9ac51f4bacc402dc7a2f96eecc0d591d203d798
Instruction Fuzzy Hash: 79618EB0900249AFDB21CFA4DD88BBEBBB9EF55344F14005AE843A7361D731AD06DB20

Function 00AF6F55 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00AF6FD7
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00AF6FDA
GetWindowLongW.USER32(?,000000F0), ref: 00AF6FFE
_memset.LIBCMT ref: 00AF700F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AF7021
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00AF7099

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 0765089f20f14a250c25a54c2777d13c2715241ef4d6af50c7d01fedc4919aeb
Instruction ID: 2e6f6b4a58baaa66e98fd0bb5980e9684f04b5aad80cd7db7e564b43ff1bf3e8
Opcode Fuzzy Hash: 0765089f20f14a250c25a54c2777d13c2715241ef4d6af50c7d01fedc4919aeb
Instruction Fuzzy Hash: 8D614A75A00208AFDB20DFA4CD81EEE77F8AB09710F144159FA15AB2A1C771AD45DB64

Function 00AC6EEE Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00AC6F15
SafeArrayAllocData.OLEAUT32(?), ref: 00AC6F6E
VariantInit.OLEAUT32(?), ref: 00AC6F80
SafeArrayAccessData.OLEAUT32(?,?), ref: 00AC6FA0
VariantCopy.OLEAUT32(?,?), ref: 00AC6FF3
SafeArrayUnaccessData.OLEAUT32(?), ref: 00AC7007
VariantClear.OLEAUT32(?), ref: 00AC701C
SafeArrayDestroyData.OLEAUT32(?), ref: 00AC7029
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AC7032
VariantClear.OLEAUT32(?), ref: 00AC7044
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AC704F

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 3248e9d8bef69618dfff1e08024732ec85fe188971fbf000cb8dab4b7a0fe9f7
Instruction ID: c14bf96e8638766b486f4534c2a1f9866bf4db32f2ace295319576aa9d0acc62
Opcode Fuzzy Hash: 3248e9d8bef69618dfff1e08024732ec85fe188971fbf000cb8dab4b7a0fe9f7
Instruction Fuzzy Hash: 9C414035A002199FCF00DFE8DC48EAEBBB9FF48355F018069E955A7261CB30A946CF90

Function 00AE5848 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 00AE58A9
inet_addr.WS2_32(?), ref: 00AE58EE
gethostbyname.WS2_32(?), ref: 00AE58FA
IcmpCreateFile.IPHLPAPI ref: 00AE5908
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00AE5978
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00AE598E
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00AE5A03
WSACleanup.WS2_32 ref: 00AE5A09

Strings

Ping, xrefs: 00AE592C

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 4f1aab6a3427e1092bb2bcf9376d5227b38f61e934e2dacb0dc0cab341763742
Instruction ID: 7f08dc4b3e72d3b6cab75b551430a04c6f510ab14db3d1f7d6422926a75ff68e
Opcode Fuzzy Hash: 4f1aab6a3427e1092bb2bcf9376d5227b38f61e934e2dacb0dc0cab341763742
Instruction Fuzzy Hash: 18518E31A047409FDB20EF75DD45B6AB7E0EF48724F14852AF99A9B2A1DB70EC00DB41

Function 00ADB54F Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00ADB55C
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00ADB5D2
GetLastError.KERNEL32 ref: 00ADB5DC
SetErrorMode.KERNEL32(00000000,READY), ref: 00ADB649

Strings

READONLY, xrefs: 00ADB614
NOTREADY, xrefs: 00ADB608
READY, xrefs: 00ADB622
INVALID, xrefs: 00ADB61B
UNKNOWN, xrefs: 00ADB601

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 98e467182a924b05bfd8314e78c83508a0840b44ba08eed7297a5db9538b7e54
Instruction ID: eab1e35ab0878bf808d010debaaecf91618e44bb6e0e034d8fe4088556c56c13
Opcode Fuzzy Hash: 98e467182a924b05bfd8314e78c83508a0840b44ba08eed7297a5db9538b7e54
Instruction Fuzzy Hash: 71317C35A00209DFDB10DFA4D985ABEB7B4EF48350F15816AE506DB3A1DB719A02CBA0

Function 00AC9251 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A77F41: _memmove.LIBCMT ref: 00A77F82

Part of subcall function 00ACAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00ACAEC7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00AC92D6
GetDlgCtrlID.USER32 ref: 00AC92E1
GetParent.USER32 ref: 00AC92FD
SendMessageW.USER32(00000000,?,00000111,?), ref: 00AC9300
GetDlgCtrlID.USER32(?), ref: 00AC9309
GetParent.USER32(?), ref: 00AC9325
SendMessageW.USER32(00000000,?,?,00000111), ref: 00AC9328

Strings

ListBox, xrefs: 00AC9293
ComboBox, xrefs: 00AC925E

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 420582b46d2213d733b6d137e782a629435debde8059d74af1897ea7bc2ac4df
Instruction ID: 8d951a166e457046d0ca510ef3930de8b4f07c860b4bdad9f56b05e79287596d
Opcode Fuzzy Hash: 420582b46d2213d733b6d137e782a629435debde8059d74af1897ea7bc2ac4df
Instruction Fuzzy Hash: 3321B070E40248BFDF04EBA4CC89EFEBBB8EF59310F114169B961972E1DB755816DA20

Function 00AC933C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A77F41: _memmove.LIBCMT ref: 00A77F82

Part of subcall function 00ACAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00ACAEC7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00AC93BF
GetDlgCtrlID.USER32 ref: 00AC93CA
GetParent.USER32 ref: 00AC93E6
SendMessageW.USER32(00000000,?,00000111,?), ref: 00AC93E9
GetDlgCtrlID.USER32(?), ref: 00AC93F2
GetParent.USER32(?), ref: 00AC940E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00AC9411

Strings

ListBox, xrefs: 00AC937E
ComboBox, xrefs: 00AC9349

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: a6c89f98001e069c9316fbd262844cbdda7da98300de0713e0ddab718e9fb723
Instruction ID: 73ebf495e1252c96a76b69d7808e9b0a3d315c9ec9973e074c7a61d9ae743788
Opcode Fuzzy Hash: a6c89f98001e069c9316fbd262844cbdda7da98300de0713e0ddab718e9fb723
Instruction Fuzzy Hash: 0121B374A40248BFDF04EBA4CD89EFEBBB4EF48300F118069F911972A1DB755916DA20

Function 00AC9425 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00AC9431
GetClassNameW.USER32(00000000,?,00000100), ref: 00AC9446
_wcscmp.LIBCMT ref: 00AC9458
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00AC94D3

Strings

list, xrefs: 00AC94B5
details, xrefs: 00AC9481
SHELLDLL_DefView, xrefs: 00AC9452
largeicons, xrefs: 00AC9467
smallicons, xrefs: 00AC949B

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 9d9e63ad08ccf5b309fa092fa90858362d948996900f8165ce5ec3d63b42e793
Instruction ID: a0f514b67b935682d8c718d68e85c5e398dfb4d39400188668e1b98e66da60e6
Opcode Fuzzy Hash: 9d9e63ad08ccf5b309fa092fa90858362d948996900f8165ce5ec3d63b42e793
Instruction Fuzzy Hash: 5E11E777388316BAEE142760AD0BEB773EC8F05320B21406AF908E40F1EE5158528558

Function 00AE89C0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AE89EC
CoInitialize.OLE32(00000000), ref: 00AE8A19
CoUninitialize.COMBASE ref: 00AE8A23
GetRunningObjectTable.OLE32(00000000,?), ref: 00AE8B23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00AE8C50
CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002,?,00000001,00B02C0C), ref: 00AE8C84
CoGetObject.OLE32(?,00000000,00B02C0C,?), ref: 00AE8CA7
SetErrorMode.KERNEL32(00000000), ref: 00AE8CBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00AE8D3A
VariantClear.OLEAUT32(?), ref: 00AE8D4A

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: a09fcce87fc93ded016001b76f192e716f72d47a949f2880fd68ec0b5c973410
Instruction ID: c3ffbb946fa90c7ad5ce7d5ab3db87e5cb9e1d4127a62a98e22c25054dd60865
Opcode Fuzzy Hash: a09fcce87fc93ded016001b76f192e716f72d47a949f2880fd68ec0b5c973410
Instruction Fuzzy Hash: 28C154B1208345AFD700DF69C88492BBBE9FF89348F00496DF58A9B251DB75ED06CB52

Function 00AD7A39 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00AD7B15

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 6ed25771ec861bc9de57dce53cc2e09bbc95fde2bbacd0603d74882e16d90159
Instruction ID: df90bdb042b285f525d4008cb9c83f125451f5d3780b9e97136b76c166c8549b
Opcode Fuzzy Hash: 6ed25771ec861bc9de57dce53cc2e09bbc95fde2bbacd0603d74882e16d90159
Instruction Fuzzy Hash: 68B19E7590421A9FDB18DF94C885BBEB7F5EF08321F24446AE542EB351E734A941CFA0

Function 00AD14FF Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00AD1521
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00AD0599,?,00000001), ref: 00AD1535
GetWindowThreadProcessId.USER32(00000000), ref: 00AD153C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AD0599,?,00000001), ref: 00AD154B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00AD155D
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AD0599,?,00000001), ref: 00AD1576
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AD0599,?,00000001), ref: 00AD1588
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00AD0599,?,00000001), ref: 00AD15CD
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00AD0599,?,00000001), ref: 00AD15E2
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00AD0599,?,00000001), ref: 00AD15ED

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: b44b440e4d7b31bcbd8b2eb3270b10ec6fcf4645d928afb665cc77265d7a0646
Instruction ID: 6fbb4f9fc12915078da74605e7ddac02b715248ce0c36c598fb2be0837a2cf5f
Opcode Fuzzy Hash: b44b440e4d7b31bcbd8b2eb3270b10ec6fcf4645d928afb665cc77265d7a0646
Instruction Fuzzy Hash: E7313E79900204BFDB11DF94FD88FB977AAAB94311F208026F906D72A0DB789D41CB60

Function 00A7FBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A7FC06
OleUninitialize.OLE32(?,00000000), ref: 00A7FCA5
UnregisterHotKey.USER32(?), ref: 00A7FDFC
DestroyWindow.USER32(?), ref: 00AB492F
FreeLibrary.KERNEL32(?), ref: 00AB4994
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AB49C1

Strings

close all, xrefs: 00A7FC01

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: e4c86a1abfa39f70ce149183bc1090691b89b9e3719426fc9a6f317112f9fbfa
Instruction ID: c1607f1d4ef470681631d6ecaf715b49065b755ce91aaa41ab965fe640bf6a02
Opcode Fuzzy Hash: e4c86a1abfa39f70ce149183bc1090691b89b9e3719426fc9a6f317112f9fbfa
Instruction Fuzzy Hash: 47A14F31701212CFCB29EF54C995A6AF7A4BF04750F55C2ADE80AAB263DB30AD16CF54

Function 00ACA473 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00ACA844), ref: 00ACA782

Strings

INSTANCE, xrefs: 00ACA690
CLASS, xrefs: 00ACA501
TEXT, xrefs: 00ACA6B9
REGEXPCLASS, xrefs: 00ACA547
NAME, xrefs: 00ACA5B4
CLASSNN, xrefs: 00ACA524

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: bf0ee921d46a4f36a061567c49c08dee1b6407b087e210175d204c04c9cf4356
Instruction ID: 3ec0304111a6626ddc37d1e8f297d119511f79c015be40008fde06af10019c4f
Opcode Fuzzy Hash: bf0ee921d46a4f36a061567c49c08dee1b6407b087e210175d204c04c9cf4356
Instruction Fuzzy Hash: CA919E71A0060AABCF08EFA0C991FF9FBB4BF14348F55811DE85AA7141DF306999DB91

Function 00A72E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00A72EAE

Part of subcall function 00A71DB3: GetClientRect.USER32(?,?), ref: 00A71DDC
Part of subcall function 00A71DB3: GetWindowRect.USER32(?,?), ref: 00A71E1D
Part of subcall function 00A71DB3: ScreenToClient.USER32(?,?), ref: 00A71E45

GetDC.USER32 ref: 00AACEB2
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00AACEC5
SelectObject.GDI32(00000000,00000000), ref: 00AACED3
SelectObject.GDI32(00000000,00000000), ref: 00AACEE8
ReleaseDC.USER32(?,00000000), ref: 00AACEF0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00AACF7B

Strings

U, xrefs: 00AACE50

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 758effdf39b9c8ebd02fe3b15f52ad229ca7986d49a64031c95a4e1db44c38f4
Instruction ID: 54b18bdd87ae06f618d0985c00cfd07aa9ce8c6ee57e6fdeb4e4c6e89743a1c0
Opcode Fuzzy Hash: 758effdf39b9c8ebd02fe3b15f52ad229ca7986d49a64031c95a4e1db44c38f4
Instruction Fuzzy Hash: 8D718D31500209DFDF258F64CC84ABE7BB6FF4A360F14826AED595B2A6D7319841DF60

Function 00AE8D5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00AFF910), ref: 00AE8E3D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00AFF910), ref: 00AE8E71
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00AE8FEB
SysFreeString.OLEAUT32(?), ref: 00AE9015

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 1dc42289282299119583283ba37c7b3592ede0666472cd446c04c8a00fa4c531
Instruction ID: 81b236ec23a2563236db6a15cbc51d287991391e408da22eeb69d566f34783df
Opcode Fuzzy Hash: 1dc42289282299119583283ba37c7b3592ede0666472cd446c04c8a00fa4c531
Instruction Fuzzy Hash: DCF13B71A00209EFCF04DF95C888EAEB7BAFF49315F108599F919AB250DB31AE45CB50

Function 00AEF7A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AEF7C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00AEF95C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00AEF980
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00AEF9C0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00AEF9E2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00AEFB5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00AEFB90
CloseHandle.KERNEL32(?), ref: 00AEFBBF
CloseHandle.KERNEL32(?), ref: 00AEFC36

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 23bd0be74adee816286864e81973986e4e2e758967da66eae5b3f3991cdb527e
Instruction ID: bc8b868ccb002965deadf1cff9098d23d0bd72bf5c665f07a399d53f9a9a9b53
Opcode Fuzzy Hash: 23bd0be74adee816286864e81973986e4e2e758967da66eae5b3f3991cdb527e
Instruction Fuzzy Hash: B9E1B0316043419FCB14EF25C991B6ABBE5FF88354F14856DF89A9B2A2DB30EC41CB52

Function 00A7201B Relevance: 13.7, APIs: 9, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A71B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A72036,?,00000000,?,?,?,?,00A716CB,00000000,?), ref: 00A71B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00A720D3
KillTimer.USER32(-00000001,?,?,?,?,00A716CB,00000000,?,?,00A71AE2,?,?), ref: 00A7216E
DestroyAcceleratorTable.USER32(00000000), ref: 00AABE26
DeleteObject.GDI32(00000000), ref: 00AABE9C

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: edd8f52a120736e676fea4650a59dd14a2abb2896064204ddb07f0d3b5ebad09
Instruction ID: 25b05e02a706424babf552234610b9cfc3a47aff4e3cb35362eb33ebb66d7033
Opcode Fuzzy Hash: edd8f52a120736e676fea4650a59dd14a2abb2896064204ddb07f0d3b5ebad09
Instruction Fuzzy Hash: F1614531110A00DFCB359F54DD48B6AB7F1FF41312F60C529E6469BAA1CB71AC92DBA0

Function 00AD4D68 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD46AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00AD36DB,?), ref: 00AD46CC

Part of subcall function 00AD46AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00AD36DB,?), ref: 00AD46E5

Part of subcall function 00AD4AD8: GetFileAttributesW.KERNEL32(?,00AD374F), ref: 00AD4AD9

lstrcmpiW.KERNEL32(?,?), ref: 00AD4DE7
_wcscmp.LIBCMT ref: 00AD4E01
MoveFileW.KERNEL32(?,?), ref: 00AD4E1C

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: e5e6bbd3d65f4f526d241667afcae9c1905a8cc9a1a01dc67719866697658fae
Instruction ID: f165583afd3ce35415f2169587c0c40da0be0057ce7233158b1bf0dbdf595b7d
Opcode Fuzzy Hash: e5e6bbd3d65f4f526d241667afcae9c1905a8cc9a1a01dc67719866697658fae
Instruction Fuzzy Hash: 8B5144B2508784ABC724DBA0D9859DFB3ECAF89340F10492FF58AD3151EF34A688C756

Function 00AF8677 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00AF8731

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: c2524442cbbf87ab7996d4d83c5235ffd0fa42fe5b2ef75759edc46ab0a7ac34
Instruction ID: 503ffe55a479cfd3df6717bdc2c9a0aeb4a7e70cc519539ca512b4e1d2605e93
Opcode Fuzzy Hash: c2524442cbbf87ab7996d4d83c5235ffd0fa42fe5b2ef75759edc46ab0a7ac34
Instruction Fuzzy Hash: FF515D70600218BEEB209BE9CC89BBD7B64EF05390F604515FB15EA1E1CF79E990DB91

Function 00A72B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00AAC477
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00AAC499
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00AAC4B1
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00AAC4CF
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00AAC4F0
DestroyCursor.USER32(00000000), ref: 00AAC4FF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00AAC51C
DestroyCursor.USER32(?), ref: 00AAC52B

Part of subcall function 00AFA4E1: DeleteObject.GDI32(00000000), ref: 00AFA51A

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2975913752-0
Opcode ID: 64248dfde3a97a5377816f6f56128b60b6a63f3cd36ffdc2867ad3df339842d6
Instruction ID: 2bd9654af40ae1f74ac3f5aea38c1beddb0b21cfb3c8e41bc167cc414fb9e379
Opcode Fuzzy Hash: 64248dfde3a97a5377816f6f56128b60b6a63f3cd36ffdc2867ad3df339842d6
Instruction Fuzzy Hash: 7F514670A00209EFEB20DF64DC45BAA7BB5EF58720F108528F906972A0DB70AD91DB50

Function 00AC9930 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ACAC37: GetWindowThreadProcessId.USER32(?,00000000), ref: 00ACAC57
Part of subcall function 00ACAC37: GetCurrentThreadId.KERNEL32 ref: 00ACAC5E
Part of subcall function 00ACAC37: AttachThreadInput.USER32(00000000,?,00AC9945,?,00000001), ref: 00ACAC65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00AC9950
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00AC996D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00AC9970
MapVirtualKeyW.USER32(00000025,00000000), ref: 00AC9979
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00AC9997
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00AC999A
MapVirtualKeyW.USER32(00000025,00000000), ref: 00AC99A3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00AC99BA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00AC99BD

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 2e99f02ddb91a39d56eb735014798c25a0a99cd70642e2bbc9d7a1a08e5e7b84
Instruction ID: 61f7f67924c15d803fbe882175e7e78c1a72270bbb2ab44b9dd3cc9e57a355c2
Opcode Fuzzy Hash: 2e99f02ddb91a39d56eb735014798c25a0a99cd70642e2bbc9d7a1a08e5e7b84
Instruction Fuzzy Hash: 7511CE71550218BEF710ABA4CC89FBA7A2DEF4C795F110429F344AB1A0CAF25C11DAA8

Function 00AC8BE3 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00AC8864,00000B00,?,?), ref: 00AC8BEC
RtlAllocateHeap.NTDLL(00000000,?,00AC8864), ref: 00AC8BF3
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00AC8864,00000B00,?,?), ref: 00AC8C08
GetCurrentProcess.KERNEL32(?,00000000,?,00AC8864,00000B00,?,?), ref: 00AC8C10
DuplicateHandle.KERNEL32(00000000,?,00AC8864,00000B00,?,?), ref: 00AC8C13
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00AC8864,00000B00,?,?), ref: 00AC8C23
GetCurrentProcess.KERNEL32(00AC8864,00000000,?,00AC8864,00000B00,?,?), ref: 00AC8C2B
DuplicateHandle.KERNEL32(00000000,?,00AC8864,00000B00,?,?), ref: 00AC8C2E
CreateThread.KERNEL32(00000000,00000000,00AC8C54,00000000,00000000,00000000), ref: 00AC8C48

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
String ID:
API String ID: 1422014791-0
Opcode ID: 8ad34f7f1a04f311be2f244488e3598afb609c35388f2bcc5e539b41973ab954
Instruction ID: f20be04c053c6edf4702fb30cfb377fa738bf044d7d4ff2eadb14348348077b4
Opcode Fuzzy Hash: 8ad34f7f1a04f311be2f244488e3598afb609c35388f2bcc5e539b41973ab954
Instruction Fuzzy Hash: 5401A8B5240348FFEA10EBE5DC89F6B3BACEF89711F014521FB05DB2A1CA749811DA24

Function 00AE9228 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AE927C
VariantInit.OLEAUT32(?), ref: 00AE934D
VariantInit.OLEAUT32(?), ref: 00AE944E
VariantClear.OLEAUT32(?), ref: 00AE9458
VariantClear.OLEAUT32(?), ref: 00AE94B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00AE9431
Null Object assignment in FOR..IN loop, xrefs: 00AE92DD, 00AE940B, 00AE94C3

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: b5cf54e957bc56763078205cbc12328cb7427e92ea25194564587556995ce7a6
Instruction ID: 3b6df91e9f12f305b8ac8d8342dd572a3fa421bb0d075208528d04f90d0f3500
Opcode Fuzzy Hash: b5cf54e957bc56763078205cbc12328cb7427e92ea25194564587556995ce7a6
Instruction Fuzzy Hash: 8E917C71A00359ABDF24DFA6C848FAFBBB8EF45710F10855DF519AB280D7709946CBA0

Function 00AE9872 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00AC7432: CLSIDFromProgID.COMBASE ref: 00AC744F
Part of subcall function 00AC7432: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00AC746A
Part of subcall function 00AC7432: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AC736C,80070057,?,?), ref: 00AC7478
Part of subcall function 00AC7432: CoTaskMemFree.COMBASE(00000000), ref: 00AC7488

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00AE991B
_memset.LIBCMT ref: 00AE9928
_memset.LIBCMT ref: 00AE9A6B
CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000000), ref: 00AE9A97
CoTaskMemFree.COMBASE(?), ref: 00AE9AA2

Strings

NULL Pointer assignment, xrefs: 00AE9AF0

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 3f8475f083efe1814e05ec1846d4f398fb586d84b8c14263ee5988c24d2be9b0
Instruction ID: 3ec2b3a44c4cfc793f32bac8336f9c1116059424e85142dbc9b1837550342199
Opcode Fuzzy Hash: 3f8475f083efe1814e05ec1846d4f398fb586d84b8c14263ee5988c24d2be9b0
Instruction Fuzzy Hash: 3E914871D00228ABDF10DFA5DD85EDEBBB8EF08750F10816AF519A7291DB709A45CFA0

Function 00AF6DB2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00AF6E56
SendMessageW.USER32(?,00001036,00000000,?), ref: 00AF6E6A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00AF6E84
_wcscat.LIBCMT ref: 00AF6EDF
SendMessageW.USER32(?,00001057,00000000,?), ref: 00AF6EF6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00AF6F24

Strings

SysListView32, xrefs: 00AF6E28

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: e340926938fcadf0ee7cab2b15b9a677ab7f386254c8a2e0bfb8094289711e55
Instruction ID: 3179a851a490a200b00e608642d06896562c34d17c6c4c8df643f3d0c855dc95
Opcode Fuzzy Hash: e340926938fcadf0ee7cab2b15b9a677ab7f386254c8a2e0bfb8094289711e55
Instruction Fuzzy Hash: B0416D75A00248AFEB219FA4CC85BEAB7F8EF08350F10446AF649E7191D6719D84CB64

Function 00AEEA47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00AD3C99: CreateToolhelp32Snapshot.KERNEL32 ref: 00AD3CBE
Part of subcall function 00AD3C99: Process32FirstW.KERNEL32(00000000,?), ref: 00AD3CCC
Part of subcall function 00AD3C99: CloseHandle.KERNEL32(00000000), ref: 00AD3D96

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AEEAB8
GetLastError.KERNEL32 ref: 00AEEACB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AEEAFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00AEEB77
GetLastError.KERNEL32(00000000), ref: 00AEEB82
CloseHandle.KERNEL32(00000000), ref: 00AEEBB7

Strings

SeDebugPrivilege, xrefs: 00AEEAD6

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: e38056aba939c4aca157337ef628ee4d95c28d71b9b4ba1b3eb4b56b8fa21438
Instruction ID: 6b15816dfd7d0ee2fd1b494b0267b26030eaaed5c54ce65dad292237c2ef26ec
Opcode Fuzzy Hash: e38056aba939c4aca157337ef628ee4d95c28d71b9b4ba1b3eb4b56b8fa21438
Instruction Fuzzy Hash: 154199312002019FDB14EF64CD95F6EB7A5AF84314F09806DF9469F2D2CBB4A805CB96

Function 00AD302E Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00AD30CD

Strings

blank, xrefs: 00AD304F
warning, xrefs: 00AD30B6
info, xrefs: 00AD306E
stop, xrefs: 00AD309E
question, xrefs: 00AD3086

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 8ee7a110442802306b2c4a617a0b09f7da00013631ebdffbc88d47f5c53d2cc5
Instruction ID: f99aeb7ed50a2f876c1e317d01ca35cf937fa13d248f4d187eadab6ef2b06474
Opcode Fuzzy Hash: 8ee7a110442802306b2c4a617a0b09f7da00013631ebdffbc88d47f5c53d2cc5
Instruction Fuzzy Hash: 57112737708317BAEF209B54EC42CBE77EC9F15360F20406BF906A6382DAB55F4185A6

Function 00AD4339 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00AD4353
LoadStringW.USER32(00000000), ref: 00AD435A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00AD4370
LoadStringW.USER32(00000000), ref: 00AD4377
_wprintf.LIBCMT ref: 00AD439D
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00AD43BB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00AD4398

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: e4e1f67e05f458cd69b6c18b06f1e828a4fe46737ad0461fad29cb1ebc6ca56a
Instruction ID: 28ff97fd17cbf12bcc00af2ae3de910802551480f523d328212c1aec3f625565
Opcode Fuzzy Hash: e4e1f67e05f458cd69b6c18b06f1e828a4fe46737ad0461fad29cb1ebc6ca56a
Instruction Fuzzy Hash: 1F0162F290020CBFEB51DBE4DD89EF6776CDB08301F0005A6B709E6151EA749E858B75

Function 00A72A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00AAC347,00000004,00000000,00000000,00000000), ref: 00A72ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00AAC347,00000004,00000000,00000000,00000000,000000FF), ref: 00A72B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00AAC347,00000004,00000000,00000000,00000000), ref: 00AAC39A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00AAC347,00000004,00000000,00000000,00000000), ref: 00AAC406

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 7f00a4d048d6fc15fbe5e6c647efe64ade76dcc1d22a6cb784675896493a8826
Instruction ID: b7c97212cd0e4a6e05295449670fcfd3cd8f8f2768cbaf4a0526e9f625aa939c
Opcode Fuzzy Hash: 7f00a4d048d6fc15fbe5e6c647efe64ade76dcc1d22a6cb784675896493a8826
Instruction Fuzzy Hash: 1141EB316047809EEB359B68CD8977BBBE5AF86350F28C91DE04F8B5A0CB719846D721

Function 00AD716F Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00AD7186

Part of subcall function 00A90F36: std::exception::exception.LIBCMT ref: 00A90F6C
Part of subcall function 00A90F36: __CxxThrowException@8.LIBCMT ref: 00A90F81

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00AD71BD
RtlEnterCriticalSection.NTDLL(?), ref: 00AD71D9
_memmove.LIBCMT ref: 00AD7227
_memmove.LIBCMT ref: 00AD7244
RtlLeaveCriticalSection.NTDLL(?), ref: 00AD7253
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00AD7268
InterlockedExchange.KERNEL32(?,000001F6), ref: 00AD7287

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: d64d9a0c6a5e83d7f201b26c7fa21b237046f5c5be7a4b504968e665661bec44
Instruction ID: e3231cdfdd6dd821f98df73181fcebbcf23336a07f84d354b38dc24b14045a0c
Opcode Fuzzy Hash: d64d9a0c6a5e83d7f201b26c7fa21b237046f5c5be7a4b504968e665661bec44
Instruction Fuzzy Hash: 5C319272A00205EFCF24DF94DD85EAEB7B8EF45750F1441A5F9049B256DB309E11CBA0

Function 00AF6205 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00AF621D
GetDC.USER32(00000000), ref: 00AF6225
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AF6230
ReleaseDC.USER32(00000000,00000000), ref: 00AF623C
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00AF6278
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00AF6289
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00AF905C,?,?,000000FF,00000000,?,000000FF,?), ref: 00AF62C3
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00AF62E3

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 380e4192acde06e6d4fd425653038c28e61ac687b18934b7797ef895d0c5f90e
Instruction ID: bac792409c703d9749f6ed245cf4d597df1665e9842e817ea0e6a93d324c99bb
Opcode Fuzzy Hash: 380e4192acde06e6d4fd425653038c28e61ac687b18934b7797ef895d0c5f90e
Instruction Fuzzy Hash: F5313E726011146FEB118F94DC89FFA3BA9EF09761F044065FE48DA191DA759842CB64

Function 00A71424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d5f30de5531378b0ac26373e76ef7dfbc78a9ed912cae201c7cf349aa036a8
Instruction ID: ffdae4298ab56d418b32716b32e4b5e9a45369bcdb2f3b368dfd789ec414ec1f
Opcode Fuzzy Hash: 64d5f30de5531378b0ac26373e76ef7dfbc78a9ed912cae201c7cf349aa036a8
Instruction Fuzzy Hash: E2714B70900109EFCB14DF98CC89ABEBBB9FF85314F14C159F919AB252D734AA51CBA4

Function 00AFB385 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00D24B60), ref: 00AFB41F
IsWindowEnabled.USER32(00D24B60), ref: 00AFB42B
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00AFB50F
SendMessageW.USER32(00D24B60,000000B0,?,?), ref: 00AFB546
IsDlgButtonChecked.USER32(?,?), ref: 00AFB583
GetWindowLongW.USER32(00D24B60,000000EC), ref: 00AFB5A5
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00AFB5BD

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: d6e16d1e45cc4dd99e3e985bee402741c9e8b999cf232dd8eb25390f1fbf2c4f
Instruction ID: cbf73fb5f49e23464dc9ff81291f005ddd92bdfa030d04e444ae4ca04bdde21a
Opcode Fuzzy Hash: d6e16d1e45cc4dd99e3e985bee402741c9e8b999cf232dd8eb25390f1fbf2c4f
Instruction Fuzzy Hash: FA718E34615208EFDB24DFE4C994FBABBB5EF09301F144069FA56972A2CB31AD41CB20

Function 00AEF532 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AEF55C
_memset.LIBCMT ref: 00AEF625
ShellExecuteExW.SHELL32(?), ref: 00AEF66A

Part of subcall function 00A79997: __itow.LIBCMT ref: 00A799C2
Part of subcall function 00A79997: __swprintf.LIBCMT ref: 00A79A0C

Part of subcall function 00A8FE06: _wcscpy.LIBCMT ref: 00A8FE29

GetProcessId.KERNEL32(00000000), ref: 00AEF6E1
CloseHandle.KERNEL32(00000000), ref: 00AEF710

Strings

@, xrefs: 00AEF639

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 11cdbdbd54eef5a9da9fd5fa92a371500f3145657c35cdcfa3d238d49268d01f
Instruction ID: 935f0f05961928af0bd1119b40817f81ead0d6abc3174ad9379a7c94cf3bff4e
Opcode Fuzzy Hash: 11cdbdbd54eef5a9da9fd5fa92a371500f3145657c35cdcfa3d238d49268d01f
Instruction Fuzzy Hash: 5C61C175A006599FCF14EF95C9809AEBBF5FF48310F14846DE85AAB361CB30AD41CB90

Function 00AD127E Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00AD12BD
GetKeyboardState.USER32(?), ref: 00AD12D2
SetKeyboardState.USER32(?), ref: 00AD1333
PostMessageW.USER32(?,00000101,00000010,?), ref: 00AD1361
PostMessageW.USER32(?,00000101,00000011,?), ref: 00AD1380
PostMessageW.USER32(?,00000101,00000012,?), ref: 00AD13C6
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00AD13E9

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 582a2b571d24c362a3617dee49bafdca59112b9fb04ea065387c056f816cfa36
Instruction ID: 50428d22477d9398231a19f4339ef8809b275ef01be8d52eca0dec11fdfe9222
Opcode Fuzzy Hash: 582a2b571d24c362a3617dee49bafdca59112b9fb04ea065387c056f816cfa36
Instruction Fuzzy Hash: 0A51E6A0A087D53EFB364774CC45BBA7EA96F06304F08458AE0D689AC3C6D9EDC4D750

Function 00AD1097 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00AD10D6
GetKeyboardState.USER32(?), ref: 00AD10EB
SetKeyboardState.USER32(?), ref: 00AD114C
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00AD1178
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00AD1195
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00AD11D9
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00AD11FA

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e448f5c82ba9e8eb2a5e9068defa66d2526dcef556f83c77a16ae5a390273d9a
Instruction ID: 94747b8c8585520790d0a5e95d1f1107cd2f1c8de75e41118025a192c7e672b6
Opcode Fuzzy Hash: e448f5c82ba9e8eb2a5e9068defa66d2526dcef556f83c77a16ae5a390273d9a
Instruction Fuzzy Hash: B95118A06447D63DFB3287748C45BBABFA96F06300F08468FF1D686AC2D295EC89D750

Function 00AD56A4 Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00AD56B1
_wcsncpy.LIBCMT ref: 00AD56E6
_wcsncpy.LIBCMT ref: 00AD5718
_wcsncpy.LIBCMT ref: 00AD574B
_wcsncpy.LIBCMT ref: 00AD578D
_wcsncpy.LIBCMT ref: 00AD57C7
_wcsncpy.LIBCMT ref: 00AD57F6

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 784ce88cdd1f7503b3c0afe22ebd8bf90a13967fdfa3502fb80b33f12841b7d9
Instruction ID: b9d8c2b6a7d31fc0ead94852f09c7255766aaacfe5e07c2a0187ca0b8d1d2307
Opcode Fuzzy Hash: 784ce88cdd1f7503b3c0afe22ebd8bf90a13967fdfa3502fb80b33f12841b7d9
Instruction Fuzzy Hash: C541A1A6D2061476CF11EBF49846EDFB7BCAF09310F108866F919E3221E634A745C3E6

Function 00AD36B5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD46AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00AD36DB,?), ref: 00AD46CC

Part of subcall function 00AD46AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00AD36DB,?), ref: 00AD46E5

lstrcmpiW.KERNEL32(?,?), ref: 00AD36FB
_wcscmp.LIBCMT ref: 00AD3717
MoveFileW.KERNEL32(?,?), ref: 00AD372F
_wcscat.LIBCMT ref: 00AD3777
SHFileOperationW.SHELL32(?), ref: 00AD37E3

Strings

\*.*, xrefs: 00AD3771

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 262f082e467a081b706f60c6d871be0b9fab03995adcb2cc3550f9e5cdfc18ab
Instruction ID: ddd32c362f34cff8e3ea9cafcae98d85b8b54766c776c9bbfe156f712d668941
Opcode Fuzzy Hash: 262f082e467a081b706f60c6d871be0b9fab03995adcb2cc3550f9e5cdfc18ab
Instruction Fuzzy Hash: F8419FB2508345AECB51EF64D541ADFB7E8EF88380F00092FB49AC3261EA34D748C756

Function 00AF72C3 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AF72DC
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AF7383
IsMenu.USER32(?), ref: 00AF739B
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00AF73E3
DrawMenuBar.USER32 ref: 00AF73F6

Strings

0, xrefs: 00AF72D0

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: f68dd2515cedbba92d058470be31095d82f4b6614219f0d9a67572a682bfe7e3
Instruction ID: 5f2d0ef9f91e83589f12f866242a9fdc453aa0f93a82c43baf3a9f6d53ab57a7
Opcode Fuzzy Hash: f68dd2515cedbba92d058470be31095d82f4b6614219f0d9a67572a682bfe7e3
Instruction Fuzzy Hash: EA411575A04209EFDB20DF90D884AAEBBF8FF08315F148129FE559B260D730AD51DBA0

Function 00AF102D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00AF105C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AF1086
FreeLibrary.KERNEL32(00000000), ref: 00AF113D

Part of subcall function 00AF102D: RegCloseKey.ADVAPI32(?), ref: 00AF10A3
Part of subcall function 00AF102D: FreeLibrary.KERNEL32(?), ref: 00AF10F5
Part of subcall function 00AF102D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00AF1118

RegDeleteKeyW.ADVAPI32(?,?), ref: 00AF10E0

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 6bb1b5dbf83341ea53ed56b3a1a52dc49ea8fd34ab8940b13f7cec5681b9c329
Instruction ID: 24d1814a67698b83993cf9d68027a2eda955e993978703c3e53789eeb9ab0b74
Opcode Fuzzy Hash: 6bb1b5dbf83341ea53ed56b3a1a52dc49ea8fd34ab8940b13f7cec5681b9c329
Instruction Fuzzy Hash: 9A31F9B190111DFFDB15DBD0DC89EFEB7BCEF09340F000169F611A2151EA749E859AA4

Function 00AF62FF Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00AF631E
GetWindowLongW.USER32(00D24B60,000000F0), ref: 00AF6351
GetWindowLongW.USER32(00D24B60,000000F0), ref: 00AF6386
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00AF63B8
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00AF63E2
GetWindowLongW.USER32(00000000,000000F0), ref: 00AF63F3
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00AF640D

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 00ed4c93ecf7e9fd27e905e6d56c65ec4e6e9e6f3c3bf7093513a751c7508ebc
Instruction ID: 94ecbe3caf441bb72cb9a2df39b01c1bd3967c7702fdf794df3a288bc9bcb378
Opcode Fuzzy Hash: 00ed4c93ecf7e9fd27e905e6d56c65ec4e6e9e6f3c3bf7093513a751c7508ebc
Instruction Fuzzy Hash: 5731E335644258AFDB21CF98DC85F6937E1FB4A710F2942A4F611CF2B2CB72A841DB51

Function 00AE6289 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE7EA0: inet_addr.WS2_32(00000000), ref: 00AE7ECB

socket.WS2_32(00000002,00000001,00000006), ref: 00AE62DC
WSAGetLastError.WS2_32(00000000), ref: 00AE62EB
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00AE6324
connect.WSOCK32(00000000,?,00000010), ref: 00AE632D
WSAGetLastError.WS2_32 ref: 00AE6337
closesocket.WS2_32(00000000), ref: 00AE6360
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00AE6379

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: df0190a424a4ece052004a0fd9ae18777041674c9222656b929239e3291c72b8
Instruction ID: 3513ca46f0936044dc26040034df3018a69ae9e337d5208bee2ff64f1c5a708e
Opcode Fuzzy Hash: df0190a424a4ece052004a0fd9ae18777041674c9222656b929239e3291c72b8
Instruction Fuzzy Hash: 8931B831600118AFDB10EFA5CD85BBE77B9EF547A0F048469FE459B291DB70AC05CBA1

Function 00ACF98F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00ACF9A2
__wcsnicmp.LIBCMT ref: 00ACF9C3
__wcsnicmp.LIBCMT ref: 00ACF9DD

Strings

#OnAutoItStartRegister, xrefs: 00ACF9D7
#notrayicon, xrefs: 00ACF99A
#requireadmin, xrefs: 00ACF9BD

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 8fd63f12ecad2fa15d91e86316a1bb14f5d41c3a30e69adad6e4f7ffb3bc854f
Instruction ID: 800a17dc3428604d7920fa98854fe9c7c90787d274c309207f3b5ea31ae00e04
Opcode Fuzzy Hash: 8fd63f12ecad2fa15d91e86316a1bb14f5d41c3a30e69adad6e4f7ffb3bc854f
Instruction Fuzzy Hash: 16214C332085117EDA31AB299C02FB7B3E99F51350F51843DF88A86191EB619D46C391

Function 00AF75FF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A71D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A71D73
Part of subcall function 00A71D35: GetStockObject.GDI32(00000011), ref: 00A71D87
Part of subcall function 00A71D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A71D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00AF7664
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00AF7671
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00AF767C
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00AF768B
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00AF7697

Strings

Msctls_Progress32, xrefs: 00AF7635

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 7f9843007a262028482d9e9f12708f54a05f50729ef67ffe5351670a74f19d92
Instruction ID: 21c7db16e3d73dccac374292ced9409e9341b8558258709b18fd0a9c3879c0f3
Opcode Fuzzy Hash: 7f9843007a262028482d9e9f12708f54a05f50729ef67ffe5351670a74f19d92
Instruction Fuzzy Hash: BC1193B111021DBEEF119FA4CC85EFB7F6DEF08758F014115B708A2050CA719C21DBA4

Function 00A94109 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 00A94123
GetProcAddress.KERNEL32(00000000), ref: 00A9412A
RtlEncodePointer.NTDLL(00000000), ref: 00A94136
RtlDecodePointer.NTDLL(00000001), ref: 00A94153

Strings

combase.dll, xrefs: 00A9411E
RoInitialize, xrefs: 00A94112

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: d645723b447c0d5ad198317eb76602b688d31fc47f04bc977d584e1f0f8f9bd3
Instruction ID: 1b624531ad1b249ef8f8c2b6c9731b70c70395d7d2c4d7a0ce140e7d98b984c3
Opcode Fuzzy Hash: d645723b447c0d5ad198317eb76602b688d31fc47f04bc977d584e1f0f8f9bd3
Instruction Fuzzy Hash: 36E0ED70790740AEDF109BB4EC4DB2939D4AB15B02F204674B511E60F0CBB5458ACA00

Function 00A941DE Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00A940F8), ref: 00A941F8
GetProcAddress.KERNEL32(00000000), ref: 00A941FF
RtlEncodePointer.NTDLL(00000000), ref: 00A9420A
RtlDecodePointer.NTDLL(00A940F8), ref: 00A94225

Strings

RoUninitialize, xrefs: 00A941E7
combase.dll, xrefs: 00A941F3

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: a620198c805671560b95779b56e65422d3481474c27e95609082eaca44905122
Instruction ID: 034f9fef0e532422c82622a001e6c4e602319b5aaa49a4cffc76981a95f8d964
Opcode Fuzzy Hash: a620198c805671560b95779b56e65422d3481474c27e95609082eaca44905122
Instruction Fuzzy Hash: EBE0B6B0691700AFEB10DBE5EC0DF5A3AE4BB08B42F204225F111E61B0CFB64646DA14

Function 00AE6C19 Relevance: 9.2, APIs: 6, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WS2_32(00000000,?), ref: 00AE6D16
WSAGetLastError.WS2_32(00000000), ref: 00AE6D4A
htons.WS2_32(?), ref: 00AE6E00
inet_ntoa.WS2_32(?), ref: 00AE6DBD

Part of subcall function 00ACABF4: _strlen.LIBCMT ref: 00ACABFE
Part of subcall function 00ACABF4: _memmove.LIBCMT ref: 00ACAC20

_strlen.LIBCMT ref: 00AE6E5A
_memmove.LIBCMT ref: 00AE6EC3

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 0eaba83d6d6e1fd76b305dc4e3e284681a85ff5058635a78c1b37ad58901b9ef
Instruction ID: f11a2f3ebca88ee74165991ef79b877cfac39f90f378fa8c7885469642635d64
Opcode Fuzzy Hash: 0eaba83d6d6e1fd76b305dc4e3e284681a85ff5058635a78c1b37ad58901b9ef
Instruction Fuzzy Hash: 4B81DB31604240AFC710EB25CD86E6BB3E9EF94764F148929F5599B2A2DB70ED01CB92

Function 00AD6561 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AD66B4
_memmove.LIBCMT ref: 00AD65EF

Part of subcall function 00A79997: __itow.LIBCMT ref: 00A799C2
Part of subcall function 00A79997: __swprintf.LIBCMT ref: 00A79A0C

_memmove.LIBCMT ref: 00AD6662
_memmove.LIBCMT ref: 00AD6749
_memmove.LIBCMT ref: 00AD6762
_memmove.LIBCMT ref: 00AD677E

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: b808e00578c5bbebc54d8143590a9ab1dfbd786ead7e520a0c9d7068154000a0
Instruction ID: 9fc298ca8fd1d8adb685d67a7eb65617973bebf1b61b8e7eda81fe1fb300b64b
Opcode Fuzzy Hash: b808e00578c5bbebc54d8143590a9ab1dfbd786ead7e520a0c9d7068154000a0
Instruction Fuzzy Hash: 8861BF3160065A9FDF15EF20CE82EFE37A8AF48318F04855AF95A5B292DB34ED05CB50

Function 00AF026F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A77F41: _memmove.LIBCMT ref: 00A77F82

Part of subcall function 00AF0EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AEFE38,?,?), ref: 00AF0EBC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AF0348
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AF0388
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00AF03AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00AF03D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00AF0417
RegCloseKey.ADVAPI32(00000000), ref: 00AF0424

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 35157a8f5d174951b0e067061da7d96805631a867fde72e205ffce5122b52e90
Instruction ID: 7a54c64e46e9550da4e8deee3c47d727a13954a730e9f180ce4d9c8398934c17
Opcode Fuzzy Hash: 35157a8f5d174951b0e067061da7d96805631a867fde72e205ffce5122b52e90
Instruction Fuzzy Hash: E2513D312082049FC714EFA4C985E6FBBE9FF88354F04891DF6458B1A2DB71E905CB52

Function 00AF5802 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00AF5864
GetMenuItemCount.USER32(00000000), ref: 00AF589B
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00AF58C3
GetMenuItemID.USER32(?,?), ref: 00AF5932
GetSubMenu.USER32(?,?), ref: 00AF5940
PostMessageW.USER32(?,00000111,?,00000000), ref: 00AF5991

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 83495043ca54d5ad7e8527e36809dae6c07bcfed72dbe9a80b73ebc6d6e03c37
Instruction ID: 8a810a70642c91ac389848eeac7f474d2bc5b71965cf113372e290a05ecc9665
Opcode Fuzzy Hash: 83495043ca54d5ad7e8527e36809dae6c07bcfed72dbe9a80b73ebc6d6e03c37
Instruction Fuzzy Hash: E8514C71E00619EFCF15DFA4C985AAEB7B4EF48360F108059FA55AB351CB70AE41CB90

Function 00ACF1FE Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00ACF218
VariantClear.OLEAUT32(00000013), ref: 00ACF28A
VariantClear.OLEAUT32(00000000), ref: 00ACF2E5
_memmove.LIBCMT ref: 00ACF30F
VariantClear.OLEAUT32(?), ref: 00ACF35C
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00ACF38A

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 1da7be3b057dacbdaccc2c01d777b8af70b1fa2e84a1e7e04ff7cf5895cfab91
Instruction ID: 74104a0a55fdb53002a4e1e51bc51da3a4f66048623eee6e18b4cf509b79f959
Opcode Fuzzy Hash: 1da7be3b057dacbdaccc2c01d777b8af70b1fa2e84a1e7e04ff7cf5895cfab91
Instruction Fuzzy Hash: 035137B5A00249AFCB14CF58C884EAAB7B9FF4C314B168569ED59DB301D730EA11CBA0

Function 00AD2502 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AD2550
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AD259B
IsMenu.USER32(00000000), ref: 00AD25BB
CreatePopupMenu.USER32 ref: 00AD25EF
GetMenuItemCount.USER32(000000FF), ref: 00AD264D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00AD267E

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 4220f301a6f4ada9c8034ee1ef5b8c2fc1950000c845019268338ffdb462e7a9
Instruction ID: 573342d6306ba663c7e5df429f4a8b8290344f2bd866ffdd169d231894c26a25
Opcode Fuzzy Hash: 4220f301a6f4ada9c8034ee1ef5b8c2fc1950000c845019268338ffdb462e7a9
Instruction Fuzzy Hash: 02517C70A00349AFDF20CFA8D988BADBBF5EF65314F14416AE85297390E770DA45CB51

Function 00A71765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00A72612: GetWindowLongW.USER32(?,000000EB), ref: 00A72623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00A7179A
GetWindowRect.USER32(?,?), ref: 00A717FE
ScreenToClient.USER32(?,?), ref: 00A7181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A7182C
EndPaint.USER32(?,?), ref: 00A71876

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 05af357f4a05a57abf973cf15a8ede1c26cdbfe8655ab826f463310ef6a46874
Instruction ID: bc6e68a67e824d35edf420ca6dcc29819de9a41f2e4cf8aafa93625e6d15c133
Opcode Fuzzy Hash: 05af357f4a05a57abf973cf15a8ede1c26cdbfe8655ab826f463310ef6a46874
Instruction Fuzzy Hash: F9417371104600AFD720DF69CC84F7A7BF8EB45724F148669FA98872A2CB309845DB62

Function 00AFB6D2 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00B357B0,00000000,00D24B60,?,?,00B357B0,?,00AFB5DC,?,?), ref: 00AFB746
EnableWindow.USER32(00000000,00000000), ref: 00AFB76A
ShowWindow.USER32(00B357B0,00000000,00D24B60,?,?,00B357B0,?,00AFB5DC,?,?), ref: 00AFB7CA
ShowWindow.USER32(00000000,00000004,?,00AFB5DC,?,?), ref: 00AFB7DC
EnableWindow.USER32(00000000,00000001), ref: 00AFB800
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00AFB823

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 68242f4290359a92980ab5e594e96c7e5b038120fa210e6f1e98e4e942f7618e
Instruction ID: 270ea2f1afe4c37d3227a3eec4862776dedbeef677603d268765597b08c8bea9
Opcode Fuzzy Hash: 68242f4290359a92980ab5e594e96c7e5b038120fa210e6f1e98e4e942f7618e
Instruction Fuzzy Hash: B4415434611148EFDB21DFA4C889BA47BF5FF45394F1841B9FA498F262C731A846CBA1

Function 00AE71B3 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00AE4F57,?,?,00000000,00000001), ref: 00AE71C1

Part of subcall function 00AE3AB6: GetWindowRect.USER32(?,?), ref: 00AE3AC9

GetDesktopWindow.USER32 ref: 00AE71EB
GetWindowRect.USER32(00000000), ref: 00AE71F2
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00AE7224

Part of subcall function 00AD52EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AD5363

GetCursorPos.USER32(?), ref: 00AE7250
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00AE72AE

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 03ba04d502b6b31edefc6e1546beba515aec851368d94196a55b0fc9bc82d040
Instruction ID: 36f09bf022b70c94cbeccdb405ee918112b69bc76103a3fb87822a986d9d05af
Opcode Fuzzy Hash: 03ba04d502b6b31edefc6e1546beba515aec851368d94196a55b0fc9bc82d040
Instruction Fuzzy Hash: FF31D272509345AFD720DF95C849B9FB7A9FF88314F00092AF58597191DB30E909CB92

Function 00ADEBAF Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00A79997: __itow.LIBCMT ref: 00A799C2
Part of subcall function 00A79997: __swprintf.LIBCMT ref: 00A79A0C

Part of subcall function 00A8FE06: _wcscpy.LIBCMT ref: 00A8FE29

_wcstok.LIBCMT ref: 00ADED20
_wcscpy.LIBCMT ref: 00ADEDAF
_memset.LIBCMT ref: 00ADEDE2

Strings

X, xrefs: 00ADEE1F

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 766400fe693e48b25fa31fc7141e61bf6a0c54dfe4ecf74e3644cfa9e89c191d
Instruction ID: 86254d79f0ca7574631c3ca92b90d1d1d316ebe93ba9d19e54651a0e2d2fdd03
Opcode Fuzzy Hash: 766400fe693e48b25fa31fc7141e61bf6a0c54dfe4ecf74e3644cfa9e89c191d
Instruction Fuzzy Hash: E3C14F716083009FC724EF64C985A5EB7E4BF89350F14896EF49A9B3A1DB70ED45CB82

Function 00AC8B3B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC83D1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AC83E8
Part of subcall function 00AC83D1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AC83F2
Part of subcall function 00AC83D1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AC8401
Part of subcall function 00AC83D1: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00AC8408
Part of subcall function 00AC83D1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AC841E

GetLengthSid.ADVAPI32(?,00000000,00AC8757), ref: 00AC8B8C
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00AC8B98
RtlAllocateHeap.NTDLL(00000000), ref: 00AC8B9F
CopySid.ADVAPI32(00000000,00000000,?), ref: 00AC8BB8
GetProcessHeap.KERNEL32(00000000,00000000,00AC8757), ref: 00AC8BCC
HeapFree.KERNEL32(00000000), ref: 00AC8BD3

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 169236558-0
Opcode ID: 1436a173e6afa83373556539b39a5db98c7d59a437f724c4adb4d6af098c6f8c
Instruction ID: f36c89b40408b933cecbdb8a2f482f59a59d5ee972ae0541691ac70550aa9ceb
Opcode Fuzzy Hash: 1436a173e6afa83373556539b39a5db98c7d59a437f724c4adb4d6af098c6f8c
Instruction Fuzzy Hash: 001164B2600205FFDB10DBA4CC09FAEBBA8FF45365F158129E84597250DA3AAE01CB60

Function 00ACBA52 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00ACBA77
GetDeviceCaps.GDI32(00000000,00000058), ref: 00ACBA88
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00ACBA8F
ReleaseDC.USER32(00000000,00000000), ref: 00ACBA97
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00ACBAAE
MulDiv.KERNEL32(000009EC,?,?), ref: 00ACBAC0

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: d2db176a3b471c415d9ffe4dde2978e6d43d976b029eccf7908abba72ffb7926
Instruction ID: 849234675456d51c8caa185db848806b367f8f2f783a644cd5703745145d62d8
Opcode Fuzzy Hash: d2db176a3b471c415d9ffe4dde2978e6d43d976b029eccf7908abba72ffb7926
Instruction Fuzzy Hash: 49012175A40218BFEF109BE59D45F5EBFA8EF48751F004065FA04A7291DA719911CFA0

Function 00A902E2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A90313
MapVirtualKeyW.USER32(00000010,00000000), ref: 00A9031B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A90326
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A90331
MapVirtualKeyW.USER32(00000011,00000000), ref: 00A90339
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A90341

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 351413aa5660da6a4c94523d45d8cd65a116a74fd35b0f350c4fd4fd4bd9ba5a
Instruction ID: b652299aa226ed352c6daa0a518323c791d1217189c300c072fd1419f85e57db
Opcode Fuzzy Hash: 351413aa5660da6a4c94523d45d8cd65a116a74fd35b0f350c4fd4fd4bd9ba5a
Instruction Fuzzy Hash: F9016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C87941C7F5A864CBE5

Function 00AD5490 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00AD54A0
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00AD54B6
GetWindowThreadProcessId.USER32(?,?), ref: 00AD54C5
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AD54D4
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AD54DE
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AD54E5

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 093b2c0c67f327bf900b02a1a0f9988f170635ba8c545f2f173b5394ad8c0470
Instruction ID: f84cedc485b2749c345cef58fc585f2c7ce8970073ff54a793ab6b86c43e8449
Opcode Fuzzy Hash: 093b2c0c67f327bf900b02a1a0f9988f170635ba8c545f2f173b5394ad8c0470
Instruction Fuzzy Hash: 1BF01D32641158BFE7219BE29C0DEFB7A7CEFCAB11F000169FA05D11909BA55A02C6B5

Function 00AD72D9 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00AD72EC
RtlEnterCriticalSection.NTDLL(?), ref: 00AD72FD
TerminateThread.KERNEL32(00000000,000001F6,?,00A81044,?,?), ref: 00AD730A
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00A81044,?,?), ref: 00AD7317

Part of subcall function 00AD6CDE: CloseHandle.KERNEL32(00000000,?,00AD7324,?,00A81044,?,?), ref: 00AD6CE8

InterlockedExchange.KERNEL32(?,000001F6), ref: 00AD732A
RtlLeaveCriticalSection.NTDLL(?), ref: 00AD7331

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: ecfb19070f06debff1239686d4ca04e736a7f7fcd6abd850b6d99634a6b4fa99
Instruction ID: c28579195598fb3e6828456141fe25d5f26a730e2021646f0b24ee63901b76a8
Opcode Fuzzy Hash: ecfb19070f06debff1239686d4ca04e736a7f7fcd6abd850b6d99634a6b4fa99
Instruction Fuzzy Hash: BAF05E76140612EFE7115BE4ED8C9EA772AEF49702B000532F603951A0DB755812CBA0

Function 00AE8702 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AE8728
CharUpperBuffW.USER32(?,?), ref: 00AE8837
VariantClear.OLEAUT32(?), ref: 00AE89AF

Part of subcall function 00AD760B: VariantInit.OLEAUT32(00000000), ref: 00AD764B
Part of subcall function 00AD760B: VariantCopy.OLEAUT32(00000000,?), ref: 00AD7654
Part of subcall function 00AD760B: VariantClear.OLEAUT32(00000000), ref: 00AD7660

Strings

AUTOIT.ERROR, xrefs: 00AE883D
Incorrect Parameter format, xrefs: 00AE8760, 00AE8922

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: d13a5e76e66384a75ba832123834b24dccd418c9834664cb1ce5c4f8a72d92e8
Instruction ID: 5658e3194877a0e245d51e3e19d2e0774c2a0d8de68e29b9e81d6639968acc97
Opcode Fuzzy Hash: d13a5e76e66384a75ba832123834b24dccd418c9834664cb1ce5c4f8a72d92e8
Instruction Fuzzy Hash: C291AE35A083419FC700DF25C98096BBBF4EF89754F14896EF89A8B362DB31E905CB52

Function 00AD2D8E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8FE06: _wcscpy.LIBCMT ref: 00A8FE29

_memset.LIBCMT ref: 00AD2E7F
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AD2EAE
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AD2F61
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00AD2F8F

Strings

0, xrefs: 00AD2E6B

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 665846bed442502edd60cf0f80a4eb8f4724b13b96469264c622fabfb9e0f64e
Instruction ID: 475efcc0530e6951acbf59b2066114a9bb37b3d9975b693e29e189363d226438
Opcode Fuzzy Hash: 665846bed442502edd60cf0f80a4eb8f4724b13b96469264c622fabfb9e0f64e
Instruction Fuzzy Hash: A551B1716083019ED7259F28C845B6BBBF4EFA9350F144A2EF896D32A1DB70CD14C792

Function 00ACD87B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00ACD8E3
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00ACD919
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00ACD92A
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00ACD9AC

Strings

DllGetClassObject, xrefs: 00ACD91F

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 44d4d606515ebb79f09523cdb1ba20768e3e83f6c93d68e0070b055be0320c98
Instruction ID: bb87a4e05ef8cda1a5974ccdc5dcd105def62acab98ca708016562d057d1f8f5
Opcode Fuzzy Hash: 44d4d606515ebb79f09523cdb1ba20768e3e83f6c93d68e0070b055be0320c98
Instruction Fuzzy Hash: 6C418B76600204EFDB14CF54C884FAABBB9EF4A314B1281BDE9099F245D7B1DD44CBA0

Function 00AD2A4B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AD2AB8
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00AD2AD4
DeleteMenu.USER32(?,00000007,00000000), ref: 00AD2B1A
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B35890,00000000), ref: 00AD2B63

Strings

0, xrefs: 00AD2AAD

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: c540e5628baeb19da7655b7df5bda7dc82230b4432837c51ecf8935cfeb748b6
Instruction ID: 351f815afef238223a18872dd64353f08c53c057f30c20f3617e589a81dbf875
Opcode Fuzzy Hash: c540e5628baeb19da7655b7df5bda7dc82230b4432837c51ecf8935cfeb748b6
Instruction Fuzzy Hash: FF41A0302043029FD720DF24C885B6ABBE9EF95320F10466FF9A697391D7B0E905CB62

Function 00AED8B9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00AED8D9

Part of subcall function 00A779AB: _memmove.LIBCMT ref: 00A779F9

Strings

stdcall, xrefs: 00AED95B
none, xrefs: 00AED9B4
winapi, xrefs: 00AED94A
cdecl, xrefs: 00AED930

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: d4c3ff29e3df0f8f9fbea7b03833402f7e127324b9b95b1b8e63bcaf3b883703
Instruction ID: 976e6bc29d24d2f65a516c7bddd8318747aa91c708b36238d3c5e444c0579530
Opcode Fuzzy Hash: d4c3ff29e3df0f8f9fbea7b03833402f7e127324b9b95b1b8e63bcaf3b883703
Instruction Fuzzy Hash: 9D31C471A04619AFCF00EF55CD909EEB3F4FF05710B10C66AE869976D2CB71A905CB90

Function 00AC9152 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A77F41: _memmove.LIBCMT ref: 00A77F82

Part of subcall function 00ACAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00ACAEC7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00AC91D6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00AC91E9
SendMessageW.USER32(?,00000189,?,00000000), ref: 00AC9219

Part of subcall function 00A77D2C: _memmove.LIBCMT ref: 00A77D66

Strings

ListBox, xrefs: 00AC9195
ComboBox, xrefs: 00AC9160

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 62669f6782025d95e377d2ed468d00c48194c1b303a414f67bbc3698b86aa101
Instruction ID: b62aff439c7fef1bf8fd737ee4bfaf86cb9cf0c7aa27ef29b02c7352db571386
Opcode Fuzzy Hash: 62669f6782025d95e377d2ed468d00c48194c1b303a414f67bbc3698b86aa101
Instruction Fuzzy Hash: 4021BD71A001087EDB14ABA49C8ADFFB7A8DF45360B158629B869A72E1DB354D0AD610

Function 00A7410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00AAD51C

Part of subcall function 00A77D2C: _memmove.LIBCMT ref: 00A77D66

_memset.LIBCMT ref: 00A7418D
_wcscpy.LIBCMT ref: 00A741E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A741F1

Strings

Line: , xrefs: 00AAD545

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: a8ef17acbe8bf3b12a253eb61295fba08e537f5b8a930d497e5b626ecce58379
Instruction ID: 5cadee5f93bf9fdcef46b80b993379c8576173b789a283bb6df52fcfe398b577
Opcode Fuzzy Hash: a8ef17acbe8bf3b12a253eb61295fba08e537f5b8a930d497e5b626ecce58379
Instruction Fuzzy Hash: C331A171508304AED771EBA0DD45BEF77E8AF58300F20C61AF599930A1EF70A648CB92

Function 00AE1943 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00AE1962
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AE1988
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00AE19B8
InternetCloseHandle.WININET(00000000), ref: 00AE19FF

Part of subcall function 00AE2599: GetLastError.KERNEL32(?,?,00AE192D,00000000,00000000,00000001), ref: 00AE25AE
Part of subcall function 00AE2599: SetEvent.KERNEL32(?,?,00AE192D,00000000,00000000,00000001), ref: 00AE25C3

Strings

, xrefs: 00AE19A9

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 7a38751949b6f210fbdd2b4e51a0d5ab5dfac7c0203d605ad5a92bdacfcd8888
Instruction ID: 3716ebc31f58db3d3f8d3d28ea2b8f0e4a0f9ad471571c4196edfbc665f03c42
Opcode Fuzzy Hash: 7a38751949b6f210fbdd2b4e51a0d5ab5dfac7c0203d605ad5a92bdacfcd8888
Instruction Fuzzy Hash: 6221BEB2500258BFEB21EFA1DD95EBF76FCEB48744F10012AF40596241EA349E0597B1

Function 00AF6419 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A71D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A71D73
Part of subcall function 00A71D35: GetStockObject.GDI32(00000011), ref: 00A71D87
Part of subcall function 00A71D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A71D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00AF6493
LoadLibraryW.KERNEL32(?), ref: 00AF649A
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00AF64AF
DestroyWindow.USER32(?), ref: 00AF64B7

Strings

SysAnimate32, xrefs: 00AF646E

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: d9f41bd88d22aefb35dd3d92d69028010f82711a53850f9cee7aff449eb1283c
Instruction ID: cb7b5b49d889bc1851025d2a97109885d44ed5b964d4fcbb43cfbc18e88e24cd
Opcode Fuzzy Hash: d9f41bd88d22aefb35dd3d92d69028010f82711a53850f9cee7aff449eb1283c
Instruction Fuzzy Hash: 7B218B71600209AFEF20AFE4DE80EBA37A9EF49365F108629FA5497190C7318C51A760

Function 00AD6E45 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00AD6E65
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AD6E98
GetStdHandle.KERNEL32(0000000C), ref: 00AD6EAA
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00AD6EE4

Strings

nul, xrefs: 00AD6EDF

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 2023301d6aad6730212e36e2ef30576ebf257d174c63b6dd0a71543ac38326b3
Instruction ID: b8453cd47d64d659790901d7bb07dad89f7fed7356a4f02ef55f2e7c65e88be4
Opcode Fuzzy Hash: 2023301d6aad6730212e36e2ef30576ebf257d174c63b6dd0a71543ac38326b3
Instruction Fuzzy Hash: 11217179600205AFDB209F69DC05AEA7BF4AF54720F20462AFCA2D73D0DF709851CB50

Function 00AD6F13 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00AD6F32
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AD6F64
GetStdHandle.KERNEL32(000000F6), ref: 00AD6F75
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00AD6FAF

Strings

nul, xrefs: 00AD6FAA

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 2209f6a1e0aeafb469ef369689b1d9f3313b3d070962c770fddea273f6eef8fa
Instruction ID: 54a4f2879697e0bc9606e0202b926f2d4d1dca4fd52ea21600a518c046f36d01
Opcode Fuzzy Hash: 2209f6a1e0aeafb469ef369689b1d9f3313b3d070962c770fddea273f6eef8fa
Instruction Fuzzy Hash: E821B371600705AFDB209FA8AC44AA977F8AF59720F20465BFCA2D73D0D770A851CB50

Function 00ADACCA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00ADACDE
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00ADAD32
__swprintf.LIBCMT ref: 00ADAD4B
SetErrorMode.KERNEL32(00000000,00000001,00000000,00AFF910), ref: 00ADAD89

Strings

%lu, xrefs: 00ADAD45

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 9da4f1be09646012cb53f743f0f8c34515c803bb577fcc47b57c3c0282779e1e
Instruction ID: 3724ed33f8ff938e3f89c862cf49062ac5488ddff47789c0fb7b96437a541cb8
Opcode Fuzzy Hash: 9da4f1be09646012cb53f743f0f8c34515c803bb577fcc47b57c3c0282779e1e
Instruction Fuzzy Hash: 39214135A00209AFCB10DFA5CD85EAE77F9EF89714B048069F509EB351DB71EA41CB61

Function 00ACA30F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A77D2C: _memmove.LIBCMT ref: 00A77D66

Part of subcall function 00ACA15C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00ACA179
Part of subcall function 00ACA15C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00ACA18C
Part of subcall function 00ACA15C: GetCurrentThreadId.KERNEL32 ref: 00ACA193
Part of subcall function 00ACA15C: AttachThreadInput.USER32(00000000), ref: 00ACA19A

GetFocus.USER32 ref: 00ACA334

Part of subcall function 00ACA1A5: GetParent.USER32(?), ref: 00ACA1B3

GetClassNameW.USER32(?,?,00000100), ref: 00ACA37D
EnumChildWindows.USER32(?,00ACA3F5), ref: 00ACA3A5
__swprintf.LIBCMT ref: 00ACA3BF

Strings

%s%d, xrefs: 00ACA3B9

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 6d64ed4b9c55c2f0f31f37284a491cfc14ee65b70c8d20e3113c6b8e67ab16c0
Instruction ID: e0167f7badf8aedef3ab097101a1c8bb39ac4817e7d00694587cbf4eb2424100
Opcode Fuzzy Hash: 6d64ed4b9c55c2f0f31f37284a491cfc14ee65b70c8d20e3113c6b8e67ab16c0
Instruction Fuzzy Hash: 4C11AF752002097BDF11BFA0DD86FFA77B8AF55704F048079BA1CAA252CA705D468B75

Function 00AEEC69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00AEED1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00AEED4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00AEEE7E
CloseHandle.KERNEL32(?), ref: 00AEEEFF

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 2f12d7cda42d9ca5985b4ae055cb484e15653a9f41ef3d38f85cffd55ada86b4
Instruction ID: 367fc0fc864252a485dde3b19a54ad07306f10d6422a5740f82f2f4924bf630d
Opcode Fuzzy Hash: 2f12d7cda42d9ca5985b4ae055cb484e15653a9f41ef3d38f85cffd55ada86b4
Instruction Fuzzy Hash: 70815E716003009FD720EF29CD86B2BB7E5AF88720F14C91DF999DB292DB70AC418B95

Function 00A9558D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A955EB
_memcpy_s.LIBCMT ref: 00A9565D
__read_nolock.LIBCMT ref: 00A956BB
__filbuf.LIBCMT ref: 00A956DE
_memset.LIBCMT ref: 00A95722

Part of subcall function 00A98CA8: __getptd_noexit.LIBCMT ref: 00A98CA8

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 17c9c7776e299596ed796557eca7f8bd29831e9b0e98da48d3161094909ff33f
Instruction ID: 5c2593cea51e3b24eb8f9bc64d80bc1a6f4092faf12fcd549da5c1067680f909
Opcode Fuzzy Hash: 17c9c7776e299596ed796557eca7f8bd29831e9b0e98da48d3161094909ff33f
Instruction Fuzzy Hash: B751B270F00B05DBDF268FB9C98266E77F6AF41320F288729F825962D1D7719E508B40

Function 00AF00C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A77F41: _memmove.LIBCMT ref: 00A77F82

Part of subcall function 00AF0EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AEFE38,?,?), ref: 00AF0EBC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AF0188
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AF01C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00AF020E
RegCloseKey.ADVAPI32(?,?), ref: 00AF023A
RegCloseKey.ADVAPI32(00000000), ref: 00AF0247

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: eda6e44e409beacee9ec620dd4ea0a930e6619965d84110b37252f4d94d33f8c
Instruction ID: 5b69ef31a52a72097f61b01c89e72eb1d3860d1c10abdc66d838ae2b5c3e6b0c
Opcode Fuzzy Hash: eda6e44e409beacee9ec620dd4ea0a930e6619965d84110b37252f4d94d33f8c
Instruction Fuzzy Hash: DB511A71208204AFD714EBA4DD85E7EB7E8FF88714F04892DB69987292DB70E905CB52

Function 00AED9DC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00A79997: __itow.LIBCMT ref: 00A799C2
Part of subcall function 00A79997: __swprintf.LIBCMT ref: 00A79A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00AEDA3B
GetProcAddress.KERNEL32(00000000,?), ref: 00AEDABE
GetProcAddress.KERNEL32(00000000,00000000), ref: 00AEDADA
GetProcAddress.KERNEL32(00000000,?), ref: 00AEDB1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00AEDB35

Part of subcall function 00A75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00AD793F,?,?,00000000), ref: 00A75B8C
Part of subcall function 00A75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00AD793F,?,?,00000000,?,?), ref: 00A75BB0

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 45fe051a47881629fcc53dba5e3c80fadb1478e99e3a9d3a1036507c5201016d
Instruction ID: fe56ff8f19a7feca108bc8047e3d9c9f55222d0d517edcd426352f716f9ced8f
Opcode Fuzzy Hash: 45fe051a47881629fcc53dba5e3c80fadb1478e99e3a9d3a1036507c5201016d
Instruction Fuzzy Hash: 0C512635A00245DFDB01EFA9C9849AEB7F4EF48320B05C06AE919AB351DB30AE45CF91

Function 00ADE5FD Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00ADE6AB
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00ADE6D4
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00ADE713

Part of subcall function 00A79997: __itow.LIBCMT ref: 00A799C2
Part of subcall function 00A79997: __swprintf.LIBCMT ref: 00A79A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00ADE738
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00ADE740

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: da315b1cd69f4d59d06a35fa57becad5b8bfd2d69eef6588da9730b4d397615e
Instruction ID: 7b69ea01c870fb11ad15e345381f3ecde098f9748d350e6e66e6ec6972f54554
Opcode Fuzzy Hash: da315b1cd69f4d59d06a35fa57becad5b8bfd2d69eef6588da9730b4d397615e
Instruction Fuzzy Hash: D2512D35A00605DFDF15EF64CA819AEBBF5EF48314B14C099E949AB361CB31ED11DB50

Function 00AFA088 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b337a774825ef89d3641b13731b6bd0bdc2937bf9eaae741acb86bf039592df
Instruction ID: 3d632355cfaffd90e7817c22095a5416f5e00e3b8ecb57b365725298ab6f459f
Opcode Fuzzy Hash: 0b337a774825ef89d3641b13731b6bd0bdc2937bf9eaae741acb86bf039592df
Instruction Fuzzy Hash: 7B41A4B5900248AFD720DFA8CC45FF9BBB8EB19350F160365FA1AA72E1C7309D41DA55

Function 00A72344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A72357
ScreenToClient.USER32(00B357B0,?), ref: 00A72374
GetAsyncKeyState.USER32(00000001), ref: 00A72399
GetAsyncKeyState.USER32(00000002), ref: 00A723A7

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 417ddf68bcfb59b0432aab6b2bcdfc59642347eddac353f3f9f58af156f3c087
Instruction ID: 18595a691b06e96110b0754c89d4470897f9b5696eed9a90caf75846b6f41620
Opcode Fuzzy Hash: 417ddf68bcfb59b0432aab6b2bcdfc59642347eddac353f3f9f58af156f3c087
Instruction Fuzzy Hash: 91416E75A04119FBDF159FA8CC44BE9BB74FB05364F20832AF828972D1C734A994DB91

Function 00AC6700 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AC673D
TranslateAcceleratorW.USER32(?,?,?), ref: 00AC6789
TranslateMessage.USER32(?), ref: 00AC67B2
DispatchMessageW.USER32(?), ref: 00AC67BC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AC67CB

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 78efd34ba988e75a6211952d3176462e363fddfbfb9f25f119a89e2b679631d3
Instruction ID: 245cf3cca52da044ac28deafbd59c3b4d585e0cdb5105da13db1654be3302e01
Opcode Fuzzy Hash: 78efd34ba988e75a6211952d3176462e363fddfbfb9f25f119a89e2b679631d3
Instruction Fuzzy Hash: F031A471904646EFDB20CFB48C44FBA7BE8AF01308F25496DE421C71A1EB25E889D790

Function 00AC8CE1 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00AC8CF2
PostMessageW.USER32(?,00000201,00000001), ref: 00AC8D9C
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00AC8DA4
PostMessageW.USER32(?,00000202,00000000), ref: 00AC8DB2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00AC8DBA

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: a9cb580b9e3e466c7363f517d189c72ebd567b7b9e9aaf460770420969efc1ee
Instruction ID: e987665496fa5306129df8a3d4f96dd87a3ab9188b76c32b612cada6edf9632d
Opcode Fuzzy Hash: a9cb580b9e3e466c7363f517d189c72ebd567b7b9e9aaf460770420969efc1ee
Instruction Fuzzy Hash: BA31BA72500219EFDF14CFA8D948BAE3BB5FF14315F114229F926EA2D0CBB89914DB90

Function 00ACB4AE Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00ACB4C6
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00ACB4E3
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00ACB51B
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00ACB541
_wcsstr.LIBCMT ref: 00ACB54B

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: bda87761128d1acd3218ff8ef24e902dd9f7a707d83ccaed2736ca49e102eb31
Instruction ID: 02f756eb84c16d27394244c3746f3d9467e2e4dcff015de9d02697c2f990968c
Opcode Fuzzy Hash: bda87761128d1acd3218ff8ef24e902dd9f7a707d83ccaed2736ca49e102eb31
Instruction Fuzzy Hash: E021F532214244BEEB259B799D0AF7B7BACDF49760F01802DF805DA1A1EF62CC01D6A0

Function 00AFB17F Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00A72612: GetWindowLongW.USER32(?,000000EB), ref: 00A72623

GetWindowLongW.USER32(?,000000F0), ref: 00AFB1C6
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00AFB1EB
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00AFB203
GetSystemMetrics.USER32(00000004), ref: 00AFB22C
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00AE0FA5,00000000), ref: 00AFB24A

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 9f7a977209757126a843210a7b5e7ebc57b83539f44542d394be5ab13e362b2b
Instruction ID: 764008325c65b36d4440371097e1257284c2378e8560a1a62101b7dd8d12671c
Opcode Fuzzy Hash: 9f7a977209757126a843210a7b5e7ebc57b83539f44542d394be5ab13e362b2b
Instruction Fuzzy Hash: 73216071524619AFCB209FB8CC08BBE37B4EB05721F144734BA26D72E0E7309911DBA0

Function 00AC95C9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AC95E2

Part of subcall function 00A77D2C: _memmove.LIBCMT ref: 00A77D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AC9614
__itow.LIBCMT ref: 00AC962C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AC9654
__itow.LIBCMT ref: 00AC9665

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: e68ce4b3aa3e482a27ac8f19a3aeccdcfe5c28d0acaee1890e56c884e85d7bdd
Instruction ID: a9e254845bf4391e3780f1475de7376ead3c62d492d68d9069f34d7636cfa958
Opcode Fuzzy Hash: e68ce4b3aa3e482a27ac8f19a3aeccdcfe5c28d0acaee1890e56c884e85d7bdd
Instruction Fuzzy Hash: 3821B331700218BBDB20ABA48D8DFBF7BA8EF59710F064029F904D7291EA708D41D795

Function 00A712F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A7134D
SelectObject.GDI32(?,00000000), ref: 00A7135C
BeginPath.GDI32(?), ref: 00A71373
SelectObject.GDI32(?,00000000), ref: 00A7139C

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: fffdc4d6a6acb25660f3d3411fca2682ea4945e00d52f7ab339f1d5b86a9893a
Instruction ID: 9dc1e231342f73862f646ee07b7391b669097a2baa64921e11336c7a9b4428d0
Opcode Fuzzy Hash: fffdc4d6a6acb25660f3d3411fca2682ea4945e00d52f7ab339f1d5b86a9893a
Instruction Fuzzy Hash: B1214C34900608EFDB219F69EC44B6D7BE8FB00321F24C226F9189B1B1DB719992DF90

Function 00AD4B3A Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00AD4B61
__beginthreadex.LIBCMT ref: 00AD4B7F
MessageBoxW.USER32(?,?,?,?), ref: 00AD4B94
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00AD4BAA
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00AD4BB1

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: bf2591fbc9b673b625752ed77ebbf45821090ce7232ab350d2583caf86a8e0a6
Instruction ID: 97525b2446654b9c03dd184a7169a66803ef39eca14747ef3465eeb769ed0f8a
Opcode Fuzzy Hash: bf2591fbc9b673b625752ed77ebbf45821090ce7232ab350d2583caf86a8e0a6
Instruction Fuzzy Hash: 6C11E572904644BFCB109BE89C08AAF7FACEB59320F14436AF915D3351DA71C90087A0

Function 00AC852A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AC8546
GetLastError.KERNEL32(?,00AC800A,?,?,?), ref: 00AC8550
GetProcessHeap.KERNEL32(00000008,?,?,00AC800A,?,?,?), ref: 00AC855F
RtlAllocateHeap.NTDLL(00000000,?,00AC800A), ref: 00AC8566
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AC857D

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
String ID:
API String ID: 883493501-0
Opcode ID: 64725fd0d3bea2056454a685a2bb42864b7884ecee5690b72d408dba286b8f43
Instruction ID: a4ae144afd7d0c7429c510b1b27fd19c9ca026528fe6e25031712ac9e4053157
Opcode Fuzzy Hash: 64725fd0d3bea2056454a685a2bb42864b7884ecee5690b72d408dba286b8f43
Instruction Fuzzy Hash: F3014B75240208EFDB218FE6DC88D6B7BACFF8A355B14053AF909C2220DA728D01CA60

Function 00AD52EB Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AD5307
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00AD5315
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AD531D
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00AD5327
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AD5363

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 3b4e71784125a3301936a7a8969b94e3969c4b106f3c68e30af3e5c47d430410
Instruction ID: 8251ee0b0f813a5a0e122cb7583eb845eacd4f21d20ab35d443d42af4de37182
Opcode Fuzzy Hash: 3b4e71784125a3301936a7a8969b94e3969c4b106f3c68e30af3e5c47d430410
Instruction Fuzzy Hash: 52013532C01A19DBCF00EBF5E8989EDBB78BF08351F05055AEA56B2240CB709551C7A5

Function 00AC7432 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.COMBASE ref: 00AC744F
ProgIDFromCLSID.COMBASE(?,00000000), ref: 00AC746A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AC736C,80070057,?,?), ref: 00AC7478
CoTaskMemFree.COMBASE(00000000), ref: 00AC7488
CLSIDFromString.COMBASE(?,?), ref: 00AC7494

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: aa400221420faf4732bc8ff36e4b4c3f279a8ebf46d0081a0f0d669fe7d9af3a
Instruction ID: 69cbb532a7e126c7bc5292953c9ca3ca9d456629a5508ecb517429242ad098db
Opcode Fuzzy Hash: aa400221420faf4732bc8ff36e4b4c3f279a8ebf46d0081a0f0d669fe7d9af3a
Instruction Fuzzy Hash: 9B014872601218AFDB149FA4DD44BAE7FADEF447A2F158028FD09D6220E732DD419AA0

Function 00AC83D1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AC83E8
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AC83F2
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AC8401
RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00AC8408
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AC841E

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 9c40fd067a1df69c2ff3034a4b483382b0be46e7a0ff880693b86c9ceb80c2ae
Instruction ID: 70b9a452114c67fdaf28f4d1e780b160795ced1cc6677fa4b2c6ca6fe6ed5a46
Opcode Fuzzy Hash: 9c40fd067a1df69c2ff3034a4b483382b0be46e7a0ff880693b86c9ceb80c2ae
Instruction Fuzzy Hash: 1FF04F35204206BFEB109FE5DC89F7B3BACFF89754B000529F945C6150DB659C42DA60

Function 00AC8432 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AC8449
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AC8453
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AC8462
RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00AC8469
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AC847F

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: fea8f7240c8ad118a19b74eabddd737797838945551c3c86b8f856a39365caa1
Instruction ID: 3fee89f1f45385f5442129f6f9f2f3fa55ea531b1859e60fc3bc68a8312e4caf
Opcode Fuzzy Hash: fea8f7240c8ad118a19b74eabddd737797838945551c3c86b8f856a39365caa1
Instruction Fuzzy Hash: 94F04931200205AFEB215FE5EC88F7B3BACFF89794B050129FA59C7250DB659942DA60

Function 00ACC4A5 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00ACC4B9
GetWindowTextW.USER32(00000000,?,00000100), ref: 00ACC4D0
MessageBeep.USER32(00000000), ref: 00ACC4E8
KillTimer.USER32(?,0000040A), ref: 00ACC504
EndDialog.USER32(?,00000001), ref: 00ACC51E

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: c65315e1dc8641536541b11fe99fba68ca9c28ad264ebf9d3940c8fcd85c4b1e
Instruction ID: 75121e970099a6ab6e922b8b8c0da464b49b5598dce6b11fcef1692f6ad254e9
Opcode Fuzzy Hash: c65315e1dc8641536541b11fe99fba68ca9c28ad264ebf9d3940c8fcd85c4b1e
Instruction Fuzzy Hash: 6A016230540708ABEB249BA0DD4EFA677B8FF00B16F01466DE586E14E1DBE06955CA80

Function 00A713B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00A713BF
StrokeAndFillPath.GDI32(?,?,00AABA08,00000000,?), ref: 00A713DB
SelectObject.GDI32(?,00000000), ref: 00A713EE
DeleteObject.GDI32 ref: 00A71401
StrokePath.GDI32(?), ref: 00A7141C

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 1ae715c8061685fff4b428c94e8ad85059e2c89821c2bac0283b39395b4e5fc5
Instruction ID: 04f793aeeb06fb2b39d8bbbe9789213a63a6c366e0abc31b51b49d4f66aca8cb
Opcode Fuzzy Hash: 1ae715c8061685fff4b428c94e8ad85059e2c89821c2bac0283b39395b4e5fc5
Instruction Fuzzy Hash: E7F0EC30004B08EFDB219FAAEC4CB6C3FE5AB01326F28C225E5694A0F1DB314996DF54

Function 00AC8C54 Relevance: 7.5, APIs: 5, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00AC8C5F
CloseHandle.KERNEL32(?), ref: 00AC8C74
CloseHandle.KERNEL32(?), ref: 00AC8C7C
GetProcessHeap.KERNEL32(00000000,?), ref: 00AC8C85
HeapFree.KERNEL32(00000000), ref: 00AC8C8C

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessSingleWait
String ID:
API String ID: 3751786701-0
Opcode ID: 43e027351a707b602f0165a48bfd42bf238874014750b57c1f0089568b135be7
Instruction ID: 7d410ae4bd9950e2bac5ab6309ba298b8b2fbe198c29dc22731a38b6d731e21d
Opcode Fuzzy Hash: 43e027351a707b602f0165a48bfd42bf238874014750b57c1f0089568b135be7
Instruction Fuzzy Hash: D7E0C237004002FFDA01AFE2EC0C92ABF69FF89362B148230F32986070CB329422DB54

Function 00ADC423 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00ADC4BE
CoCreateInstance.COMBASE(00B02D6C,00000000,00000001,00B02BDC,?), ref: 00ADC4D6

Part of subcall function 00A77F41: _memmove.LIBCMT ref: 00A77F82

CoUninitialize.COMBASE ref: 00ADC743

Strings

.lnk, xrefs: 00ADC452, 00ADC47A, 00ADC484

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 8b0879cc4edb075e3ac72822b441ccbc3ad047de3a14e6fee48d2117f938efa6
Instruction ID: 5083957b07c7775dc3baf9920896001f5e89d399d48f7402d9a2b3864ca1c235
Opcode Fuzzy Hash: 8b0879cc4edb075e3ac72822b441ccbc3ad047de3a14e6fee48d2117f938efa6
Instruction Fuzzy Hash: A1A11C71108205AFD300EF64CD95EABB7F8FF95354F00896DF15A971A1DB70AA09CB52

Function 00A82E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00A90F36: std::exception::exception.LIBCMT ref: 00A90F6C
Part of subcall function 00A90F36: __CxxThrowException@8.LIBCMT ref: 00A90F81

Part of subcall function 00A77F41: _memmove.LIBCMT ref: 00A77F82

Part of subcall function 00A77BB1: _memmove.LIBCMT ref: 00A77C0B

__swprintf.LIBCMT ref: 00A8302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00A82EC6

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: c4f7b203668bce7ab30e3a77edfab2de6f81188015832eb39c1583be8f5235f5
Instruction ID: c8493c77baff7f3d0f52aab058741eaf4224f9b6f77f3ee72101aae3add819b7
Opcode Fuzzy Hash: c4f7b203668bce7ab30e3a77edfab2de6f81188015832eb39c1583be8f5235f5
Instruction Fuzzy Hash: E4916D725082019FCB18FF24C995C6FB7F8EF95750F04891DF8869B2A2DA60EE44CB52

Function 00ADB9C7 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A748A1,?,?,00A737C0,?), ref: 00A748CE

CoInitialize.OLE32(00000000), ref: 00ADBA47
CoCreateInstance.COMBASE(00B02D6C,00000000,00000001,00B02BDC,?), ref: 00ADBA60
CoUninitialize.COMBASE ref: 00ADBA7D

Part of subcall function 00A79997: __itow.LIBCMT ref: 00A799C2
Part of subcall function 00A79997: __swprintf.LIBCMT ref: 00A79A0C

Strings

.lnk, xrefs: 00ADBA29, 00ADBA37

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 8be16cf84e741e5ac50d1073f3a1fb8e0ed97053b99a4723e8497936f366b2fc
Instruction ID: a4ffb29a77c4a0e08eec2b9eed038d468530f8c11a957e9c992b3b032ad2406b
Opcode Fuzzy Hash: 8be16cf84e741e5ac50d1073f3a1fb8e0ed97053b99a4723e8497936f366b2fc
Instruction Fuzzy Hash: D7A145756043019FCB10DF14C984D6ABBE5FF88324F15899AF89A9B3A1CB31ED45CB91

Function 00A9518D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00A9521D

Part of subcall function 00AA0270: __87except.LIBCMT ref: 00AA02AB

Strings

pow, xrefs: 00A951F5, 00A95212

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: ef111b9eacc106427d593880b59c7a60ebf333fb89cab8a1887692a619d88956
Instruction ID: 37cbbe43fc34dedfaeb3188453aa8982c33f8fd91c5eb9ae73abea6f8d3ca029
Opcode Fuzzy Hash: ef111b9eacc106427d593880b59c7a60ebf333fb89cab8a1887692a619d88956
Instruction Fuzzy Hash: 5F513670F0CA0197DF226B34C952BAF6BE4EB52710F248958F0958B1E5EF348CC99B56

Function 00A9017B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00A901C0
+, xrefs: 00A901B7

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 3c02581f635b190157c06d66940b543b453f7a317440b1d9319123a9224cf3b1
Instruction ID: 5ef9d1f5e73baf167d20f4bee54c79c29eadc0ae7519a4f10dded6aed1f7fe7b
Opcode Fuzzy Hash: 3c02581f635b190157c06d66940b543b453f7a317440b1d9319123a9224cf3b1
Instruction Fuzzy Hash: 4451EF75A042469FCF299F68C884FFA7BB4EF55310F558059FC919B2A0E730AC82CB60

Function 00A862F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A863A8
_memmove.LIBCMT ref: 00A86444
_memset.LIBCMT ref: 00A86468

Strings

ERCP, xrefs: 00A86313

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 43d1ddf0502e9390922961bb7b1144781d89f55ebb7604d90794b310c33915ac
Instruction ID: e1b8c67ff2df14f7fb7284d80f44edce4eede73c4d6d90933e49b32ee706e16c
Opcode Fuzzy Hash: 43d1ddf0502e9390922961bb7b1144781d89f55ebb7604d90794b310c33915ac
Instruction Fuzzy Hash: 28518171A00319DFEB24DF55CA85BAABBF4FF04714F20856EE55ACB241E771AA84CB40

Function 00AC9AB7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD17ED: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AC9558,?,?,00000034,00000800,?,00000034), ref: 00AD1817

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00AC9B01

Part of subcall function 00AD17B8: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AC9587,?,?,00000800,?,00001073,00000000,?,?), ref: 00AD17E2

Part of subcall function 00AD170F: GetWindowThreadProcessId.USER32(?,?), ref: 00AD173A
Part of subcall function 00AD170F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00AC951C,00000034,?,?,00001004,00000000,00000000), ref: 00AD174A
Part of subcall function 00AD170F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00AC951C,00000034,?,?,00001004,00000000,00000000), ref: 00AD1760

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00AC9B6E
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00AC9BBB

Strings

@, xrefs: 00AC9BD3

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 950bb622c70d2ce1a74e0371b4b7e1959607d88f7bc09077d6b864fc9a8d7083
Instruction ID: f53f9ddb18ea9300467624c5fbbbf61fcf9b96739f40b688201d9b7d30c3f58d
Opcode Fuzzy Hash: 950bb622c70d2ce1a74e0371b4b7e1959607d88f7bc09077d6b864fc9a8d7083
Instruction Fuzzy Hash: 34411B76900218BFDB10EBA4CD85EEEBBB8AF09300F114099FA55B7291DA716E45CF61

Function 00AF7978 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00AFF910,00000000,?,?,?,?), ref: 00AF7A11
GetWindowLongW.USER32 ref: 00AF7A2E
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AF7A3E

Strings

SysTreeView32, xrefs: 00AF79E3

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 9d2e9f24f9f3500fb05bb4d930217fb8b02e0bec5ed9cc2e87e1430c3191dce1
Instruction ID: 8edfdc0417a53cabd98931c15039bb800ab3e52a67d11b934e7476328c688af8
Opcode Fuzzy Hash: 9d2e9f24f9f3500fb05bb4d930217fb8b02e0bec5ed9cc2e87e1430c3191dce1
Instruction Fuzzy Hash: 6931AE3120460AABDB219FB8CC41BFA77A9AF05364F248725F9B9932E0C770A9518B50

Function 00AF740B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00AF7493
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00AF74A7
SendMessageW.USER32(?,00001002,00000000,?), ref: 00AF74CB

Strings

SysMonthCal32, xrefs: 00AF745E

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 7078b01a07554505656a20f8af03c7b08c9e9f7c5c2558b3fddbe05995a5655a
Instruction ID: 4d1e117f79309db2cf9fbb3f220ac3843be8bc70e40590184e4495e6a6096db3
Opcode Fuzzy Hash: 7078b01a07554505656a20f8af03c7b08c9e9f7c5c2558b3fddbe05995a5655a
Instruction Fuzzy Hash: C821A13250021DABDF218F94DC86FEE3BB9EF48724F110214FE59AB191DA75A851DBA0

Function 00AF6CE2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00AF6D6D
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00AF6D7D
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00AF6DA2

Strings

Listbox, xrefs: 00AF6D3A

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 81c205fff026089f0a15857e80ec89cccbece323e7ada908e99058561e5ac8de
Instruction ID: 7950e6e0ac8876e95b42559112511b9cccb43e4449230d4d457d19c96ddaffc8
Opcode Fuzzy Hash: 81c205fff026089f0a15857e80ec89cccbece323e7ada908e99058561e5ac8de
Instruction Fuzzy Hash: 01219232610118BFEF118F94DC85FBB3BBAEF89754F118124FA449B1A0CA71AC5297A0

Function 00AF7740 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00AF77A4
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00AF77B9
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00AF77C6

Strings

msctls_trackbar32, xrefs: 00AF777B

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: f8716e47de09a51d066256597436211bb928a66afeefa451257de8f1eecaa4c4
Instruction ID: 56b5a84a95e75ed4e3f8dd21bf66c8b372374ccf1e790edf73c28b83cee7bdef
Opcode Fuzzy Hash: f8716e47de09a51d066256597436211bb928a66afeefa451257de8f1eecaa4c4
Instruction Fuzzy Hash: 4811E332254208BEEF20AFA4CC45FEB7BADEF88B14F114118FB45A60E0D671A811CB20

Function 00AEC104 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AB1CB7,?), ref: 00AEC112
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00AEC124

Strings

GetSystemWow64DirectoryW, xrefs: 00AEC11E
kernel32.dll, xrefs: 00AEC10D

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: f06597b55cc0ad591b80be3e41519370105ae1545f3425a61ba5311bf469dadf
Instruction ID: e77cf546fbc5b1a2e90b660e25fffebb118768fe436722e11cd62fa325d0abc7
Opcode Fuzzy Hash: f06597b55cc0ad591b80be3e41519370105ae1545f3425a61ba5311bf469dadf
Instruction Fuzzy Hash: 75E0C278200323CFDB209FAAD808A9276E4EF09368B408539E889C2260E774C842C720

Function 00A74C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A74C2E), ref: 00A74CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A74CB5

Strings

GetNativeSystemInfo, xrefs: 00A74CAF
kernel32.dll, xrefs: 00A74C9E

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 6afdf57144ede72bfe383a15a5955bf30d0d2bc86352057190913315bb56c186
Instruction ID: b9abd4fde79dc72e33a025b72eda3f5734fbfd5d73d6f47046b624a4d3c6242f
Opcode Fuzzy Hash: 6afdf57144ede72bfe383a15a5955bf30d0d2bc86352057190913315bb56c186
Instruction Fuzzy Hash: D7D05E30510727DFDB209FF2DE5862676E5BF09791B11CC3EE98AD6250E770D880CA50

Function 00A74D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A74CE1,?), ref: 00A74DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A74DB4

Strings

Wow64RevertWow64FsRedirection, xrefs: 00A74DAE
kernel32.dll, xrefs: 00A74D9D

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 23d8323185def68bbe5de3aae848d0ff4892b3edbbd4cd42189e2a012d767ff0
Instruction ID: 281b29d6745e2b86e5a526bf9dafd5e2d8981a240058a02acc1ba0bc9a305fa0
Opcode Fuzzy Hash: 23d8323185def68bbe5de3aae848d0ff4892b3edbbd4cd42189e2a012d767ff0
Instruction Fuzzy Hash: F0D05E30550723DFEB309FB1DC59A6676E4AF09355B11CC3EE9DAD6260E770D880CA50

Function 00A74D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A74D2E,?,00A74F4F,?,00B352F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A74D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A74D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 00A74D7B
kernel32.dll, xrefs: 00A74D6A

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 1d3c149ca8c2d1ad8c67a7f3aa82874cfc0abc8a0cc4cf04c074c625e6712c31
Instruction ID: d2293a3b7c5041e8dd7f1b7f7d8be98d7e925560565b22c035bd515a2bdb84d1
Opcode Fuzzy Hash: 1d3c149ca8c2d1ad8c67a7f3aa82874cfc0abc8a0cc4cf04c074c625e6712c31
Instruction Fuzzy Hash: FCD01730610723DFDB309FB1DC4862676E8BF19352B11C93AA5CAD6260E770D880CA50

Function 00AF0E72 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00AF10C1), ref: 00AF0E80
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00AF0E92

Strings

RegDeleteKeyExW, xrefs: 00AF0E8C
advapi32.dll, xrefs: 00AF0E7B

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: b92d02e8da305c8ac48956aab58b4b0d65cbe06a02b874394ae5ddc9a2108a1d
Instruction ID: 8e57ca9e36b6c47baddc50ed155260f20464b5b5f4287e5be4d52c5a46f62bda
Opcode Fuzzy Hash: b92d02e8da305c8ac48956aab58b4b0d65cbe06a02b874394ae5ddc9a2108a1d
Instruction Fuzzy Hash: FCD01770610727CFD7309FB5D918AA676E4AF14352F118C7AA68ED2260E774C880CA50

Function 00AE91F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00AE8E09,?,00AFF910), ref: 00AE9203
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00AE9215

Strings

kernel32.dll, xrefs: 00AE91FE
GetModuleHandleExW, xrefs: 00AE920F

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 9bb7d253325685015794cc4e2658921883de5d79c0b749cc6d2079991fdec517
Instruction ID: e6d073f606dd2c4245b924f9a6bd39e7d9415d1d3f65ffce6e184a938158e78d
Opcode Fuzzy Hash: 9bb7d253325685015794cc4e2658921883de5d79c0b749cc6d2079991fdec517
Instruction Fuzzy Hash: 41D01730554727EFDB209FB2DD4865776E6AF05751F118C3AAA86D66A0EB70C880CA50

Function 00AB1A6D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00AB1A71
__swprintf.LIBCMT ref: 00AB1AA2

Strings

WIN_XPe, xrefs: 00AB1AE1
%.3d, xrefs: 00AB1A7C

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: b0376dd76089c3d0a555a2d6026966b05bd3be5556d880c4356194910ef85e80
Instruction ID: 24b122a311af9647813ba641928b3ab305a4fea97450be00654a4b4651caf832
Opcode Fuzzy Hash: b0376dd76089c3d0a555a2d6026966b05bd3be5556d880c4356194910ef85e80
Instruction Fuzzy Hash: B4D01272805119EACB04D6D18C95CF973BCAB08351F948456F50AA2041E225AB95DA21

Function 00AC74A5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8b6d890f1e404dd7e55e94c615968cc70fb1693b892112cd307d4b5ff4edb1e
Instruction ID: 6601d482d27676935e47f469dc7da659bfebe238242b4bb408da3402c2eee903
Opcode Fuzzy Hash: d8b6d890f1e404dd7e55e94c615968cc70fb1693b892112cd307d4b5ff4edb1e
Instruction Fuzzy Hash: 1FC10875A0421AEFCB14CF98C884EAEBBB5FF48714B16859CE815EB251D730ED81DB90

Function 00AEE13E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00AEE1D2
CharLowerBuffW.USER32(?,?), ref: 00AEE215

Part of subcall function 00AED8B9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00AED8D9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00AEE415
_memmove.LIBCMT ref: 00AEE428

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: d44a3e01f8b3dbb5b84966aa2f2881dfc53d4cdd2cf8fc858f5b3758c6eff6d3
Instruction ID: cfa408f194abcb330fce545a10aee1f8f5d81d9ffcceefb20d349a4e8effa067
Opcode Fuzzy Hash: d44a3e01f8b3dbb5b84966aa2f2881dfc53d4cdd2cf8fc858f5b3758c6eff6d3
Instruction Fuzzy Hash: B8C15971A083419FCB04DF29C48096ABBF4FF88754F14896EF99A9B351D731E946CB82

Function 00AE81A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00AE81D8
CoUninitialize.COMBASE ref: 00AE81E3

Part of subcall function 00ACD87B: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00ACD8E3

VariantInit.OLEAUT32(?), ref: 00AE81EE
VariantClear.OLEAUT32(?), ref: 00AE84BF

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: e1b0840b298023af1110e3f8c25dcfe24d3ea11888966d638f1cb99f86d26455
Instruction ID: c65b640fba57bf40e211c007c6a31eb6606613ac4e723a578d1fffc025c53ae0
Opcode Fuzzy Hash: e1b0840b298023af1110e3f8c25dcfe24d3ea11888966d638f1cb99f86d26455
Instruction Fuzzy Hash: 8CA146752047429FDB10DF15C981B2AB7E4FF88760F048459FA9A9B3A2CB34ED01CB86

Function 00AC7858 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.COMBASE(?,00000000), ref: 00AC7A12
CoTaskMemFree.COMBASE(00000000), ref: 00AC7A2A
CLSIDFromProgID.COMBASE(?,?), ref: 00AC7A4F
_memcmp.LIBCMT ref: 00AC7A70

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 7db42b198d91800a756c78b9b1f59173fa3f790d5b16bda5e2ff7e05edab2793
Instruction ID: 4c0572fdc2b5b8981df832043125b503cfa6e46cd81f53de578b98839c8670b6
Opcode Fuzzy Hash: 7db42b198d91800a756c78b9b1f59173fa3f790d5b16bda5e2ff7e05edab2793
Instruction Fuzzy Hash: D3810A71A00109EFCB04DF94C988EEEB7B9FF89315F218599E515AB250DB71AE06CF60

Function 00AC6BD3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AC6BE4
SysAllocString.OLEAUT32(00000000), ref: 00AC6C8D
VariantCopy.OLEAUT32 ref: 00AC6CBC
VariantClear.OLEAUT32(?), ref: 00AC6CE3

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: e95e01dc7fcc2a0d1ae4c421f2bb51a3da1b30282b7df84543da90673bc3ca7b
Instruction ID: 93fd25c2070ba2d6a614a21744e38c9de9b389a1f05c0e0c3f59b2ac99725119
Opcode Fuzzy Hash: e95e01dc7fcc2a0d1ae4c421f2bb51a3da1b30282b7df84543da90673bc3ca7b
Instruction Fuzzy Hash: B3518030704B029BDB25EF65D895F6AB3F5EF48310B21882FE59BCB2A1DA7098408B15

Function 00AF9826 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00D30C38,?), ref: 00AF9895
ScreenToClient.USER32(00000002,00000002), ref: 00AF98C8
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00AF9935

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 2e34410cc2fd0e79b53608e5c9584d252b0aa931a330c211f2967495be1a3067
Instruction ID: 3e2233431e77dc397b306b74a4fcab72ea30a2a91f6dd0348ecef7501dad97fe
Opcode Fuzzy Hash: 2e34410cc2fd0e79b53608e5c9584d252b0aa931a330c211f2967495be1a3067
Instruction Fuzzy Hash: 24513E35A00209EFCF24DFA4D980ABE7BB6FF85360F218159F9559B2A0D771AD41CB90

Function 00ADB880 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00ADB92A
GetLastError.KERNEL32(?,00000000), ref: 00ADB950
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00ADB975
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00ADB9A1

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 7e61398736ea2528875dfbcf074ff59b972d83c8558c1aa52502736b4a8f20e2
Instruction ID: 7a28605f8c0e97af87543c0d928be1f8f70afca8608d0c4a3c548b0ec2fb0291
Opcode Fuzzy Hash: 7e61398736ea2528875dfbcf074ff59b972d83c8558c1aa52502736b4a8f20e2
Instruction Fuzzy Hash: 36413839600650DFCF11EF55C984A5ABBF1EF89324B09C49AE94A9B362CB30FD01DB95

Function 00AF8883 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00AF8910

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 88cdcc21ea2829e8b215074d22f94964e025970dfc7b27ce8c84005b6c31046d
Instruction ID: 08adc44b494f3d4da2758985c0ddce8972c84939f42d88bbe87292e59bdb3c07
Opcode Fuzzy Hash: 88cdcc21ea2829e8b215074d22f94964e025970dfc7b27ce8c84005b6c31046d
Instruction Fuzzy Hash: 34319E3460110CBFEF209BD8CC85BBC37A5AB06350F644515FB51E72E1CFB9A9809A92

Function 00AFAB69 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00AFAB92
GetWindowRect.USER32(?,?), ref: 00AFAC08
PtInRect.USER32(?,?,00AFC07E), ref: 00AFAC18
MessageBeep.USER32(00000000), ref: 00AFAC89

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 347551be552dd3c186f209f56b4bd668ae4be2d01cbcd55cfe01337eef83fd16
Instruction ID: c240bee5874395ba50d090b6470eaaaf94b74be0426a17c0c78ac864bb7f722c
Opcode Fuzzy Hash: 347551be552dd3c186f209f56b4bd668ae4be2d01cbcd55cfe01337eef83fd16
Instruction Fuzzy Hash: 18415CB0600619DFCB21CFD8C884AB97BF5FF58711F2481A9FA189B265D730E946CB52

Function 00AD0E07 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00AD0E58
SetKeyboardState.USER32(00000080,?,00000001), ref: 00AD0E74
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00AD0EDA
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00AD0F2C

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 0d8eb7df485d286af2a0617012fff8685e0d9280d647b0677d014890a01932e6
Instruction ID: 5dda8ce8234a339596ae58ec9c721c286da5e022641d382bae1a4a6d6d3de25e
Opcode Fuzzy Hash: 0d8eb7df485d286af2a0617012fff8685e0d9280d647b0677d014890a01932e6
Instruction Fuzzy Hash: 9C313730940218AEFB34CB658805FFABB75EF88310F18461BF192523D1CB7589469795

Function 00AD0F42 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00AD0F97
SetKeyboardState.USER32(00000080,?,00008000), ref: 00AD0FB3
PostMessageW.USER32(00000000,00000101,00000000), ref: 00AD1012
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00AD1064

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b911c63b458b3541d318e81ddea779e15e6fb5b636d9f60cbe5e70a23c4f7a40
Instruction ID: 56da687b73e7a5cc8de1cf510dbf80dbb860f4dfcb2d5b4609bbcaeb79630905
Opcode Fuzzy Hash: b911c63b458b3541d318e81ddea779e15e6fb5b636d9f60cbe5e70a23c4f7a40
Instruction Fuzzy Hash: 59313830A40288FEFF349B65C808BFABBB5AF49311F14421BE497923D1C37889C197A1

Function 00AA6345 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00AA637B
__isleadbyte_l.LIBCMT ref: 00AA63A9
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00AA63D7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00AA640D

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 8021b684fa533733c14730825917f724ba5525f6018feccdab47647680457938
Instruction ID: 9146a91b4d650e762687df9ec0a694c277c600783ff51f3350acd369aacf47b1
Opcode Fuzzy Hash: 8021b684fa533733c14730825917f724ba5525f6018feccdab47647680457938
Instruction Fuzzy Hash: FF318E31600246AFDF218F65C984ABA7BB5FF46310F194129E8648B1D1E731D852DF60

Function 00AF4F57 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00AF4F6B

Part of subcall function 00AD3685: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00AD369F
Part of subcall function 00AD3685: GetCurrentThreadId.KERNEL32 ref: 00AD36A6
Part of subcall function 00AD3685: AttachThreadInput.USER32(00000000,?,00AD50AC), ref: 00AD36AD

GetCaretPos.USER32(?), ref: 00AF4F7C
ClientToScreen.USER32(00000000,?), ref: 00AF4FB7
GetForegroundWindow.USER32 ref: 00AF4FBD

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: a6118758747c4db1df6dad789a9ec8cf73a4672f0d3bc08c0162620ce1829276
Instruction ID: 01c2ab9074da59926db058c371dd003f607741754e52fa4f2c555e924929b1b7
Opcode Fuzzy Hash: a6118758747c4db1df6dad789a9ec8cf73a4672f0d3bc08c0162620ce1829276
Instruction Fuzzy Hash: 2F313C72D00108AFDB00EFA5CD859EFB7F9EF88300F11806AE505E7251EA759E45CBA1

Function 00AC897E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC8432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AC8449
Part of subcall function 00AC8432: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AC8453
Part of subcall function 00AC8432: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AC8462
Part of subcall function 00AC8432: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00AC8469
Part of subcall function 00AC8432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AC847F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00AC89CB
_memcmp.LIBCMT ref: 00AC89EE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AC8A24
HeapFree.KERNEL32(00000000), ref: 00AC8A2B

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 2182266621-0
Opcode ID: fa17104706ee3feab3ec68f752b56629bdc82bd98f07d3debafa285f832e9117
Instruction ID: 362805dfe0d83d426d64f01732216c45fc54c1c6f2a571ca82eefdb0865e898c
Opcode Fuzzy Hash: fa17104706ee3feab3ec68f752b56629bdc82bd98f07d3debafa285f832e9117
Instruction Fuzzy Hash: F6216972E40109EFDF10DFA4C945FAEB7B8FF44395F16405AE854A7240EB34AA05CB51

Function 00A90B0C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00A90B2E

Part of subcall function 00A75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00AD793F,?,?,00000000), ref: 00A75B8C
Part of subcall function 00A75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00AD793F,?,?,00000000,?,?), ref: 00A75BB0

_fprintf.LIBCMT ref: 00A90B65
OutputDebugStringW.KERNEL32(?), ref: 00AC6111

Part of subcall function 00A94C1A: _flsall.LIBCMT ref: 00A94C33

__setmode.LIBCMT ref: 00A90B9A

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 097088bc41dd7de4d022928528930e377143fcd0c7f8078ce1c05f9ac53932c5
Instruction ID: c988ae5115de87213ae90e4311877b680a102c32f0544a3da561ca6f9cf9d3e1
Opcode Fuzzy Hash: 097088bc41dd7de4d022928528930e377143fcd0c7f8078ce1c05f9ac53932c5
Instruction Fuzzy Hash: 12113672A042047EDF04B7B49D82EBE7BE99F49320F14816AF208A7292EF615C428795

Function 00AE187D Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00AE18B9

Part of subcall function 00AE1943: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00AE1962
Part of subcall function 00AE1943: InternetCloseHandle.WININET(00000000), ref: 00AE19FF

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: e528458523ebb440946a8abdf7a1dfb8ff139acac97693a4bdccf44ada2c20d7
Instruction ID: 84d652bfa579e9496c3fa74c61d1c2f6997d1ec396f9ec712e5bef4b9e53a2b0
Opcode Fuzzy Hash: e528458523ebb440946a8abdf7a1dfb8ff139acac97693a4bdccf44ada2c20d7
Instruction Fuzzy Hash: 0621F071200755BFEB119FA29D10FBAB7ADFF48700F10402AFA5596651DB31E811D7A0

Function 00AD3A6E Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00AFFAC0), ref: 00AD3AA8
GetLastError.KERNEL32 ref: 00AD3AB7
CreateDirectoryW.KERNEL32(?,00000000), ref: 00AD3AC6
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00AFFAC0), ref: 00AD3B23

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: cfc5e082a6ca98c1c6433f34d4b320e1bac6b86c057707ec6f6bdee7116e85d2
Instruction ID: a2b23ee975844c06c2a83c517e60c9f93c94ae9d9050fc0c7274a1d3db19d7fa
Opcode Fuzzy Hash: cfc5e082a6ca98c1c6433f34d4b320e1bac6b86c057707ec6f6bdee7116e85d2
Instruction Fuzzy Hash: D82194316083059F8710DF64C9808AAB7E4EE55754F148A6BF49AC73A1D731DE46CB83

Function 00AA5262 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00AA5281

Part of subcall function 00A9588C: __FF_MSGBANNER.LIBCMT ref: 00A958A3
Part of subcall function 00A9588C: __NMSG_WRITE.LIBCMT ref: 00A958AA
Part of subcall function 00A9588C: RtlAllocateHeap.NTDLL(00D10000,00000000,00000001), ref: 00A958CF

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: c5f6ce60be3af2ec0def5e1a90ffafbc7480cd8eef73948eb1af2c8a04df599d
Instruction ID: 34c60f88b4072a87ef197c59ac6f71736ede5965ffaf0dc9612b626c656e469d
Opcode Fuzzy Hash: c5f6ce60be3af2ec0def5e1a90ffafbc7480cd8eef73948eb1af2c8a04df599d
Instruction Fuzzy Hash: 5011A732E01A15AFDF252FB0AD057AE37D8AF06360B20453AF9059B190DF3889448B59

Function 00A74531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A74560

Part of subcall function 00A7410D: _memset.LIBCMT ref: 00A7418D
Part of subcall function 00A7410D: _wcscpy.LIBCMT ref: 00A741E1
Part of subcall function 00A7410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A741F1

KillTimer.USER32(?,00000001,?,?), ref: 00A745B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A745C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00AAD5FE

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 8a57a9ccaafde0a017f61bf1313cc9832a6560df5d73c30d5ac5ea7b4b05618a
Instruction ID: d9af24a6bb7949377ca7e7cbb75fd12355909bbeb54702f813973c5af92f6a4d
Opcode Fuzzy Hash: 8a57a9ccaafde0a017f61bf1313cc9832a6560df5d73c30d5ac5ea7b4b05618a
Instruction Fuzzy Hash: 2621C2B0904784AFEB328B648C55BE7BBEC9F06308F04809EE69E57281D7746E85CB51

Function 00AC88D9 Relevance: 6.1, APIs: 4, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00AC890A
OpenProcessToken.ADVAPI32(00000000), ref: 00AC8911
CloseHandle.KERNEL32(00000004), ref: 00AC892B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00AC895A

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: 1535993b7a69fe0a906ae4782efcbc188b22b58f4b735a228b6e06fea7bcc5aa
Instruction ID: d616b6551174c66963b78c1e393af67f8bb58c914847309ca6720ddb638da680
Opcode Fuzzy Hash: 1535993b7a69fe0a906ae4782efcbc188b22b58f4b735a228b6e06fea7bcc5aa
Instruction Fuzzy Hash: DE114A72500209AFDB01CFE8DD49FEA7BA9FF08348F054068FE04A2160C7768D61DB61

Function 00AE647F Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00AD793F,?,?,00000000), ref: 00A75B8C
Part of subcall function 00A75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00AD793F,?,?,00000000,?,?), ref: 00A75BB0

gethostbyname.WS2_32(?), ref: 00AE64AF
WSAGetLastError.WS2_32(00000000), ref: 00AE64BA
_memmove.LIBCMT ref: 00AE64E7
inet_ntoa.WS2_32(?), ref: 00AE64F2

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 9a6fc3ef5548efbd8cce81ed2f985247f9f6cd03b623e36c3cef99be3fd86b80
Instruction ID: ee7aabe5a5d06eb05fd06b90643a934c374cea4cce3991c0dfcdb40dfb8b6af3
Opcode Fuzzy Hash: 9a6fc3ef5548efbd8cce81ed2f985247f9f6cd03b623e36c3cef99be3fd86b80
Instruction Fuzzy Hash: 5B115E31900108AFCB04EBE4DE86DAEB7B8AF58350B148065F50AA7261DF70AE04CBA1

Function 00AC8E03 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00AC8E23
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AC8E35
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AC8E4B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AC8E66

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1379e3c52bb91ea28d82fed1b4b62bbbbd0966008781c85ce65cd353a7353a94
Instruction ID: 17a0544f360a5bae448fdb2eb9e58d6ea91f9f3b8b1c2456d0453c7935abe2ff
Opcode Fuzzy Hash: 1379e3c52bb91ea28d82fed1b4b62bbbbd0966008781c85ce65cd353a7353a94
Instruction Fuzzy Hash: 59114879900218FFEB10DFA5C884FADBBB8FF08710F214095E900B7290DA71AE10DB94

Function 00AD1473 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00AD001E,?,00AD1071,?,00008000), ref: 00AD1490
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00AD001E,?,00AD1071,?,00008000), ref: 00AD14B5
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00AD001E,?,00AD1071,?,00008000), ref: 00AD14BF
Sleep.KERNEL32(?,?,?,?,?,?,?,00AD001E,?,00AD1071,?,00008000), ref: 00AD14F2

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 709ea65f7bce8d29a94b44edf030b27309ac4739aa79645bb826928df3fff8ba
Instruction ID: 5ecdda6121dbebf40dc3fb4f629a483d0f83395797d55e9c21fd99eb3a0ea059
Opcode Fuzzy Hash: 709ea65f7bce8d29a94b44edf030b27309ac4739aa79645bb826928df3fff8ba
Instruction Fuzzy Hash: 85112AB2D00529EBCF00DFE5D988AEEBB78FF09751F014156EA46B6340CB309551CB95

Function 00AA7137 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00AA715B

Part of subcall function 00AA7842: __fltout2.LIBCMT ref: 00AA786B

__cftog_l.LIBCMT ref: 00AA7181
__cftoe_l.LIBCMT ref: 00AA71B3

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 08b1706a449c89b57afb6d53a3f326d744e00ce359c7812389836ccfa407fc55
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 7901483214814ABBCF125F84CC058EE3FA6BF1A394B598615FE585A171D336C9B2AB81

Function 00AFB2F9 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00AFB318
ScreenToClient.USER32(?,?), ref: 00AFB330
ScreenToClient.USER32(?,?), ref: 00AFB354
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00AFB36F

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 826043f7ce511f051eecd834ae0c05189ccba1ec9d7e80c0127f30cdfd96aec6
Instruction ID: f85dc5141c9091dcc9b1673493175ca719a05b41546db8263ad08c34d3118f35
Opcode Fuzzy Hash: 826043f7ce511f051eecd834ae0c05189ccba1ec9d7e80c0127f30cdfd96aec6
Instruction Fuzzy Hash: 71113475D00249EFDB41CFD8C4849EEBBB5FF08210F104166E914E3620D735AA55CF50

Function 00AFB669 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AFB678
_memset.LIBCMT ref: 00AFB687
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00B36F20,00B36F64), ref: 00AFB6B6
CloseHandle.KERNEL32 ref: 00AFB6C8

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 54fbe6fa2df031edce158cebb02316dc092f7c880000d6c35ab2e0faea7f0945
Instruction ID: 8b388ac28ba960c7794c02fcb48fa17dacc21b408ff15d9711945085572af9e7
Opcode Fuzzy Hash: 54fbe6fa2df031edce158cebb02316dc092f7c880000d6c35ab2e0faea7f0945
Instruction Fuzzy Hash: F4F0FEB6640308BFE61067A5BC46FBB7BACEB09754F108025BA08DA1A6DB755C1087B8

Function 00AD6C83 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00AD6C8F

Part of subcall function 00AD776D: _memset.LIBCMT ref: 00AD77A2

_memmove.LIBCMT ref: 00AD6CB2
_memset.LIBCMT ref: 00AD6CBF
RtlLeaveCriticalSection.NTDLL(?), ref: 00AD6CCF

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 55c34354c72f7c9ff7ee1c62976554a59421ad75f996dd648e06220320b998c8
Instruction ID: 7a6fc079f3158d769f6735ef02a28b05f26d2cbdef55d3cb320ab3d24020e070
Opcode Fuzzy Hash: 55c34354c72f7c9ff7ee1c62976554a59421ad75f996dd648e06220320b998c8
Instruction Fuzzy Hash: 05F05E3A200104AFCF016F95DD85E8ABB6AEF45320F048065FE095E22AC731A912CBB4

Function 00ACA15C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00ACA179
GetWindowThreadProcessId.USER32(?,00000000), ref: 00ACA18C
GetCurrentThreadId.KERNEL32 ref: 00ACA193
AttachThreadInput.USER32(00000000), ref: 00ACA19A

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 0b7b833f0c7240f437488422c23202bec0585e184893fb8b6b5c47d3245d5d0d
Instruction ID: bc8c076f3b7a268ef863321e3f241df0e2433431e30551bd0926e8e2798ead01
Opcode Fuzzy Hash: 0b7b833f0c7240f437488422c23202bec0585e184893fb8b6b5c47d3245d5d0d
Instruction Fuzzy Hash: CAE0A531545268BADB209BE2DC0DFE77F5CEF267A1F458129B609D90A0CA718941CBA1

Function 00A72218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A72231
SetTextColor.GDI32(?,000000FF), ref: 00A7223B
SetBkMode.GDI32(?,00000001), ref: 00A72250
GetStockObject.GDI32(00000005), ref: 00A72258
GetWindowDC.USER32(?,00000000), ref: 00AAC003
GetPixel.GDI32(00000000,00000000,00000000), ref: 00AAC010
GetPixel.GDI32(00000000,?,00000000), ref: 00AAC029
GetPixel.GDI32(00000000,00000000,?), ref: 00AAC042
GetPixel.GDI32(00000000,?,?), ref: 00AAC062
ReleaseDC.USER32(?,00000000), ref: 00AAC06D

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 1669e2609035c7a95d7b0a8d3e64a80898ea870d35a6276369e2b68afd69a304
Instruction ID: 69d962b7d5a9ca0c3755a1c56e8c5a548d4e42e0259e3b253d5e8e14005e3e5e
Opcode Fuzzy Hash: 1669e2609035c7a95d7b0a8d3e64a80898ea870d35a6276369e2b68afd69a304
Instruction Fuzzy Hash: E7E0C932504244EEEF219FE4EC4D7E83B14EF56336F148366FA69980E187728A91DB25

Function 00AC8A3A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00AC8A43
OpenThreadToken.ADVAPI32(00000000,?,?,?,00AC860E), ref: 00AC8A4A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00AC860E), ref: 00AC8A57
OpenProcessToken.ADVAPI32(00000000,?,?,?,00AC860E), ref: 00AC8A5E

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: b1d17fb3e1851bcfd596534ea8900debeb1befaf22d63b10f811005806a06c8d
Instruction ID: 0fb7896cc317a3e4a8a5aa0e16df5fb9ae246e78ccf7e80870f966aa91bcc837
Opcode Fuzzy Hash: b1d17fb3e1851bcfd596534ea8900debeb1befaf22d63b10f811005806a06c8d
Instruction Fuzzy Hash: CCE08636641211DFD7209FF06D0CFA63BACFF507D2F064838B645CA040EA349542C750

Function 00AB20B6 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00AB20B6
GetDC.USER32(00000000), ref: 00AB20C0
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00AB20E0
ReleaseDC.USER32(?), ref: 00AB2101

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 392cb3a6e67a4d7d80c7394d58deda63e9a79465eb71d9deeb9f319f8dfca074
Instruction ID: 4a0083c0a9c328843d6859e82b07551103514e5925eb81f704683cca2e3f1b7e
Opcode Fuzzy Hash: 392cb3a6e67a4d7d80c7394d58deda63e9a79465eb71d9deeb9f319f8dfca074
Instruction Fuzzy Hash: 6DE0C275800204EFCB51AFE088486AEBBB5AF48350F10C02AE85AD6221DB388542DF40

Function 00AB20CA Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00AB20CA
GetDC.USER32(00000000), ref: 00AB20D4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00AB20E0
ReleaseDC.USER32(?), ref: 00AB2101

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 992eec224bb0930b801e47806ef0ae16baa65cce7a29e74a543c704b30a8b839
Instruction ID: 0dbc30daa1ca5bcf45658e4b46552d58f5b47d088b17e7aed4d8db565aa3f436
Opcode Fuzzy Hash: 992eec224bb0930b801e47806ef0ae16baa65cce7a29e74a543c704b30a8b839
Instruction Fuzzy Hash: 03E0CAB5800204AFCB519FE088486AEBBB1AF48360B108029E95AE6220DB389142DF40

Function 00ACB5B5 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00ACB780

Strings

AutoIt3GUI, xrefs: 00ACB6F8
Container, xrefs: 00ACB6FD

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 5482f8bbf19d0746857d288ac1b106cf22e36adaf2f049469f79cce129e52d6b
Instruction ID: 8440641410b3d3773354469dd85b4c61b4fa8fdb5bc27411f121e67a15779a46
Opcode Fuzzy Hash: 5482f8bbf19d0746857d288ac1b106cf22e36adaf2f049469f79cce129e52d6b
Instruction Fuzzy Hash: 26913970610601AFDB14DF68C895F66BBF8FF48710F15856DE94ACB6A1DBB1E840CB60

Function 00ADB038 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8FE06: _wcscpy.LIBCMT ref: 00A8FE29

Part of subcall function 00A79997: __itow.LIBCMT ref: 00A799C2
Part of subcall function 00A79997: __swprintf.LIBCMT ref: 00A79A0C

__wcsnicmp.LIBCMT ref: 00ADB0B9
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00ADB182

Strings

LPT, xrefs: 00ADB0B3

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 226839ffc0ddec7c1011a432a2d9ffe2971b95e8e3eb9250eacb5d7b66402bc5
Instruction ID: f727d65a2f71e7259c63e8293d1215e110a7a4bf4ebeb2c324ca8c18b1316632
Opcode Fuzzy Hash: 226839ffc0ddec7c1011a432a2d9ffe2971b95e8e3eb9250eacb5d7b66402bc5
Instruction Fuzzy Hash: 06619276A10215EFCB14DF94C991EAEB7F4EF48310F05816AF546AB391DB70AE40CBA0

Function 00A82AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00A82AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00A82AE1

Strings

@, xrefs: 00A82AD5

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 9421114234b0a51e55769624f6c8cc8f597d4c018f727b95a584b0ebb0b0d797
Instruction ID: 99252fd8a760f128cabfd0c5785c73ceeefbb646b1a7bf3f9316b981c89b841a
Opcode Fuzzy Hash: 9421114234b0a51e55769624f6c8cc8f597d4c018f727b95a584b0ebb0b0d797
Instruction Fuzzy Hash: EE5145724187449BD320AF10DC86BABBBF8FF85354F81885EF1D9411A1DB30852ACB6A

Function 00AD97DD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00A7506B: __fread_nolock.LIBCMT ref: 00A75089

_wcscmp.LIBCMT ref: 00AD98CD
_wcscmp.LIBCMT ref: 00AD98E0

Strings

FILE, xrefs: 00AD9819

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: b46a816d89ce74c255f410d0b98eafe0246ba6856a8fa56edc83dc0e13bc3101
Instruction ID: 7e1783ea4eb887922bfef341690e763f4d2d08653c13874cc72b8127312f3965
Opcode Fuzzy Hash: b46a816d89ce74c255f410d0b98eafe0246ba6856a8fa56edc83dc0e13bc3101
Instruction Fuzzy Hash: 0C41D571A0061ABEDF219FA0CC85FEFB7BDDF45710F00847AB905A7291DAB19D0587A1

Function 00AE26A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AE26B4
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00AE26EA

Strings

|, xrefs: 00AE26BB

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: c336cdec5389eee169fabbed3042818bb7105a8b38489e14d37a6573277b9143
Instruction ID: 3fc802f57aa7ab443ddd0680aee4214e0c8333a9bb6c98f282d2a62ac31b429d
Opcode Fuzzy Hash: c336cdec5389eee169fabbed3042818bb7105a8b38489e14d37a6573277b9143
Instruction Fuzzy Hash: 82310671800119AFCF01EFA5CD85EEEBFB9FF08310F108069F819A6166EB315A56DB61

Function 00AF7AA3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00AF7B93
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00AF7BA8

Strings

', xrefs: 00AF7AFC

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 8e001eb90b2824f33a2e65a26ff6508c4cf79d4f1980538cb1e12ba323c0f554
Instruction ID: 25f061cd4b4d01a3eb0a6516a0c4f894e1b8fef14e47b7330d41eb9b1bebfac0
Opcode Fuzzy Hash: 8e001eb90b2824f33a2e65a26ff6508c4cf79d4f1980538cb1e12ba323c0f554
Instruction Fuzzy Hash: 4F410774A052099FDB14DFA9C881BEEBBB5FF09340F10416AEA05AB391D770A951CF90

Function 00AF6A95 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00AF6B49
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00AF6B85

Strings

static, xrefs: 00AF6AE5

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 9739f0988d27cd0bc6d49791abfe2933fb123ee47d42c15a43d9d65739e56d08
Instruction ID: 32404dbbf679cdd69f2974bc0db81d3d60084ca5460f0c0b4aa1918a5aa125fe
Opcode Fuzzy Hash: 9739f0988d27cd0bc6d49791abfe2933fb123ee47d42c15a43d9d65739e56d08
Instruction Fuzzy Hash: 87314F71110608AEDB10DFA4CC81AFB77B9FF48764F109519F999D7190DB31AC51D760

Function 00AD2B9A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AD2C09
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00AD2C44

Strings

0, xrefs: 00AD2C02

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: d831156d4f5540f24d0df5cd1158119780e962639bf4daae1ed86069a111447a
Instruction ID: 772c64d0517e5b67bfe558656a27b130e14ab3c6a06d74c08d7117580b5ef4d5
Opcode Fuzzy Hash: d831156d4f5540f24d0df5cd1158119780e962639bf4daae1ed86069a111447a
Instruction Fuzzy Hash: E631A5316102099FEB34CF58D985BAEBBF9EF15351F14401AE986A73A0E7709E44CB50

Function 00AE3AFF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00AE3B7C

Part of subcall function 00A77F41: _memmove.LIBCMT ref: 00A77F82

Strings

AUTOITCALLVARIABLE%d, xrefs: 00AE3B6E
, $, xrefs: 00AE3BBC

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: a2b2c7de61a680fd694357f428cdaa09dadf66fc3684b1e0221ca7052d184b66
Instruction ID: cf9a8432cf18ab382ce85ddd9b6589eae8683d484f0b437e4434454583bd4919
Opcode Fuzzy Hash: a2b2c7de61a680fd694357f428cdaa09dadf66fc3684b1e0221ca7052d184b66
Instruction Fuzzy Hash: 4C217131600228ABCF10EF65DD86EAE77B5FF48700F508499F409AB281DB30EE45CBA1

Function 00AF6706 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00AF6793
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AF679E

Strings

Combobox, xrefs: 00AF6760

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 6146e921020d009b51e1cdc8d91db7d224b76d2fcd6f5735de225cf73ef674b9
Instruction ID: 7277dd66e3e0cece20660194b99d071cc55022ecf7fa0be7cdbd7f97d9148894
Opcode Fuzzy Hash: 6146e921020d009b51e1cdc8d91db7d224b76d2fcd6f5735de225cf73ef674b9
Instruction Fuzzy Hash: 9611987530020DAFEF21DF94DD81EFB376AEB44368F104125FA1897294D6319C519760

Function 00AF6C39 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00A71D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A71D73
Part of subcall function 00A71D35: GetStockObject.GDI32(00000011), ref: 00A71D87
Part of subcall function 00A71D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A71D91

GetWindowRect.USER32(00000000,?), ref: 00AF6CA3
GetSysColor.USER32(00000012), ref: 00AF6CBD

Strings

static, xrefs: 00AF6C80

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: b1e3e4946513ca92f2ac74dac4a3b354fa3b64a91ca6867957cb04b1d8c1e20b
Instruction ID: e8d67a90595b4f5dc08d56b6ca0c333abc16fcb3e39660d36e7466f1aea9044e
Opcode Fuzzy Hash: b1e3e4946513ca92f2ac74dac4a3b354fa3b64a91ca6867957cb04b1d8c1e20b
Instruction Fuzzy Hash: D7212972510209AFDB14DFE8DC45AFA7BB8FB08314F004629FA95D3251DA35E861DB60

Function 00AF6952 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00AF69D4
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00AF69E3

Strings

edit, xrefs: 00AF69B8

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: f60839d20b65e2a6c6c30a2f76e13b12cc54fb7ebac6b548ca9711c34b239b6c
Instruction ID: 03a5a4d7119ebc316ae3171340f2f6ee0bd827c3e59faabf9895563249e44b5f
Opcode Fuzzy Hash: f60839d20b65e2a6c6c30a2f76e13b12cc54fb7ebac6b548ca9711c34b239b6c
Instruction Fuzzy Hash: 86113D71500108AFEF109FB4DD84AFB3B69EF053A4F604724FAA5971D4CBB19C519B60

Function 00AD2CA7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AD2D1A
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00AD2D39

Strings

0, xrefs: 00AD2D10

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: d47c2c8d65a3cc7a6e51143df7d338b0e1743c4264b6526c4669fb4bc60a6581
Instruction ID: 210c4d3f0d37fe70c2f4285889c0ad32f5056b26fb4bca2cea061907e8d8058c
Opcode Fuzzy Hash: d47c2c8d65a3cc7a6e51143df7d338b0e1743c4264b6526c4669fb4bc60a6581
Instruction Fuzzy Hash: 29110831D01114ABCB20DB98DC84B9D77BAAB25300F140167EC56EB3A0D730ED06D7A1

Function 00AE22EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00AE2342
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00AE236B

Strings

<local>, xrefs: 00AE2333

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 5ba5e00c470406f0819f4ab84414661b9e0d3e6b435950855b1eab15eb21e8fa
Instruction ID: 0f9a890512895b3184b3f6c0c33f9794b0b1994b8147b58265a3f59c872b34b9
Opcode Fuzzy Hash: 5ba5e00c470406f0819f4ab84414661b9e0d3e6b435950855b1eab15eb21e8fa
Instruction Fuzzy Hash: 6311AC705016A6BADB248F538C89FFBFBACEF16351F10822AF9495A000D2746991CBF0

Function 00AC90C7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A77F41: _memmove.LIBCMT ref: 00A77F82

Part of subcall function 00ACAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00ACAEC7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00AC9135

Strings

ListBox, xrefs: 00AC90FF
ComboBox, xrefs: 00AC90D4

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 964f6c71059502e39c7517bc57f9f10472ae7aba0a386b646a234822d313770e
Instruction ID: c76ce3f4ef363599881ad2c30acc7a3babf7c5e4cb1becdaa37f4e2981c95804
Opcode Fuzzy Hash: 964f6c71059502e39c7517bc57f9f10472ae7aba0a386b646a234822d313770e
Instruction Fuzzy Hash: BD014530A44229ABCB04EBA4CC9ADFE3368EF06320B14475DF836672D1DE311808C250

Function 00AD8E3A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AD8E55
__fread_nolock.LIBCMT ref: 00AD8E6A

Strings

EA06, xrefs: 00AD8E9C

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 1f1d9202fe004ae068905e95c4b1984a0b0178ef7e18d571092c3719bbc7fc47
Instruction ID: ec3547a577ce45b3b0aeaa1a68a57e0d36de9f7952722f2b1c39c14494c2e288
Opcode Fuzzy Hash: 1f1d9202fe004ae068905e95c4b1984a0b0178ef7e18d571092c3719bbc7fc47
Instruction Fuzzy Hash: 4401F972D042286EDF28C7A8CC16EEEBBF8DB05301F00459BF552D2181E9B4E6048B60

Function 00AC8FBF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A77F41: _memmove.LIBCMT ref: 00A77F82

Part of subcall function 00ACAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00ACAEC7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00AC902D

Strings

ListBox, xrefs: 00AC8FF7
ComboBox, xrefs: 00AC8FCC

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 3cf302e07d1e2b771b0c5cec34562660d00a35caaf3ff3c15a556ca5867e8088
Instruction ID: e203cf449e20383f7e1f463604db89a4b92fc91ec745cce2fe67b3f96cabb19d
Opcode Fuzzy Hash: 3cf302e07d1e2b771b0c5cec34562660d00a35caaf3ff3c15a556ca5867e8088
Instruction Fuzzy Hash: 05012B71A411186BCB14E7A4CE96FFF77ACDF05340F25406DB80667291DE255F08D2B1

Function 00AC9044 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A77F41: _memmove.LIBCMT ref: 00A77F82

Part of subcall function 00ACAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00ACAEC7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00AC90B0

Strings

ListBox, xrefs: 00AC907C
ComboBox, xrefs: 00AC9051

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 1db6befad19719e7ed2a9770f7c2a8021ba5be7f7f6764fee9637c7224850a4c
Instruction ID: b626544f4bce1e17e9a74826933571d74525ec9cd5655ba5a25ff8e153156439
Opcode Fuzzy Hash: 1db6befad19719e7ed2a9770f7c2a8021ba5be7f7f6764fee9637c7224850a4c
Instruction Fuzzy Hash: 5B012671A41118ABCB00E7A4CE8AFFF77ACDF14340F258069B80673292DE255E09D2B2

Function 00AD4FCF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00AD4FED
_wcscmp.LIBCMT ref: 00AD4FFF

Strings

#32770, xrefs: 00AD4FF9

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 93195548105657c383a396cf630b5f0ef0358a4881a152884f8d35f11111eadf
Instruction ID: 2d2db30d12a3b6b13e64536da0c0209e6d9119e5fdf7ce1d668df66e62d15d8c
Opcode Fuzzy Hash: 93195548105657c383a396cf630b5f0ef0358a4881a152884f8d35f11111eadf
Instruction Fuzzy Hash: E0E09232A002296ADB20ABA9AC09EA7F7ECEB55761F010067BD04D3151D9609A4587E5

Function 00AAB441 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00AAB494: _memset.LIBCMT ref: 00AAB4A1

Part of subcall function 00A90AC0: InitializeCriticalSectionAndSpinCount.KERNEL32(00B34158,00000000,00B34144,00AAB470,?,?,?,00A7100A), ref: 00A90AC5

IsDebuggerPresent.KERNEL32(?,?,?,00A7100A), ref: 00AAB474
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00A7100A), ref: 00AAB483

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00AAB47E

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: b36fd91e0260c33635db1c48e235fffb5617afb3223f29e53dca4eea076019ff
Instruction ID: 838845fcbddaeb06a74282bc3b4685c6d2ef1f0955bef982adc5c8a1cc807ac0
Opcode Fuzzy Hash: b36fd91e0260c33635db1c48e235fffb5617afb3223f29e53dca4eea076019ff
Instruction Fuzzy Hash: 90E065712107108FD730DFA8E904B967BE0AF08344F01CA6CE896C7792EBB5E485CBA1

Function 00AF59CD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00AF59D7
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00AF59EA

Part of subcall function 00AD52EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AD5363

Strings

Shell_TrayWnd, xrefs: 00AF59D0

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 408efe74f9c2d84538e27166609503a9d69014c7ff3db9be8c93766b723d9dae
Instruction ID: 12c0cf212c9e50cbb078d6f8617e6379c769b9fa902e7e8545accc912516f5b4
Opcode Fuzzy Hash: 408efe74f9c2d84538e27166609503a9d69014c7ff3db9be8c93766b723d9dae
Instruction Fuzzy Hash: A5D0C935784311BAE6A4ABB0AC1BFE66A54AF10B50F000825B25AAA2E0C9E4A805C654

Function 00AF5A01 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00AF5A17
PostMessageW.USER32(00000000), ref: 00AF5A1E

Part of subcall function 00AD52EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AD5363

Strings

Shell_TrayWnd, xrefs: 00AF5A10

Memory Dump Source

Source File: 00000000.00000002.2041885572.0000000000A71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.2041856289.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B24000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041885572.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042055506.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042075287.0000000000B9A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_INVOICE.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 8b9e29d86b207d4a71bb37544128469110a6849c5b77fa2b6189fda865046fef
Instruction ID: e40c70932866f9cdf011093bd0eedcf9f3ee6a41703f958878ab307572f662eb
Opcode Fuzzy Hash: 8b9e29d86b207d4a71bb37544128469110a6849c5b77fa2b6189fda865046fef
Instruction Fuzzy Hash: 40D0C9317813117AE6A4ABB0AC0BFE66654AB14B50F000825B256EA2E0C9E4A805C654

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report INVOICE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut15A9.tmp

C:\Users\user\AppData\Local\Temp\spiketop

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
INVOICE.exe

Function 00A73B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00A73633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
timewindowregistryCOMMON

Function 00A74AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00A74FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00B99A00 Relevance: 7.7, APIs: 5, Instructions: 206
librarymemoryloaderCOMMON

Function 00AD91FE Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00A771EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00A73A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00A73778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 00A73025 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 65
registrywindowclipboardCOMMON

Function 00A73041 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 54
registrywindowclipboardCOMMON

Function 00CE2600 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00A739E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00CE23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 153
fileCOMMON

Function 00A769CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre