Edit tour

Windows Analysis Report
Invoice OMS.132.2024 - S10.08 (2).exe

Overview

General Information

Sample name:	Invoice OMS.132.2024 - S10.08 (2).exe
Analysis ID:	1559978
MD5:	b95f3f7fde33104937c0decb1ca3578a
SHA1:	0709d05a21c6d1237e52d112a3d6906da35b55b6
SHA256:	94a0c046ffd2adb16f5860458b2bf453324ff531267e8ddb8e187a98a8dd6e4c
Tags:	exeuser-lowmal3
Infos:

Detection

FormBook

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evaded block containing many API calls

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Invoice OMS.132.2024 - S10.08 (2).exe (PID: 7288 cmdline: "C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe" MD5: B95F3F7FDE33104937C0DECB1CA3578A)

svchost.exe (PID: 7504 cmdline: "C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1493926467.0000000000620000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1493721577.0000000000410000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.410000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.410000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe", CommandLine: "C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe", ParentImage: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe, ParentProcessId: 7288, ParentProcessName: Invoice OMS.132.2024 - S10.08 (2).exe, ProcessCommandLine: "C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe", ProcessId: 7504, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe", CommandLine: "C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe", ParentImage: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe, ParentProcessId: 7288, ParentProcessName: Invoice OMS.132.2024 - S10.08 (2).exe, ProcessCommandLine: "C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe", ProcessId: 7504, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Invoice OMS.132.2024 - S10.08 (2).exe	ReversingLabs: Detection: 44%
Source: Invoice OMS.132.2024 - S10.08 (2).exe	Virustotal: Detection: 28%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1493926467.0000000000620000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1493721577.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Invoice OMS.132.2024 - S10.08 (2).exe

Joe Sandbox ML: detected

Source: Invoice OMS.132.2024 - S10.08 (2).exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: Invoice OMS.132.2024 - S10.08 (2).exe, 00000000.00000003.1305344009.0000000003570000.00000004.00001000.00020000.00000000.sdmp, Invoice OMS.132.2024 - S10.08 (2).exe, 00000000.00000003.1296547878.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1450928280.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1453537095.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1494195041.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1494195041.000000000319E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Invoice OMS.132.2024 - S10.08 (2).exe, 00000000.00000003.1305344009.0000000003570000.00000004.00001000.00020000.00000000.sdmp, Invoice OMS.132.2024 - S10.08 (2).exe, 00000000.00000003.1296547878.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1450928280.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1453537095.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1494195041.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1494195041.000000000319E000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B16CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B16CA9
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B160DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_00B160DD
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B163F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_00B163F9
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B1EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B1EB60
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B1F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B1F5FA
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B1F56F FindFirstFileW,FindClose,	0_2_00B1F56F
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B21B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B21B2F
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B21C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B21C8A
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B21F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B21F94

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00B24EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00B24EB5

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00B26B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00B26B0C

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00B26D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00B26D07

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

0_2_00B26B0C

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00B12B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00B12B37

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00B3F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00B3F7FF

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1493926467.0000000000620000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1493721577.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: This is a third-party compiled AutoIt script.	0_2_00AD3D19
Source: Invoice OMS.132.2024 - S10.08 (2).exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Invoice OMS.132.2024 - S10.08 (2).exe, 00000000.00000000.1280281470.0000000000B7E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_3de21ef3-c
Source: Invoice OMS.132.2024 - S10.08 (2).exe, 00000000.00000000.1280281470.0000000000B7E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_0248dd6b-d
Source: Invoice OMS.132.2024 - S10.08 (2).exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a434adac-6
Source: Invoice OMS.132.2024 - S10.08 (2).exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_0b288764-3

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Invoice OMS.132.2024 - S10.08 (2).exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0043CA93 NtClose,	2_2_0043CA93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072B60 NtClose,LdrInitializeThunk,	2_2_03072B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03072DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030735C0 NtCreateMutant,LdrInitializeThunk,	2_2_030735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03074340 NtSetContextThread,	2_2_03074340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03074650 NtSuspendThread,	2_2_03074650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072B80 NtQueryInformationFile,	2_2_03072B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072BA0 NtEnumerateValueKey,	2_2_03072BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072BE0 NtQueryValueKey,	2_2_03072BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072BF0 NtAllocateVirtualMemory,	2_2_03072BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072AB0 NtWaitForSingleObject,	2_2_03072AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072AD0 NtReadFile,	2_2_03072AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072AF0 NtWriteFile,	2_2_03072AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072F30 NtCreateSection,	2_2_03072F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072F60 NtCreateProcessEx,	2_2_03072F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072F90 NtProtectVirtualMemory,	2_2_03072F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072FA0 NtQuerySection,	2_2_03072FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072FB0 NtResumeThread,	2_2_03072FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072FE0 NtCreateFile,	2_2_03072FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072E30 NtWriteVirtualMemory,	2_2_03072E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072E80 NtReadVirtualMemory,	2_2_03072E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072EA0 NtAdjustPrivilegesToken,	2_2_03072EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072EE0 NtQueueApcThread,	2_2_03072EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072D00 NtSetInformationFile,	2_2_03072D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072D10 NtMapViewOfSection,	2_2_03072D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072D30 NtUnmapViewOfSection,	2_2_03072D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072DB0 NtEnumerateKey,	2_2_03072DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072DD0 NtDelayExecution,	2_2_03072DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072C00 NtQueryInformationProcess,	2_2_03072C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072C60 NtCreateKey,	2_2_03072C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072C70 NtFreeVirtualMemory,	2_2_03072C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072CA0 NtQueryInformationToken,	2_2_03072CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072CC0 NtQueryVirtualMemory,	2_2_03072CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072CF0 NtOpenProcess,	2_2_03072CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073010 NtOpenDirectoryObject,	2_2_03073010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073090 NtSetValueKey,	2_2_03073090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030739B0 NtGetContextThread,	2_2_030739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073D10 NtOpenProcessToken,	2_2_03073D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073D70 NtOpenThread,	2_2_03073D70

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00B16685: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00B16685

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00B0AF64 GetCurrentProcess,OpenProcessToken,CreateEnvironmentBlock,CloseHandle,CreateProcessWithLogonW,DestroyEnvironmentBlock,

0_2_00B0AF64

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00B179D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00B179D3

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00AFB043	0_2_00AFB043
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00AE3200	0_2_00AE3200
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00AE3B70	0_2_00AE3B70
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B0410F	0_2_00B0410F
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00AF02A4	0_2_00AF02A4
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00ADE3B0	0_2_00ADE3B0
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B0038E	0_2_00B0038E
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00AF06D9	0_2_00AF06D9
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B0467F	0_2_00B0467F
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B3AACE	0_2_00B3AACE
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B04BEF	0_2_00B04BEF
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00AFCCC1	0_2_00AFCCC1
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00AD6F07	0_2_00AD6F07
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00ADAF50	0_2_00ADAF50
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B331BC	0_2_00B331BC
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00AFD1B9	0_2_00AFD1B9
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00AEB11F	0_2_00AEB11F
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00AF123A	0_2_00AF123A
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B0724D	0_2_00B0724D
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00AD93F0	0_2_00AD93F0
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B113CA	0_2_00B113CA
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00AEF563	0_2_00AEF563
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00AD96C0	0_2_00AD96C0
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B1B6CC	0_2_00B1B6CC
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00AD77B0	0_2_00AD77B0
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B3F7FF	0_2_00B3F7FF
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B079C9	0_2_00B079C9
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00AEFA57	0_2_00AEFA57
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00AD9B60	0_2_00AD9B60
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00AF9ED0	0_2_00AF9ED0
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00AEFE6F	0_2_00AEFE6F
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00AD7FA3	0_2_00AD7FA3
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00ECE900	0_2_00ECE900
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00411ACB	2_2_00411ACB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0043F0B3	2_2_0043F0B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004201D3	2_2_004201D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004132F0	2_2_004132F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00412A90	2_2_00412A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E3D3	2_2_0041E3D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004203F3	2_2_004203F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00426B8E	2_2_00426B8E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00426B93	2_2_00426B93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00411C40	2_2_00411C40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00411C3A	2_2_00411C3A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E51C	2_2_0041E51C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E523	2_2_0041E523
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00412E49	2_2_00412E49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00412E50	2_2_00412E50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00412F19	2_2_00412F19
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00412720	2_2_00412720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA352	2_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031003E6	2_2_031003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C02C0	2_2_030C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030100	2_2_03030100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C8158	2_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F41A2	2_2_030F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031001AA	2_2_031001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F81CC	2_2_030F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064750	2_2_03064750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303C7C0	2_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305C6E0	2_2_0305C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03100591	2_2_03100591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4420	2_2_030E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F2446	2_2_030F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EE4F6	2_2_030EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FAB40	2_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F6BD7	2_2_030F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310A9A6	2_2_0310A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304A840	2_2_0304A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03042840	2_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030268B8	2_2_030268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E8F0	2_2_0306E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03082F28	2_2_03082F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060F30	2_2_03060F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E2F30	2_2_030E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4F40	2_2_030B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BEFA0	2_2_030BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032FC8	2_2_03032FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304CFE0	2_2_0304CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FEE26	2_2_030FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040E59	2_2_03040E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052E90	2_2_03052E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FCE93	2_2_030FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FEEDB	2_2_030FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304AD00	2_2_0304AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DCD1F	2_2_030DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03058DBF	2_2_03058DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303ADE0	2_2_0303ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040C00	2_2_03040C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0CB5	2_2_030E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030CF2	2_2_03030CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F132D	2_2_030F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302D34C	2_2_0302D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0308739A	2_2_0308739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030452A0	2_2_030452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305B2C0	2_2_0305B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E12ED	2_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307516C	2_2_0307516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302F172	2_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310B16B	2_2_0310B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304B1B0	2_2_0304B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EF0CC	2_2_030EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030470C0	2_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F70E9	2_2_030F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FF0E0	2_2_030FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FF7B0	2_2_030FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030317EC	2_2_030317EC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03085630	2_2_03085630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F16CC	2_2_030F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F7571	2_2_030F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DD5B0	2_2_030DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031095C3	2_2_031095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FF43F	2_2_030FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03031460	2_2_03031460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFB76	2_2_030FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305FB80	2_2_0305FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B5BF0	2_2_030B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307DBF9	2_2_0307DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFA49	2_2_030FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F7A46	2_2_030F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B3A6C	2_2_030B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DDAAC	2_2_030DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03085AA0	2_2_03085AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E1AA3	2_2_030E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EDAC6	2_2_030EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D5910	2_2_030D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03049950	2_2_03049950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305B950	2_2_0305B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AD800	2_2_030AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030438E0	2_2_030438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFF09	2_2_030FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03041F92	2_2_03041F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFFB1	2_2_030FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03049EB0	2_2_03049EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03043D40	2_2_03043D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F1D5A	2_2_030F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F7D73	2_2_030F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305FDC0	2_2_0305FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B9C32	2_2_030B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFCF2	2_2_030FFCF2

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0302B970 appears 283 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03075130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03087E54 appears 109 times
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: String function: 00AEEC2F appears 68 times
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: String function: 00AFF8A0 appears 35 times
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: String function: 00AF6AC0 appears 42 times

Source: Invoice OMS.132.2024 - S10.08 (2).exe, 00000000.00000003.1298217262.0000000003643000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Invoice OMS.132.2024 - S10.08 (2).exe
Source: Invoice OMS.132.2024 - S10.08 (2).exe, 00000000.00000003.1303445419.00000000037ED000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Invoice OMS.132.2024 - S10.08 (2).exe

Source: Invoice OMS.132.2024 - S10.08 (2).exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.evad.winEXE@3/2@0/0

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00B1CE7A GetLastError,FormatMessageW,

0_2_00B1CE7A

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B0AB84 AdjustTokenPrivileges,CloseHandle,		0_2_00B0AB84
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B0B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00B0B134

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00B1E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00B1E1FD

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00B16532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_00B16532

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00B2C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_00B2C18C

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00AD406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00AD406B

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

File created: C:\Users\user\AppData\Local\Temp\aut1CB7.tmp

Jump to behavior

Source: Invoice OMS.132.2024 - S10.08 (2).exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Invoice OMS.132.2024 - S10.08 (2).exe	ReversingLabs: Detection: 44%
Source: Invoice OMS.132.2024 - S10.08 (2).exe	Virustotal: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe "C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe"
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe"
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe"	Jump to behavior

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Section loaded: ntmarta.dll	Jump to behavior

Source: Invoice OMS.132.2024 - S10.08 (2).exe

Static file information: File size 1213952 > 1048576

Source: Invoice OMS.132.2024 - S10.08 (2).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Invoice OMS.132.2024 - S10.08 (2).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Invoice OMS.132.2024 - S10.08 (2).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Invoice OMS.132.2024 - S10.08 (2).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Invoice OMS.132.2024 - S10.08 (2).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Invoice OMS.132.2024 - S10.08 (2).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Invoice OMS.132.2024 - S10.08 (2).exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: Invoice OMS.132.2024 - S10.08 (2).exe, 00000000.00000003.1305344009.0000000003570000.00000004.00001000.00020000.00000000.sdmp, Invoice OMS.132.2024 - S10.08 (2).exe, 00000000.00000003.1296547878.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1450928280.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1453537095.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1494195041.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1494195041.000000000319E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Invoice OMS.132.2024 - S10.08 (2).exe, 00000000.00000003.1305344009.0000000003570000.00000004.00001000.00020000.00000000.sdmp, Invoice OMS.132.2024 - S10.08 (2).exe, 00000000.00000003.1296547878.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1450928280.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1453537095.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1494195041.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1494195041.000000000319E000.00000040.00001000.00020000.00000000.sdmp

Source: Invoice OMS.132.2024 - S10.08 (2).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Invoice OMS.132.2024 - S10.08 (2).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Invoice OMS.132.2024 - S10.08 (2).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Invoice OMS.132.2024 - S10.08 (2).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Invoice OMS.132.2024 - S10.08 (2).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00AEE01E LoadLibraryA,GetProcAddress,

0_2_00AEE01E

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00AF6B05 push ecx; ret	0_2_00AF6B18
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00AFBDAA push edi; ret	0_2_00AFBDAC
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00AFBEC3 push esi; ret	0_2_00AFBEC5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00412055 push edx; iretd	2_2_00412056
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004118A1 push edx; iretd	2_2_004118A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041218B push ebp; iretd	2_2_00412192
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D9B6 push FFFFFFEBh; iretd	2_2_0041D9BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042F9B8 push 13D671DEh; iretd	2_2_0042F9BD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042AA30 push edx; retf	2_2_0042AA31
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004292F1 push edx; ret	2_2_004292F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00434281 push ds; retf	2_2_00434287
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00435433 push edi; ret	2_2_00435483
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00433D54 push 00000063h; retf	2_2_00433D83
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413570 push eax; ret	2_2_00413572
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00424E8B pushfd ; iretd	2_2_00424E91
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A7C3 push edi; ret	2_2_0041A7F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D7CA push ecx; ret	2_2_0041D7CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030309AD push ecx; mov dword ptr [esp], ecx	2_2_030309B6

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B38111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00B38111
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00AEEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00AEEB42

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00AF123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00AF123A

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

API/Special instruction interceptor: Address: ECE524

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0307096E rdtsc

2_2_0307096E

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Evaded block: after key decision

graph_0-87892

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	API coverage: 4.5 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 7520

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B16CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B16CA9
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B160DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_00B160DD
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B163F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_00B163F9
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B1EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B1EB60
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B1F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B1F5FA
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B1F56F FindFirstFileW,FindClose,	0_2_00B1F56F
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B21B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B21B2F
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B21C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B21C8A
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B21F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B21F94

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00AEDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AEDDC0

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0307096E rdtsc

2_2_0307096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00427B23 LdrLoadDll,

2_2_00427B23

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00B26AAF BlockInput,

0_2_00B26AAF

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00AD3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00AD3D19

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00B03920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00B03920

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00AEE01E LoadLibraryA,GetProcAddress,

0_2_00AEE01E

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00ECD110 mov eax, dword ptr fs:[00000030h]	0_2_00ECD110
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00ECE7F0 mov eax, dword ptr fs:[00000030h]	0_2_00ECE7F0
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00ECE790 mov eax, dword ptr fs:[00000030h]	0_2_00ECE790
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]	2_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]	2_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]	2_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C310 mov ecx, dword ptr fs:[00000030h]	2_2_0302C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050310 mov ecx, dword ptr fs:[00000030h]	2_2_03050310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03108324 mov eax, dword ptr fs:[00000030h]	2_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03108324 mov ecx, dword ptr fs:[00000030h]	2_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03108324 mov eax, dword ptr fs:[00000030h]	2_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03108324 mov eax, dword ptr fs:[00000030h]	2_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov ecx, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA352 mov eax, dword ptr fs:[00000030h]	2_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D8350 mov ecx, dword ptr fs:[00000030h]	2_2_030D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310634F mov eax, dword ptr fs:[00000030h]	2_2_0310634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D437C mov eax, dword ptr fs:[00000030h]	2_2_030D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]	2_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]	2_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]	2_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h]	2_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h]	2_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]	2_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]	2_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]	2_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EC3CD mov eax, dword ptr fs:[00000030h]	2_2_030EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]	2_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]	2_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030663FF mov eax, dword ptr fs:[00000030h]	2_2_030663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302823B mov eax, dword ptr fs:[00000030h]	2_2_0302823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B8243 mov eax, dword ptr fs:[00000030h]	2_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B8243 mov ecx, dword ptr fs:[00000030h]	2_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310625D mov eax, dword ptr fs:[00000030h]	2_2_0310625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A250 mov eax, dword ptr fs:[00000030h]	2_2_0302A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036259 mov eax, dword ptr fs:[00000030h]	2_2_03036259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]	2_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]	2_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]	2_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]	2_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]	2_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302826B mov eax, dword ptr fs:[00000030h]	2_2_0302826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]	2_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]	2_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]	2_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]	2_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]	2_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]	2_2_030402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]	2_2_030402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031062D6 mov eax, dword ptr fs:[00000030h]	2_2_031062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]	2_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]	2_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]	2_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov ecx, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F0115 mov eax, dword ptr fs:[00000030h]	2_2_030F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060124 mov eax, dword ptr fs:[00000030h]	2_2_03060124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov ecx, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C156 mov eax, dword ptr fs:[00000030h]	2_2_0302C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C8158 mov eax, dword ptr fs:[00000030h]	2_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]	2_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]	2_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104164 mov eax, dword ptr fs:[00000030h]	2_2_03104164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104164 mov eax, dword ptr fs:[00000030h]	2_2_03104164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03070185 mov eax, dword ptr fs:[00000030h]	2_2_03070185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]	2_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]	2_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]	2_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]	2_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]	2_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]	2_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]	2_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]	2_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]	2_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031061E5 mov eax, dword ptr fs:[00000030h]	2_2_031061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030601F8 mov eax, dword ptr fs:[00000030h]	2_2_030601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4000 mov ecx, dword ptr fs:[00000030h]	2_2_030B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A020 mov eax, dword ptr fs:[00000030h]	2_2_0302A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C020 mov eax, dword ptr fs:[00000030h]	2_2_0302C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6030 mov eax, dword ptr fs:[00000030h]	2_2_030C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032050 mov eax, dword ptr fs:[00000030h]	2_2_03032050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6050 mov eax, dword ptr fs:[00000030h]	2_2_030B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305C073 mov eax, dword ptr fs:[00000030h]	2_2_0305C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303208A mov eax, dword ptr fs:[00000030h]	2_2_0303208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030280A0 mov eax, dword ptr fs:[00000030h]	2_2_030280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C80A8 mov eax, dword ptr fs:[00000030h]	2_2_030C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F60B8 mov eax, dword ptr fs:[00000030h]	2_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B20DE mov eax, dword ptr fs:[00000030h]	2_2_030B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0302A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030380E9 mov eax, dword ptr fs:[00000030h]	2_2_030380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B60E0 mov eax, dword ptr fs:[00000030h]	2_2_030B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0302C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030720F0 mov ecx, dword ptr fs:[00000030h]	2_2_030720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C700 mov eax, dword ptr fs:[00000030h]	2_2_0306C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030710 mov eax, dword ptr fs:[00000030h]	2_2_03030710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060710 mov eax, dword ptr fs:[00000030h]	2_2_03060710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]	2_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]	2_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]	2_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306273C mov ecx, dword ptr fs:[00000030h]	2_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]	2_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AC730 mov eax, dword ptr fs:[00000030h]	2_2_030AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306674D mov esi, dword ptr fs:[00000030h]	2_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]	2_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]	2_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030750 mov eax, dword ptr fs:[00000030h]	2_2_03030750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE75D mov eax, dword ptr fs:[00000030h]	2_2_030BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]	2_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]	2_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4755 mov eax, dword ptr fs:[00000030h]	2_2_030B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038770 mov eax, dword ptr fs:[00000030h]	2_2_03038770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D678E mov eax, dword ptr fs:[00000030h]	2_2_030D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030307AF mov eax, dword ptr fs:[00000030h]	2_2_030307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E47A0 mov eax, dword ptr fs:[00000030h]	2_2_030E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B07C3 mov eax, dword ptr fs:[00000030h]	2_2_030B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]	2_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]	2_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]	2_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_030BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]	2_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]	2_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE609 mov eax, dword ptr fs:[00000030h]	2_2_030AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072619 mov eax, dword ptr fs:[00000030h]	2_2_03072619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E627 mov eax, dword ptr fs:[00000030h]	2_2_0304E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03066620 mov eax, dword ptr fs:[00000030h]	2_2_03066620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068620 mov eax, dword ptr fs:[00000030h]	2_2_03068620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303262C mov eax, dword ptr fs:[00000030h]	2_2_0303262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304C640 mov eax, dword ptr fs:[00000030h]	2_2_0304C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]	2_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]	2_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]	2_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]	2_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03062674 mov eax, dword ptr fs:[00000030h]	2_2_03062674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]	2_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]	2_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0306C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030666B0 mov eax, dword ptr fs:[00000030h]	2_2_030666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]	2_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]	2_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6500 mov eax, dword ptr fs:[00000030h]	2_2_030C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]	2_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]	2_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]	2_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]	2_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]	2_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032582 mov eax, dword ptr fs:[00000030h]	2_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032582 mov ecx, dword ptr fs:[00000030h]	2_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064588 mov eax, dword ptr fs:[00000030h]	2_2_03064588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E59C mov eax, dword ptr fs:[00000030h]	2_2_0306E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]	2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]	2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]	2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h]	2_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h]	2_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h]	2_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h]	2_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030365D0 mov eax, dword ptr fs:[00000030h]	2_2_030365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030325E0 mov eax, dword ptr fs:[00000030h]	2_2_030325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h]	2_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h]	2_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]	2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]	2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]	2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]	2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]	2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]	2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C427 mov eax, dword ptr fs:[00000030h]	2_2_0302C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A430 mov eax, dword ptr fs:[00000030h]	2_2_0306A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA456 mov eax, dword ptr fs:[00000030h]	2_2_030EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302645D mov eax, dword ptr fs:[00000030h]	2_2_0302645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305245A mov eax, dword ptr fs:[00000030h]	2_2_0305245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC460 mov ecx, dword ptr fs:[00000030h]	2_2_030BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]	2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]	2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]	2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA49A mov eax, dword ptr fs:[00000030h]	2_2_030EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030364AB mov eax, dword ptr fs:[00000030h]	2_2_030364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030644B0 mov ecx, dword ptr fs:[00000030h]	2_2_030644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_030BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030304E5 mov ecx, dword ptr fs:[00000030h]	2_2_030304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104B00 mov eax, dword ptr fs:[00000030h]	2_2_03104B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h]	2_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h]	2_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h]	2_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h]	2_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h]	2_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h]	2_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h]	2_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h]	2_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h]	2_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h]	2_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h]	2_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h]	2_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D8B42 mov eax, dword ptr fs:[00000030h]	2_2_030D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FAB40 mov eax, dword ptr fs:[00000030h]	2_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028B50 mov eax, dword ptr fs:[00000030h]	2_2_03028B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DEB50 mov eax, dword ptr fs:[00000030h]	2_2_030DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302CB7E mov eax, dword ptr fs:[00000030h]	2_2_0302CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h]	2_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h]	2_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]	2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]	2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]	2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]	2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]	2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]	2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_030DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]	2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]	2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]	2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EBFC mov eax, dword ptr fs:[00000030h]	2_2_0305EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_030BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BCA11 mov eax, dword ptr fs:[00000030h]	2_2_030BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA24 mov eax, dword ptr fs:[00000030h]	2_2_0306CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EA2E mov eax, dword ptr fs:[00000030h]	2_2_0305EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h]	2_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h]	2_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA38 mov eax, dword ptr fs:[00000030h]	2_2_0306CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h]	2_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h]	2_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]	2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]	2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]	2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DEA60 mov eax, dword ptr fs:[00000030h]	2_2_030DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h]	2_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h]	2_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104A80 mov eax, dword ptr fs:[00000030h]	2_2_03104A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068A90 mov edx, dword ptr fs:[00000030h]	2_2_03068A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h]	2_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h]	2_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086AA4 mov eax, dword ptr fs:[00000030h]	2_2_03086AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]	2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]	2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]	2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030AD0 mov eax, dword ptr fs:[00000030h]	2_2_03030AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h]	2_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h]	2_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h]	2_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h]	2_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h]	2_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h]	2_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC912 mov eax, dword ptr fs:[00000030h]	2_2_030BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h]	2_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h]	2_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B892A mov eax, dword ptr fs:[00000030h]	2_2_030B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C892B mov eax, dword ptr fs:[00000030h]	2_2_030C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0946 mov eax, dword ptr fs:[00000030h]	2_2_030B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104940 mov eax, dword ptr fs:[00000030h]	2_2_03104940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h]	2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307096E mov edx, dword ptr fs:[00000030h]	2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h]	2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h]	2_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h]	2_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC97C mov eax, dword ptr fs:[00000030h]	2_2_030BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h]	2_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h]	2_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B89B3 mov esi, dword ptr fs:[00000030h]	2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h]	2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h]	2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C69C0 mov eax, dword ptr fs:[00000030h]	2_2_030C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030649D0 mov eax, dword ptr fs:[00000030h]	2_2_030649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_030FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_030BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h]	2_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h]	2_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC810 mov eax, dword ptr fs:[00000030h]	2_2_030BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov ecx, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A830 mov eax, dword ptr fs:[00000030h]	2_2_0306A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h]	2_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h]	2_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03042840 mov ecx, dword ptr fs:[00000030h]	2_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060854 mov eax, dword ptr fs:[00000030h]	2_2_03060854

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00B0A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00B0A66C

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00AF81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00AF81AC
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00AF8189 SetUnhandledExceptionFilter,		0_2_00AF8189

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 360008

Jump to behavior

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00B0B106 LogonUserW,

0_2_00B0B106

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00AD3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00AD3D19

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00B1411C SendInput,keybd_event,

0_2_00B1411C

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00B174BB mouse_event,

0_2_00B174BB

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe"

Jump to behavior

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

0_2_00B0A66C

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00B171FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00B171FA

Source: Invoice OMS.132.2024 - S10.08 (2).exe	Binary or memory string: Shell_TrayWnd
Source: Invoice OMS.132.2024 - S10.08 (2).exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00AF65C4 cpuid

0_2_00AF65C4

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00B2091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_00B2091D

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00B4B340 GetUserNameW,

0_2_00B4B340

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00B01E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00B01E8E

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe

Code function: 0_2_00AEDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AEDDC0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1493926467.0000000000620000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1493721577.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: Invoice OMS.132.2024 - S10.08 (2).exe	Binary or memory string: WIN_81
Source: Invoice OMS.132.2024 - S10.08 (2).exe	Binary or memory string: WIN_XP
Source: Invoice OMS.132.2024 - S10.08 (2).exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: Invoice OMS.132.2024 - S10.08 (2).exe	Binary or memory string: WIN_XPe
Source: Invoice OMS.132.2024 - S10.08 (2).exe	Binary or memory string: WIN_VISTA
Source: Invoice OMS.132.2024 - S10.08 (2).exe	Binary or memory string: WIN_7
Source: Invoice OMS.132.2024 - S10.08 (2).exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1493926467.0000000000620000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1493721577.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B28C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00B28C4F
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B2923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00B2923B
Source: C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe	Code function: 0_2_00B058C5 RpcBindingSetOption,_LocaleUpdate::_LocaleUpdate,_memset,WideCharToMultiByte,GetLastError,_memset,	0_2_00B058C5

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	21 Input Capture	2 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	LSASS Memory	15 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	21 Access Token Manipulation	2 Virtualization/Sandbox Evasion	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	212 Process Injection	21 Access Token Manipulation	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	212 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	115 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Invoice OMS.132.2024 - S10.08 (2).exe	45%	ReversingLabs	Win32.Trojan.AutoitInject
Invoice OMS.132.2024 - S10.08 (2).exe	28%	Virustotal		Browse
Invoice OMS.132.2024 - S10.08 (2).exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1559978
Start date and time:	2024-11-21 09:00:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Invoice OMS.132.2024 - S10.08 (2).exe
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@3/2@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 52 Number of non-executed functions: 298
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
03:01:21	API Interceptor	3x Sleep call for process: svchost.exe modified

Process:	C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.995498366466015
Encrypted:	true
SSDEEP:	6144:9F6GunUup6+2cGUwWtjtrKZIttUPET2d5+LtkhUnJaIxbUJ/R:ZBup/GatjtrKCbEE05+9n0EE
MD5:	B4862BC6F279C204DE434C6A6F4003FC
SHA1:	486F5733883ADD4E2E1127FE4512282E3756E169
SHA-256:	D064354F474650CC630A2A9E387468E12EA2F3ECB2AF83578B5C97A04FBA83DD
SHA-512:	9BBA567050F2164F735B2C13FC25F894835B16BEFB7218BF7A9871D24FF4FE424BC0B9BAFA385120D044AEA4451A5C8F0C50FD2F775CFD9FE80BBBFCDD31F652
Malicious:	false
Reputation:	low
Preview:	...XN0G1T35L..3I.38YIIUN.WLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5X.0G1^,.BC.:...9..h.&&$l1+8R*,]gR1][#7cQ,.AM7i ;n...a48Q=c=J;t35LCC3IK21.t)2.r7+.d7R.W...jSR.Y..S_.S...s7+..>V0pP .P35LCC3Ibv8Y.HTN.!..YW5XM0G1.37MHB8I2k<YIIUNOWLA.C5XM G1PC1LCCsI2#8YIKUNIWLAYW5XK0G1P35LC37I218YIIUNMW..YW%XM G1P3%LCS3I238YYIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35Lm7V1F38Y=.QNOGLAY.1XM G1P35LCC3I238YiIU.OWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238Y

C:\Users\user\AppData\Local\Temp\parachronistic

Download File

Process:	C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.995498366466015
Encrypted:	true
SSDEEP:	6144:9F6GunUup6+2cGUwWtjtrKZIttUPET2d5+LtkhUnJaIxbUJ/R:ZBup/GatjtrKCbEE05+9n0EE
MD5:	B4862BC6F279C204DE434C6A6F4003FC
SHA1:	486F5733883ADD4E2E1127FE4512282E3756E169
SHA-256:	D064354F474650CC630A2A9E387468E12EA2F3ECB2AF83578B5C97A04FBA83DD
SHA-512:	9BBA567050F2164F735B2C13FC25F894835B16BEFB7218BF7A9871D24FF4FE424BC0B9BAFA385120D044AEA4451A5C8F0C50FD2F775CFD9FE80BBBFCDD31F652
Malicious:	false
Reputation:	low
Preview:	...XN0G1T35L..3I.38YIIUN.WLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5X.0G1^,.BC.:...9..h.&&$l1+8R*,]gR1][#7cQ,.AM7i ;n...a48Q=c=J;t35LCC3IK21.t)2.r7+.d7R.W...jSR.Y..S_.S...s7+..>V0pP .P35LCC3Ibv8Y.HTN.!..YW5XM0G1.37MHB8I2k<YIIUNOWLA.C5XM G1PC1LCCsI2#8YIKUNIWLAYW5XK0G1P35LC37I218YIIUNMW..YW%XM G1P3%LCS3I238YYIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35Lm7V1F38Y=.QNOGLAY.1XM G1P35LCC3I238YiIU.OWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238YIIUNOWLAYW5XM0G1P35LCC3I238Y

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.147157754135686
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Invoice OMS.132.2024 - S10.08 (2).exe
File size:	1'213'952 bytes
MD5:	b95f3f7fde33104937c0decb1ca3578a
SHA1:	0709d05a21c6d1237e52d112a3d6906da35b55b6
SHA256:	94a0c046ffd2adb16f5860458b2bf453324ff531267e8ddb8e187a98a8dd6e4c
SHA512:	fc5acafd0776f00412f18fa7e1f3680eb416fe8d7814fa6ab029a1f257d8a4962b2488bbee6d0e796835cacf23c13a5d4d817bd3ba5ee305a348b23028dfa065
SSDEEP:	24576:/tb20pkaCqT5TBWgNQ7a3j6yNM24tzYHtCLmy596A:8Vg5tQ7a3j63tUH4LrP5
TLSH:	0D45CF1373DE8361C3B25273BA65B701AEBF782506A5F96B2FD4093DE820122525E773
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x673E6B33 [Wed Nov 20 23:05:23 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007F390452747Fh
jmp 00007F390451A494h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F390451A61Ah
cmp edi, eax
jc 00007F390451A97Eh
bt dword ptr [004C0158h], 01h
jnc 00007F390451A619h
rep movsb
jmp 00007F390451A92Ch
cmp ecx, 00000080h
jc 00007F390451A7E4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F390451A620h
bt dword ptr [004BA370h], 01h
jc 00007F390451AAF0h
bt dword ptr [004C0158h], 00000000h
jnc 00007F390451A7BDh
test edi, 00000003h
jne 00007F390451A7CEh
test esi, 00000003h
jne 00007F390451A7ADh
bt edi, 02h
jnc 00007F390451A61Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F390451A623h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F390451A675h
bt esi, 03h
jnc 00007F390451A6C8h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x5f5c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x124000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x5f5c0	0x5f600	6ae5b0c78840ac09f079fbab52dd441e	False	0.9315740702817824	data	7.90166259659564	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x124000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xca038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xca4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xca4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcaa84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc7b8	0x568c5	data			1.000327220515598
RT_GROUP_ICON	0x123080	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1230f8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x12310c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x123120	0x14	data	English	Great Britain	1.25
RT_VERSION	0x123134	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x123210	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Target ID:	0
Start time:	03:01:02
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe"
Imagebase:	0xad0000
File size:	1'213'952 bytes
MD5 hash:	B95F3F7FDE33104937C0DECB1CA3578A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:01:04
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Invoice OMS.132.2024 - S10.08 (2).exe"
Imagebase:	0x6c0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1493926467.0000000000620000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1493721577.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	1.5%
Signature Coverage:	8%
Total number of Nodes:	2000
Total number of Limit Nodes:	62

Executed Functions

Function 00AFB043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a28f74efcadbebfb86e9c43ce2d0e5d59aa4b0433f61f3ca0ac019b0cff43474
Instruction ID: 517912013cc3a1a8f2046c545f1196b801a77220655bf15f3351c9a647211f76
Opcode Fuzzy Hash: a28f74efcadbebfb86e9c43ce2d0e5d59aa4b0433f61f3ca0ac019b0cff43474
Instruction Fuzzy Hash: 19327C75A122288FCB24DF98DD816E9B7B5FF46310F1841D9E50AE7A81D7309E80CF62

Function 00AD3D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00AD3AA3,?), ref: 00AD3D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00AD3AA3,?), ref: 00AD3D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,00B91148,00B91130,?,?,?,?,00AD3AA3,?), ref: 00AD3DC8

Part of subcall function 00AD6430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00AD3DEE,00B91148,?,?,?,?,?,00AD3AA3,?), ref: 00AD6471

SetCurrentDirectoryW.KERNEL32(?,?,?,00AD3AA3,?), ref: 00AD3E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00B828F4,00000010), ref: 00B41CCE
SetCurrentDirectoryW.KERNEL32(?,00B91148,?,?,?,?,?,00AD3AA3,?), ref: 00B41D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00B6DAB4,00B91148,?,?,?,?,?,00AD3AA3,?), ref: 00B41D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00AD3AA3), ref: 00B41D90

Part of subcall function 00AD3E6E: GetSysColorBrush.USER32(0000000F), ref: 00AD3E79
Part of subcall function 00AD3E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00AD3E88
Part of subcall function 00AD3E6E: LoadIconW.USER32(00000063), ref: 00AD3E9E
Part of subcall function 00AD3E6E: LoadIconW.USER32(000000A4), ref: 00AD3EB0
Part of subcall function 00AD3E6E: LoadIconW.USER32(000000A2), ref: 00AD3EC2
Part of subcall function 00AD3E6E: RegisterClassExW.USER32(?), ref: 00AD3F30

Part of subcall function 00AD36B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00AD36E6
Part of subcall function 00AD36B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00AD3707
Part of subcall function 00AD36B8: ShowWindow.USER32(00000000,?,?,?,?,00AD3AA3,?), ref: 00AD371B
Part of subcall function 00AD36B8: ShowWindow.USER32(00000000,?,?,?,?,00AD3AA3,?), ref: 00AD3724

Part of subcall function 00AD4FFC: _memset.LIBCMT ref: 00AD5022
Part of subcall function 00AD4FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00AD50CB

Strings

runas, xrefs: 00B41D84
This is a third-party compiled AutoIt script., xrefs: 00B41CC8

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-3287110873
Opcode ID: 5c74a5b6da3507141e887538dfb03f7572d74c68e2f2cfde8cb813a12b33f743
Instruction ID: da788962e1bd0cb7d1ff0c3f7c1301df99cd5bf48d11e965e130a85e4380b769
Opcode Fuzzy Hash: 5c74a5b6da3507141e887538dfb03f7572d74c68e2f2cfde8cb813a12b33f743
Instruction Fuzzy Hash: B151E332E0424ABACF11ABF8DE46EED7BB5DB05740F0045A7F113672A2DE744A45DB22

Function 00AEDDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00AEDDEC
GetCurrentProcess.KERNEL32(00000000,00B6DC38,?,?), ref: 00AEDEAC
GetNativeSystemInfo.KERNELBASE(?,00B6DC38,?,?), ref: 00AEDF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 00AEDF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 00AEDF1F
GetSystemInfo.KERNEL32(?,00B6DC38,?,?), ref: 00AEDF29
GetSystemInfo.KERNEL32(?,00B6DC38,?,?), ref: 00AEDF35

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: f944e2d1d261daa731fff07471c75819c435d1549d7505c634fde38ba9bf19ac
Instruction ID: e15ee9df223b40212e410225c784d36d0490ade57ffef9a94458c7f9ab4332b3
Opcode Fuzzy Hash: f944e2d1d261daa731fff07471c75819c435d1549d7505c634fde38ba9bf19ac
Instruction Fuzzy Hash: 9161BDB180A3C4CFCF15CF6999C51E97FB4AF29300B1989D9D8459F34BC624CA48DB66

Function 00AD406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00AD449E,?,?,00000000,00000001), ref: 00AD407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00AD449E,?,?,00000000,00000001), ref: 00AD4092
LoadResource.KERNEL32(?,00000000,?,?,00AD449E,?,?,00000000,00000001,?,?,?,?,?,?,00AD41FB), ref: 00B44F1A
SizeofResource.KERNEL32(?,00000000,?,?,00AD449E,?,?,00000000,00000001,?,?,?,?,?,?,00AD41FB), ref: 00B44F2F
LockResource.KERNEL32(00AD449E,?,?,00AD449E,?,?,00000000,00000001,?,?,?,?,?,?,00AD41FB,00000000), ref: 00B44F42

Strings

SCRIPT, xrefs: 00AD4088

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 6b4c2545799ca7ac487412a2e599d047e8e2e1d9891f00c08beb0b103255c3a1
Instruction ID: 22bab5948f4ec629d336a67a5959c2148ae107363ed0c93609c8cd00752fb04d
Opcode Fuzzy Hash: 6b4c2545799ca7ac487412a2e599d047e8e2e1d9891f00c08beb0b103255c3a1
Instruction Fuzzy Hash: 2B115A70240701AFE7318B25EC49F277BB9EBC9B51F1086ADF612872A0DB72DD008A21

Function 00B16CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00B42F49), ref: 00B16CB9
FindFirstFileW.KERNELBASE(?,?), ref: 00B16CCA
FindClose.KERNEL32(00000000), ref: 00B16CDA

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 8ed0334806937029db313d7dc633a608e23cd9adff598f30a8fab21f01a9b398
Instruction ID: c031ebb9052a6bc2f740af6536d4861e1ae3173b012663eb902fa568c5cb2b53
Opcode Fuzzy Hash: 8ed0334806937029db313d7dc633a608e23cd9adff598f30a8fab21f01a9b398
Instruction Fuzzy Hash: E2E0D8318119115782206738EC0D4E97BACDA0533AF500795F471D21D0EB70DD9045E5

Function 00AE3B70 Relevance: 2.2, Strings: 1, Instructions: 903COMMON

Download Yara Rule

Strings

@, xrefs: 00AE4176

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @
API String ID: 3728558374-2766056989
Opcode ID: 8c528394d03da7320a13ca7ce774979e74c987cf3a7372fe0cc35979466978e7
Instruction ID: 2ce1dcf4da6be899ce2e5f3039b5388bd448a7caf238e093d130c229914a9af3
Opcode Fuzzy Hash: 8c528394d03da7320a13ca7ce774979e74c987cf3a7372fe0cc35979466978e7
Instruction Fuzzy Hash: 1072CE31E04248EFCF14DF99C985ABEB7F5EF48300F14809AE906AB251DB71AE45CB91

Function 00AE3200 Relevance: 1.0, Instructions: 986COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 877a1e409ba5eece1e4a61b9368964b3aa3a59fc9357a7d6dea7fc7025866b6d
Instruction ID: 14266d41572d3e4fbac7d2a836300ba5e6a575fdc76707ec1d9eedf6c8d93b78
Opcode Fuzzy Hash: 877a1e409ba5eece1e4a61b9368964b3aa3a59fc9357a7d6dea7fc7025866b6d
Instruction Fuzzy Hash: 809269716083819FDB24DF19C584B6ABBE1FF88304F14889DE98A8B352D771ED45CB92

Function 00ADE8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ADE959
timeGetTime.WINMM ref: 00ADEBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ADED2E
TranslateMessage.USER32(?), ref: 00ADED3F
DispatchMessageW.USER32(?), ref: 00ADED4A
LockWindowUpdate.USER32(00000000), ref: 00ADED79
DestroyWindow.USER32 ref: 00ADED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00ADED9F
Sleep.KERNEL32(0000000A), ref: 00B45270
TranslateMessage.USER32(?), ref: 00B459F7
DispatchMessageW.USER32(?), ref: 00B45A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B45A19

Strings

@GUI_WINHANDLE, xrefs: 00B45360
@GUI_CTRLID, xrefs: 00B45314
@GUI_CTRLHANDLE, xrefs: 00B453AC
@TRAY_ID, xrefs: 00B454C9

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: 364062dddf9a28201bf0241add8a3382acb60feb986c66e6a15ddd713855bf3f
Instruction ID: a232569fbd615ec1e89c3f63e53aef59fc2ef188ed494d184a13e2644648d0ea
Opcode Fuzzy Hash: 364062dddf9a28201bf0241add8a3382acb60feb986c66e6a15ddd713855bf3f
Instruction Fuzzy Hash: 5A62B0705047419FDB20EF24C985BAA77E4FF44304F1449AEF9868F292DB71E948DB62

Function 00B05C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 00B05EC3
___createFile.LIBCMT ref: 00B05F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00B05F2D
__dosmaperr.LIBCMT ref: 00B05F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00B05F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00B05F6A
__dosmaperr.LIBCMT ref: 00B05F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00B05F7C
__set_osfhnd.LIBCMT ref: 00B05FAC
__lseeki64_nolock.LIBCMT ref: 00B06016
__close_nolock.LIBCMT ref: 00B0603C
__chsize_nolock.LIBCMT ref: 00B0606C
__lseeki64_nolock.LIBCMT ref: 00B0607E
__lseeki64_nolock.LIBCMT ref: 00B06176
__lseeki64_nolock.LIBCMT ref: 00B0618B
__close_nolock.LIBCMT ref: 00B061EB

Part of subcall function 00AFEA9C: CloseHandle.KERNELBASE(00000000,00B7EEF4,00000000,?,00B06041,00B7EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00AFEAEC
Part of subcall function 00AFEA9C: GetLastError.KERNEL32(?,00B06041,00B7EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00AFEAF6
Part of subcall function 00AFEA9C: __free_osfhnd.LIBCMT ref: 00AFEB03
Part of subcall function 00AFEA9C: __dosmaperr.LIBCMT ref: 00AFEB25

Part of subcall function 00AF7C0E: __getptd_noexit.LIBCMT ref: 00AF7C0E

__lseeki64_nolock.LIBCMT ref: 00B0620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00B06342
___createFile.LIBCMT ref: 00B06361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00B0636E
__dosmaperr.LIBCMT ref: 00B06375
__free_osfhnd.LIBCMT ref: 00B06395
__invoke_watson.LIBCMT ref: 00B063C3
__wsopen_helper.LIBCMT ref: 00B063DD

Strings

@, xrefs: 00B05F98

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: 9e7a9f773b2441d182432f5860702b04097047920c451da2445fff8e75d84823
Instruction ID: 2e721acf0c0efa8692a425248ef08e6b22581fea49112cb8b2e4fcbcd332468d
Opcode Fuzzy Hash: 9e7a9f773b2441d182432f5860702b04097047920c451da2445fff8e75d84823
Instruction Fuzzy Hash: E122367190060A9FEF359F68DC85BBE7FA1EF10310F2442A9F561AB2E1D6358D60CB91

Function 00B1FA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 00B1FA96
_wcschr.LIBCMT ref: 00B1FAA4
_wcscpy.LIBCMT ref: 00B1FABB
_wcscat.LIBCMT ref: 00B1FACA
_wcscat.LIBCMT ref: 00B1FAE8
_wcscpy.LIBCMT ref: 00B1FB09
__wsplitpath.LIBCMT ref: 00B1FBE6
_wcscpy.LIBCMT ref: 00B1FC0B
_wcscpy.LIBCMT ref: 00B1FC1D
_wcscpy.LIBCMT ref: 00B1FC32
_wcscat.LIBCMT ref: 00B1FC47
_wcscat.LIBCMT ref: 00B1FC59
_wcscat.LIBCMT ref: 00B1FC6E

Part of subcall function 00B1BFA4: _wcscmp.LIBCMT ref: 00B1C03E
Part of subcall function 00B1BFA4: __wsplitpath.LIBCMT ref: 00B1C083
Part of subcall function 00B1BFA4: _wcscpy.LIBCMT ref: 00B1C096
Part of subcall function 00B1BFA4: _wcscat.LIBCMT ref: 00B1C0A9
Part of subcall function 00B1BFA4: __wsplitpath.LIBCMT ref: 00B1C0CE
Part of subcall function 00B1BFA4: _wcscat.LIBCMT ref: 00B1C0E4
Part of subcall function 00B1BFA4: _wcscat.LIBCMT ref: 00B1C0F7

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00B1FA61

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 2955681530-2806939583
Opcode ID: fa5056e509812c1311e604d91f40695c017b4aea23634a1d80733a9891447265
Instruction ID: a4859c8fa35e11ff2b975a120218e2e9f61a75452274833581a863e5f756e442
Opcode Fuzzy Hash: fa5056e509812c1311e604d91f40695c017b4aea23634a1d80733a9891447265
Instruction Fuzzy Hash: F091A4725047059FCB10EB54CA51FABB3E8FF94310F4448ADF9599B292DB30EA44CB92

Function 00B1BFA4 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B1BDB4: __time64.LIBCMT ref: 00B1BDBE

Part of subcall function 00AD4517: _fseek.LIBCMT ref: 00AD452F

__wsplitpath.LIBCMT ref: 00B1C083

Part of subcall function 00AF1DFC: __wsplitpath_helper.LIBCMT ref: 00AF1E3C

_wcscpy.LIBCMT ref: 00B1C096
_wcscat.LIBCMT ref: 00B1C0A9
__wsplitpath.LIBCMT ref: 00B1C0CE
_wcscat.LIBCMT ref: 00B1C0E4
_wcscat.LIBCMT ref: 00B1C0F7
_wcscmp.LIBCMT ref: 00B1C03E

Part of subcall function 00B1C56D: _wcscmp.LIBCMT ref: 00B1C65D
Part of subcall function 00B1C56D: _wcscmp.LIBCMT ref: 00B1C670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00B1C2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B1C338
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B1C34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B1C35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B1C371

Strings

p1Mw`KNw, xrefs: 00B1C2A1, 00B1C338, 00B1C35F, 00B1C371

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID: p1Mw`KNw
API String ID: 2378138488-3626030660
Opcode ID: aa5bd941efc7d3dfd846630231ae7aaab16a2e640f6cb8f526373b6ab40de76c
Instruction ID: 40ed1e71464d707cb381d9f6af2704985e181b1f8b6c07a762a2977669170b80
Opcode Fuzzy Hash: aa5bd941efc7d3dfd846630231ae7aaab16a2e640f6cb8f526373b6ab40de76c
Instruction Fuzzy Hash: 2DC12BB1940219AFDF21DFA5CD81EEEBBF9EF49300F4040A6F609E6151DB309A848F65

Function 00AD3F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AD3F86
RegisterClassExW.USER32(00000030), ref: 00AD3FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AD3FC1
InitCommonControlsEx.COMCTL32(?), ref: 00AD3FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AD3FEE
LoadIconW.USER32(000000A9), ref: 00AD4004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AD4013

Strings

TaskbarCreated, xrefs: 00AD3FB6
AutoIt v3 GUI, xrefs: 00AD3FA2
0, xrefs: 00AD3F68
+, xrefs: 00AD3F6F

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 7f1dda746b2e95c21d38a2d3eccfcf7f6555feb5ce63ec028a1c4c51dd597fc8
Instruction ID: 197decd602eab60d9606f0a97ebaf70ed20b307024e92f94042caa215249e72e
Opcode Fuzzy Hash: 7f1dda746b2e95c21d38a2d3eccfcf7f6555feb5ce63ec028a1c4c51dd597fc8
Instruction Fuzzy Hash: C721E4B5D00309AFDB109FA8ED89B8DBBB4FB08701F04465AF611A72A0DBB505449FA1

Function 00AD3742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00AD37B3
KillTimer.USER32(?,00000001), ref: 00AD37DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00AD3800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AD380B
CreatePopupMenu.USER32 ref: 00AD381F
PostQuitMessage.USER32(00000000), ref: 00AD382E

Strings

TaskbarCreated, xrefs: 00AD3806

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 64f5a7c3f842a16c579d464c5354f23c28d099e9a65a52e80f1b535619093c67
Instruction ID: bbb36a35e1e94a41391308dd6ebec4bd3da9ece597f2c3cd3a45e7317b26493b
Opcode Fuzzy Hash: 64f5a7c3f842a16c579d464c5354f23c28d099e9a65a52e80f1b535619093c67
Instruction Fuzzy Hash: D941F4F7500647ABDF20DB6CDD4AB7A36A9F704341F000967F503932A0CA659E90A763

Function 00AD3E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AD3E79
LoadCursorW.USER32(00000000,00007F00), ref: 00AD3E88
LoadIconW.USER32(00000063), ref: 00AD3E9E
LoadIconW.USER32(000000A4), ref: 00AD3EB0
LoadIconW.USER32(000000A2), ref: 00AD3EC2

Part of subcall function 00AD4024: LoadImageW.USER32(00AD0000,00000063,00000001,00000010,00000010,00000000), ref: 00AD4048

RegisterClassExW.USER32(?), ref: 00AD3F30

Part of subcall function 00AD3F53: GetSysColorBrush.USER32(0000000F), ref: 00AD3F86
Part of subcall function 00AD3F53: RegisterClassExW.USER32(00000030), ref: 00AD3FB0
Part of subcall function 00AD3F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AD3FC1
Part of subcall function 00AD3F53: InitCommonControlsEx.COMCTL32(?), ref: 00AD3FDE
Part of subcall function 00AD3F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AD3FEE
Part of subcall function 00AD3F53: LoadIconW.USER32(000000A9), ref: 00AD4004
Part of subcall function 00AD3F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AD4013

Strings

#, xrefs: 00AD3F09
AutoIt v3, xrefs: 00AD3F1F
0, xrefs: 00AD3F02

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 5482dfdc2f1afc36354f990fd73d0e9b8d6fa4a307cb53879b9fe30dcbc83aad
Instruction ID: 664cdbac3754af9dfdf2b595c568a82d4f4acfc34cfe380906210b2cefd0796f
Opcode Fuzzy Hash: 5482dfdc2f1afc36354f990fd73d0e9b8d6fa4a307cb53879b9fe30dcbc83aad
Instruction Fuzzy Hash: 31215EB1D04315ABCB11DFADEE46A99BFF5FB48310F008A2BE215A73A0DB7546409F91

Function 00ECD8E0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00ECD9B1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00ECDBD7

Memory Dump Source

Source File: 00000000.00000002.1309320525.0000000000ECB000.00000040.00000020.00020000.00000000.sdmp, Offset: 00ECB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ecb000_Invoice OMS.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction ID: 8d09faa15328e0bc5e61320d6ec3b02efc33c1d73a2c32f690d4b9acd7dbfa10
Opcode Fuzzy Hash: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction Fuzzy Hash: 50A11570E04208EBDB14CFA4CA94FEEB7B5BF48304F209169E515BB280D7769E42CB94

Function 00AD49FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00AD4A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00B441DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00B4421A
RegCloseKey.ADVAPI32(?), ref: 00B44249

Strings

Include, xrefs: 00B441D3, 00B44212
Software\AutoIt v3\AutoIt, xrefs: 00AD4A13

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 4f164eb2c1c39ed39686f80159d0f5f30ef324a746b2dff5d226466a6087b331
Instruction ID: ffd56a6bb47ee54207ec9adde714b6207cad094536a16ba8040538ffc7dad0b8
Opcode Fuzzy Hash: 4f164eb2c1c39ed39686f80159d0f5f30ef324a746b2dff5d226466a6087b331
Instruction Fuzzy Hash: 6F114F71A11209BFEB14ABA4CE96EBF7BBCEF04344F0000A5B506E71A1EB709E41DB50

Function 00AD36B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00AD36E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00AD3707
ShowWindow.USER32(00000000,?,?,?,?,00AD3AA3,?), ref: 00AD371B
ShowWindow.USER32(00000000,?,?,?,?,00AD3AA3,?), ref: 00AD3724

Strings

edit, xrefs: 00AD3701
AutoIt v3, xrefs: 00AD36DE, 00AD36E3, 00AD36E4

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 574d6e55c20d7438c2b68dfa21cee1dca13ac5b1c022186cff4d4fd8518a728d
Instruction ID: 8d8ba5211a438d50ec7be7496c5cd5f7710ce5da272bc7a0f16df0be5b22f5db
Opcode Fuzzy Hash: 574d6e55c20d7438c2b68dfa21cee1dca13ac5b1c022186cff4d4fd8518a728d
Instruction Fuzzy Hash: 63F0F471A402D17AD731976B6D09E773E7ED7C6F20F00455FBA04931B0C9660895EA71

Function 00ECD650 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00ECD540: Sleep.KERNELBASE(000001F4), ref: 00ECD551

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00ECD7CE

Strings

YW5XM0G1P35LCC3I238YIIUNOWLA, xrefs: 00ECD837, 00ECD83A

Memory Dump Source

Source File: 00000000.00000002.1309320525.0000000000ECB000.00000040.00000020.00020000.00000000.sdmp, Offset: 00ECB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ecb000_Invoice OMS.jbxd

Similarity

API ID: CreateFileSleep
String ID: YW5XM0G1P35LCC3I238YIIUNOWLA
API String ID: 2694422964-1780391576
Opcode ID: a0e59b44fdc633359cb063c9dcff101d0c7da137abc964d5995db92ba9b62e37
Instruction ID: 20829923b74d1e47bf026ce070f33a2545161bd96f51e14c4d2351bd532a2f4b
Opcode Fuzzy Hash: a0e59b44fdc633359cb063c9dcff101d0c7da137abc964d5995db92ba9b62e37
Instruction Fuzzy Hash: 1B718430D08388DAEB15D7E4D854BEEBB75AF19304F0441A9E248BB2C1D7BA1B45CBA5

Function 00AD51AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00AD522F
_wcscpy.LIBCMT ref: 00AD5283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00AD5293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00B43CB0

Strings

Line: , xrefs: 00B43CD9

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: fa35e17c782292f4f2b6a10ce7c9ae7a5f213c4d5926f0184e444909eba6806b
Instruction ID: d212af0a82e25cbcb790cff428ac0ebb0cd55a5c56650c255d740fe5380291bb
Opcode Fuzzy Hash: fa35e17c782292f4f2b6a10ce7c9ae7a5f213c4d5926f0184e444909eba6806b
Instruction Fuzzy Hash: EF3190714087416FD721EB64ED46FDA77E8EB44310F004A1BF596932A2EF70A648CB96

Function 00AD4139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 00AD41A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00AD39FE,?,00000001), ref: 00AD41DB

_free.LIBCMT ref: 00B436B7
_free.LIBCMT ref: 00B436FE

Part of subcall function 00ADC833: __wsplitpath.LIBCMT ref: 00ADC93E
Part of subcall function 00ADC833: _wcscpy.LIBCMT ref: 00ADC953
Part of subcall function 00ADC833: _wcscat.LIBCMT ref: 00ADC968
Part of subcall function 00ADC833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00ADC978

Strings

Bad directive syntax error, xrefs: 00B436E4
>>>AUTOIT SCRIPT<<<, xrefs: 00B43491

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: 93f26aad274a5e17b4dbf1ed97564c74f703326dcf51c3ac72dfa3c7c736d533
Instruction ID: 173be274ecafe9938b76d2b16fb231df6607ada03c2abc75b80126530fa09e06
Opcode Fuzzy Hash: 93f26aad274a5e17b4dbf1ed97564c74f703326dcf51c3ac72dfa3c7c736d533
Instruction Fuzzy Hash: 84919D71910219AFCF04EFA4CD919EEB7F4FF18710F5444AAF816AB291DB309A45DBA0

Function 00AD4A30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00AD5374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B91148,?,00AD61FF,?,00000000,00000001,00000000), ref: 00AD5392

Part of subcall function 00AD49FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00AD4A1D

_wcscat.LIBCMT ref: 00B42D80
_wcscat.LIBCMT ref: 00B42DB5

Strings

\, xrefs: 00B42DA2
\Include\, xrefs: 00AD4B0A

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: \$\Include\
API String ID: 3592542968-2640467822
Opcode ID: 2321a311a0d6470f3a833b22118b72f523feef01d6b5151477ce645c82b6d20f
Instruction ID: 30ced1cede5c36c9b86baff081d828d36ed92f7d8d8c3a6df9793a28f434aa7d
Opcode Fuzzy Hash: 2321a311a0d6470f3a833b22118b72f523feef01d6b5151477ce645c82b6d20f
Instruction Fuzzy Hash: DE515FB6C05350ABC714EF65DB828AAB7F4FF59300B80456FF645A3261EF309A18CB56

Function 00AF34AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 00AF34FE

Part of subcall function 00AF7C0E: __getptd_noexit.LIBCMT ref: 00AF7C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 00AF3539
__wopenfile.LIBCMT ref: 00AF3549

Strings

<G, xrefs: 00AF34CD, 00AF34F0, 00AF34FC

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: 373ca821d28d19ac22f825ccc74314f2e9c688175ef373d1b7a26ffc919ee391
Instruction ID: d5ad2206c46dcf5843531cc502dcbb317978c89494021e8048c40449ffa8fc28
Opcode Fuzzy Hash: 373ca821d28d19ac22f825ccc74314f2e9c688175ef373d1b7a26ffc919ee391
Instruction Fuzzy Hash: 22110672A0020EAFDF22BFF48D4267E76B4AF45391B148425FA15DB291EB34CA0197B1

Function 00AED298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00AED28B,SwapMouseButtons,00000004,?), ref: 00AED2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00AED28B,SwapMouseButtons,00000004,?,?,?,?,00AEC865), ref: 00AED2DD
RegCloseKey.KERNELBASE(00000000,?,?,00AED28B,SwapMouseButtons,00000004,?,?,?,?,00AEC865), ref: 00AED2FF

Strings

Control Panel\Mouse, xrefs: 00AED2BA

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: f450379f75410a8a83fcbe0810a9e2ac0bc5a0d14f2c3e48c6d849935cd37bc3
Instruction ID: 0b7fdc6be289afb9958a3c311061d13b307154fdba29066e12bbc99733d46540
Opcode Fuzzy Hash: f450379f75410a8a83fcbe0810a9e2ac0bc5a0d14f2c3e48c6d849935cd37bc3
Instruction Fuzzy Hash: 15117975611249BFDB218FA5CC84EEF7BB8EF04740F004569E901EB110E731AE409B60

Function 00ECC540 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00ECCCFB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00ECCD91
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00ECCDB3

Memory Dump Source

Source File: 00000000.00000002.1309320525.0000000000ECB000.00000040.00000020.00020000.00000000.sdmp, Offset: 00ECB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ecb000_Invoice OMS.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 9ff7d806dc6ef1cc8f26af8a7a5011723b62bd23310367b846ce676590f9e849
Instruction ID: f8da7f9f08e1956c88234bf8640f79ff3758db5972e076cae182e0d15a38a22f
Opcode Fuzzy Hash: 9ff7d806dc6ef1cc8f26af8a7a5011723b62bd23310367b846ce676590f9e849
Instruction Fuzzy Hash: 58621930A142589BEB24CBA4C941BDEB772EF58304F1091A9E10DFB394E7769E81CB59

Function 00B1C396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00AD4517: _fseek.LIBCMT ref: 00AD452F

Part of subcall function 00B1C56D: _wcscmp.LIBCMT ref: 00B1C65D
Part of subcall function 00B1C56D: _wcscmp.LIBCMT ref: 00B1C670

_free.LIBCMT ref: 00B1C4DD
_free.LIBCMT ref: 00B1C4E4
_free.LIBCMT ref: 00B1C54F

Part of subcall function 00AF1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00AF7A85), ref: 00AF1CB1
Part of subcall function 00AF1C9D: GetLastError.KERNEL32(00000000,?,00AF7A85), ref: 00AF1CC3

_free.LIBCMT ref: 00B1C557

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 0291d278fd3c0ee10044b808818b9d6c21fdc9175ee32bef741d63fe6815c47f
Instruction ID: d15289d719f1f26863d256ea042bb98b3384552d6eefad0a2ec17b0cbc155320
Opcode Fuzzy Hash: 0291d278fd3c0ee10044b808818b9d6c21fdc9175ee32bef741d63fe6815c47f
Instruction Fuzzy Hash: B1514CB5904219AFDF149F64DC81AEDBBB9EF48300F1040AEB259A3241DB715E808F59

Function 00AEEB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AEEBB2

Part of subcall function 00AD51AF: _memset.LIBCMT ref: 00AD522F
Part of subcall function 00AD51AF: _wcscpy.LIBCMT ref: 00AD5283
Part of subcall function 00AD51AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00AD5293

KillTimer.USER32(?,00000001,?,?), ref: 00AEEC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00AEEC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B43C88

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: a36c53d356bae20801cff792ee844979330c5d321e42256e33d9c1e49960e687
Instruction ID: 564fa5dc277a6182955e9cf8d14d957ce6d9059fad3c0a00c22b7982a0cc0203
Opcode Fuzzy Hash: a36c53d356bae20801cff792ee844979330c5d321e42256e33d9c1e49960e687
Instruction Fuzzy Hash: 4821D7709047949FE732DB288895BE7BFECDB45708F14048EE68A57242C7742B859B51

Function 00AD40E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B43725
GetOpenFileNameW.COMDLG32 ref: 00B4376F

Part of subcall function 00AD660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AD53B1,?,?,00AD61FF,?,00000000,00000001,00000000), ref: 00AD662F

Part of subcall function 00AD40A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00AD40C6

Strings

X, xrefs: 00B4373E

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: a05814c235ca6e6cfd1267e970ac35ef6f7d463e94f83bc3098168f048199200
Instruction ID: 2169d403bc2047b8d87d557f6a905928c78caa33d6c8e7db1203f84edb21eced
Opcode Fuzzy Hash: a05814c235ca6e6cfd1267e970ac35ef6f7d463e94f83bc3098168f048199200
Instruction Fuzzy Hash: 9D21C371A00288ABCF01DFD8C805BEE7BF89F49704F00405AE505A7341DBB49A898F65

Function 00B1C71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00B1C72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00B1C746

Strings

aut, xrefs: 00B1C740

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 7e4da19bd6936c90a84177dc21728a7a16de336ff8b050c18ad58cb734fa991e
Instruction ID: 64c95a97be15d9d9caa0d6bc0c6037e0fab6e3a5d07511ed695122a1d6f4b5be
Opcode Fuzzy Hash: 7e4da19bd6936c90a84177dc21728a7a16de336ff8b050c18ad58cb734fa991e
Instruction Fuzzy Hash: 33D05E7150030EABDB20AB90DC0EF8AB7ACA700B05F0002E0B651A60B1DAB5E6998B55

Function 00B2F8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4220f51711dc4617f17dcf9784281d4530b9472262d63caa51245610b39ebdfc
Instruction ID: 7ae7bcdf8d3a985cf2644dc9e7d2ea041f12181c8272f64056dfaa558d34f3f0
Opcode Fuzzy Hash: 4220f51711dc4617f17dcf9784281d4530b9472262d63caa51245610b39ebdfc
Instruction Fuzzy Hash: 81F169716043129FC710DF28C594B6AB7F5FF88314F10896EF9999B292DB30E945CB82

Function 00AD4FFC Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AD5022
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00AD50CB

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: 34fd67f155c455a6bd0dc9c5d4db7f5470107f2b44a3f0531c8d62c9d219ad46
Instruction ID: c35f49780d3c752722664b3daeae05b03a45a0e3dea60e4bd6cb5bca4eff8226
Opcode Fuzzy Hash: 34fd67f155c455a6bd0dc9c5d4db7f5470107f2b44a3f0531c8d62c9d219ad46
Instruction Fuzzy Hash: F5314BB1904701DFD721DF38D98569BBBE4FB49305F00092FE59A87351EB71AA44CB92

Function 00AF395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00AF3973

Part of subcall function 00AF81C2: __NMSG_WRITE.LIBCMT ref: 00AF81E9
Part of subcall function 00AF81C2: __NMSG_WRITE.LIBCMT ref: 00AF81F3

__NMSG_WRITE.LIBCMT ref: 00AF397A

Part of subcall function 00AF821F: GetModuleFileNameW.KERNEL32(00000000,00B90312,00000104,00000000,00000001,00000000), ref: 00AF82B1
Part of subcall function 00AF821F: ___crtMessageBoxW.LIBCMT ref: 00AF835F

Part of subcall function 00AF1145: ___crtCorExitProcess.LIBCMT ref: 00AF114B
Part of subcall function 00AF1145: ExitProcess.KERNEL32 ref: 00AF1154

Part of subcall function 00AF7C0E: __getptd_noexit.LIBCMT ref: 00AF7C0E

RtlAllocateHeap.NTDLL(00C90000,00000000,00000001,00000001,00000000,?,?,00AEF507,?,0000000E), ref: 00AF399F

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 85bc429470b2fd5f1c34f887d6a747036882c5ef53dcf4bbd8670f20211e461a
Instruction ID: c1940fad7c991c5dc66451a6c84aea859ed0dec564ee92f0fa1ec92341b71576
Opcode Fuzzy Hash: 85bc429470b2fd5f1c34f887d6a747036882c5ef53dcf4bbd8670f20211e461a
Instruction Fuzzy Hash: 5101963335560E9AEF213BE9DDA2B7E23589F81760F21012AF745D7181DFF49D418660

Function 00B1C6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00B1C385,?,?,?,?,?,00000004), ref: 00B1C6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00B1C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00B1C708
CloseHandle.KERNEL32(00000000,?,00B1C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00B1C70F

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: fb40d7a34bdf31d32938cdcf9f46253615da2c41c1b10d178938aae9b47ee396
Instruction ID: f7bcb7c02cbc136ef1cf0a193edde275c090ee6ba5ccd971444a875aa4c5aea9
Opcode Fuzzy Hash: fb40d7a34bdf31d32938cdcf9f46253615da2c41c1b10d178938aae9b47ee396
Instruction Fuzzy Hash: AEE08632180714B7D7311F54AC09FCA7F58EB05761F104250FB147A0F09BB129518799

Function 00B1BB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B1BB72

Part of subcall function 00AF1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00AF7A85), ref: 00AF1CB1
Part of subcall function 00AF1C9D: GetLastError.KERNEL32(00000000,?,00AF7A85), ref: 00AF1CC3

_free.LIBCMT ref: 00B1BB83
_free.LIBCMT ref: 00B1BB95

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8d6c99314b0704041c66cbc9d98ad607d1a0ae96d99a55b8255782f8bd4ba31d
Instruction ID: 1c02c281477d3f8f0f80924f1411f9fabd0f682dbcb59b2dfe530e9d9d5e340a
Opcode Fuzzy Hash: 8d6c99314b0704041c66cbc9d98ad607d1a0ae96d99a55b8255782f8bd4ba31d
Instruction Fuzzy Hash: 5FE02BA1304700C3CA3067B86F44EF313CCCF04310794084DB519E3186DF20F88084B4

Function 00AD2322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 00AD22A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00AD24F1), ref: 00AD2303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00AD25A1
CoInitialize.OLE32(00000000), ref: 00AD2618
CloseHandle.KERNEL32(00000000), ref: 00B4503A

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: 616e407c3bb83d4a11cda9f98437e8394f40882e577d02813696b730a7937f49
Instruction ID: fedffdd29851f9995ccd979540e26d45d2d073c1f1726462ee752cf586e47439
Opcode Fuzzy Hash: 616e407c3bb83d4a11cda9f98437e8394f40882e577d02813696b730a7937f49
Instruction Fuzzy Hash: F171BDB59053839B8705EF6EAB90594BBF4BBA93407914AAFD01AD73B1CF304404EF18

Function 00AD3A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00AD3A73

Part of subcall function 00AF1405: __lock.LIBCMT ref: 00AF140B

Part of subcall function 00AD3ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00AD3AF3
Part of subcall function 00AD3ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00AD3B08

Part of subcall function 00AD3D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00AD3AA3,?), ref: 00AD3D45
Part of subcall function 00AD3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00AD3AA3,?), ref: 00AD3D57
Part of subcall function 00AD3D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00B91148,00B91130,?,?,?,?,00AD3AA3,?), ref: 00AD3DC8
Part of subcall function 00AD3D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00AD3AA3,?), ref: 00AD3E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00AD3AB3

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: f9531f1e0e696049f0d346800a22f701f9905d80d17cd17cb68dbb8dd980f146
Instruction ID: 38dcce1e4613d0ae2a8b884f95a372dfe9823541f14429bdf76da1f47220a9c8
Opcode Fuzzy Hash: f9531f1e0e696049f0d346800a22f701f9905d80d17cd17cb68dbb8dd980f146
Instruction Fuzzy Hash: EF11CD729043419FC700EF6AEA05A1AFBE9EBD4750F008A1FF585832B1DFB18950CB92

Function 00AFE9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 00AFEA29
__close_nolock.LIBCMT ref: 00AFEA42

Part of subcall function 00AF7BDA: __getptd_noexit.LIBCMT ref: 00AF7BDA

Part of subcall function 00AF7C0E: __getptd_noexit.LIBCMT ref: 00AF7C0E

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: 91ead2d26bc84961997028bec7b1e318c5e0842ab7784f1fec78d9c4297b144d
Instruction ID: 55f6a1849a6745991d3334335b5a4f0d8a0be0ee40e9271f11548a6fe27e1a36
Opcode Fuzzy Hash: 91ead2d26bc84961997028bec7b1e318c5e0842ab7784f1fec78d9c4297b144d
Instruction Fuzzy Hash: 91118272905A1C9ED711FFE8CA4177C7AA16F823B2F264340F6255F1F2CBB48C4186A1

Function 00AEF4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00AF395C: __FF_MSGBANNER.LIBCMT ref: 00AF3973
Part of subcall function 00AF395C: __NMSG_WRITE.LIBCMT ref: 00AF397A
Part of subcall function 00AF395C: RtlAllocateHeap.NTDLL(00C90000,00000000,00000001,00000001,00000000,?,?,00AEF507,?,0000000E), ref: 00AF399F

std::exception::exception.LIBCMT ref: 00AEF51E
__CxxThrowException@8.LIBCMT ref: 00AEF533

Part of subcall function 00AF6805: RaiseException.KERNEL32(?,?,0000000E,00B86A30,?,?,?,00AEF538,0000000E,00B86A30,?,00000001), ref: 00AF6856

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 63370df49fd21bb7f1a94e080d0193c02bcdb0d0be330126e637379a5eea7aa5
Instruction ID: 418589229c464c9f8755be62ca9f77e44ba2449ee3d5907dfd1dfc85edf0d8ac
Opcode Fuzzy Hash: 63370df49fd21bb7f1a94e080d0193c02bcdb0d0be330126e637379a5eea7aa5
Instruction Fuzzy Hash: A1F0A43210425DABDB14BFD9DA11AEF77E8AF00354F6045A9FA04D2181DBB1964486B5

Function 00AF35E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00AF7C0E: __getptd_noexit.LIBCMT ref: 00AF7C0E

__lock_file.LIBCMT ref: 00AF3629

Part of subcall function 00AF4E1C: __lock.LIBCMT ref: 00AF4E3F

__fclose_nolock.LIBCMT ref: 00AF3634

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 24a103ce028fd28ed38d60a02708ef84e4192f67dedf28b315e87a54f94c9b1f
Instruction ID: 9e1960882e0b0dac8b7572e40b35b79744a1a5458989ce92d2e1a8d7f91efc05
Opcode Fuzzy Hash: 24a103ce028fd28ed38d60a02708ef84e4192f67dedf28b315e87a54f94c9b1f
Instruction Fuzzy Hash: 99F0903384120CAADF517BE5890277FBAA06F40734F258108F620EB2D1CB7C8A019B55

Function 00ECC53D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00ECCCFB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00ECCD91
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00ECCDB3

Memory Dump Source

Source File: 00000000.00000002.1309320525.0000000000ECB000.00000040.00000020.00020000.00000000.sdmp, Offset: 00ECB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ecb000_Invoice OMS.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 282d440d23347d33a5333bc70feb3b77e7ffa06fe9f8fdc76eda24defaf3804a
Instruction ID: 697526aa7d9c4d29c3258b29a0d4d874ab1ffb64332c85c6e4aea60be84caf4d
Opcode Fuzzy Hash: 282d440d23347d33a5333bc70feb3b77e7ffa06fe9f8fdc76eda24defaf3804a
Instruction Fuzzy Hash: D512CF24E14658C6EB24DF64D8507DEB232EF68300F1060ED910DEB7A5E77B5E81CB5A

Function 00AF2957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00AF2A0B

Part of subcall function 00AF7C0E: __getptd_noexit.LIBCMT ref: 00AF7C0E

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: d09793af0f1f257b88c5b526af35c44187c8389d5f5264a17ffdeb250e55ddc6
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: D541937160170E9FDB289FE9C8C16BE7BB6AF443A0B24852DFA55C7244EBB0DD418B40

Function 00AEED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00AEEDC7

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 33edd4b1a788ac8424220eaca19400f88434d594fbbdfb9b651dad01104c4a72
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 4231D674A00146DBD718DF5AC8C0A69FBB6FF49340B6486A5E409CB356DB31EDC1CB90

Function 00B3040F Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B30519

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f7ea4faea13020c8bf98ff7d715d2bfca135c84bdf77ed988b34917bf806d562
Instruction ID: 340b138c6f7b6a391c60f74e287c211f7a51cfd34a809895708cbe0eb06de051
Opcode Fuzzy Hash: f7ea4faea13020c8bf98ff7d715d2bfca135c84bdf77ed988b34917bf806d562
Instruction Fuzzy Hash: 5A319E36204928DFCF05AF05D0E066E7BB1FF98320F21848AEA951B386DB70A901CF81

Function 00B49A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00B49A80

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 89c10da7d33dd2753e137f13a025b69ba32b7e1f2c09a37c2239b6291d665497
Instruction ID: 2af2ed2774097cd52bd33ec75aba4474ed5972c8b860fb95919a204abf35e6b0
Opcode Fuzzy Hash: 89c10da7d33dd2753e137f13a025b69ba32b7e1f2c09a37c2239b6291d665497
Instruction Fuzzy Hash: 2B413A745046518FDB24DF19C484B1ABBE0FF45308F2989ACE99A4B362C776F885CF52

Function 00AD41A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD4214: FreeLibrary.KERNEL32(00000000,?), ref: 00AD4247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00AD39FE,?,00000001), ref: 00AD41DB

Part of subcall function 00AD4291: FreeLibrary.KERNEL32(00000000), ref: 00AD42C4

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: eff272471e8412d9dc0e3171a872bdbdad122d7c600cf66dd9257722765692fe
Instruction ID: 4ebd78d2831ca1cd4f8fa334155bbafb927025ec4be762a0ae3d6601f94e1aeb
Opcode Fuzzy Hash: eff272471e8412d9dc0e3171a872bdbdad122d7c600cf66dd9257722765692fe
Instruction Fuzzy Hash: B111A331600306ABDF10AB74DE16FEE77F99F48700F10842AB597AA2C1EF70DA459B60

Function 00B49B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00B49B51

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: b25435e9d16e9ce2253be7e294abda0f11b6b4694658480dd74065f210350748
Instruction ID: 2231920ef147beebae4a8ba285631c7947326f8cbc220cdd9eaceb1860a09901
Opcode Fuzzy Hash: b25435e9d16e9ce2253be7e294abda0f11b6b4694658480dd74065f210350748
Instruction Fuzzy Hash: 3D21F6705086458FDB24EF65C584E1ABBF1BF84304F2589A8E9964B261C772E885CF52

Function 00AFAF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 00AFAFC0

Part of subcall function 00AF7BDA: __getptd_noexit.LIBCMT ref: 00AF7BDA

Part of subcall function 00AF7C0E: __getptd_noexit.LIBCMT ref: 00AF7C0E

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: 4bb1cd2e9fc2e1a90c3c8985b845b2d8030d16064ce35a2457ae05ee734ebc55
Instruction ID: 7de5df5380501a65e98f95f6ad25905d3fb4ed549bcd989865006cac39473f8a
Opcode Fuzzy Hash: 4bb1cd2e9fc2e1a90c3c8985b845b2d8030d16064ce35a2457ae05ee734ebc55
Instruction Fuzzy Hash: C4116D728156189FD7127FE8CA4277D7A70AF42331F194240F6755F1E2CBB489018BB1

Function 00AD39DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e908df7db2011151d19b897d4a4948494f90a1a3426dd436a38c65c5f4b6a17e
Instruction ID: ee82f6a6b67b3fba36109123911ebee1c9f2cb4d95f33b0638fec3b44aab7bb9
Opcode Fuzzy Hash: e908df7db2011151d19b897d4a4948494f90a1a3426dd436a38c65c5f4b6a17e
Instruction Fuzzy Hash: EF01863150010DAFCF04EFA4C9828FEBFB4EF14344F408066B522972A5EA309B49DB60

Function 00AF2AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00AF2AED

Part of subcall function 00AF7C0E: __getptd_noexit.LIBCMT ref: 00AF7C0E

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 6801d55aea08258f1d2ae3264db0aa758e9de9da07abe3a453dad08134b9e3d4
Instruction ID: e48712ac99d7a873326a21bf2148661192bd5c4205887ad9dafcd5f1c0d6f02f
Opcode Fuzzy Hash: 6801d55aea08258f1d2ae3264db0aa758e9de9da07abe3a453dad08134b9e3d4
Instruction Fuzzy Hash: DFF0C23150060DABEF21BFE5CD023BF76A1BF00350F148415F6109B1A1C778CA12DB41

Function 00AD4252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,00AD39FE,?,00000001), ref: 00AD4286

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 46542015cabc252b88b0d75361f955c314c66cc990f21388c0dac242293d1b11
Instruction ID: 364b3a6faed0813aadaf9d44a5c2ad8feea5a9b86269cb3c7c123527e2613b72
Opcode Fuzzy Hash: 46542015cabc252b88b0d75361f955c314c66cc990f21388c0dac242293d1b11
Instruction Fuzzy Hash: 49F015B1505702CFCB349F64D8908A6BBF4AF183263248A6FF1D782610C7329980DB50

Function 00AD40A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00AD40C6

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 2c65621bc82ef0b93da1819b9b7fe9da14b50bf4d7624008233865a89481c019
Instruction ID: 1bb62ed6d50cd2f5b3feedba85c6811270a043c14842c8ac461231564d28d9ac
Opcode Fuzzy Hash: 2c65621bc82ef0b93da1819b9b7fe9da14b50bf4d7624008233865a89481c019
Instruction Fuzzy Hash: 8DE0CD365002255BC7119694CC46FFA77ADDF886D0F0501B5F905E7354DD749DC18690

Function 00ECD53C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00ECD551

Memory Dump Source

Source File: 00000000.00000002.1309320525.0000000000ECB000.00000040.00000020.00020000.00000000.sdmp, Offset: 00ECB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ecb000_Invoice OMS.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 1d6ba0f452e1155bb6bbe627c2e66123b4b9141181cfb22c5ec0b6bfde00214d
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: C8E09A7494410DEFDB00EFA4DA496AE7BB4EF04301F1005A5FD05E7680DA319A558A62

Function 00ECD540 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00ECD551

Memory Dump Source

Source File: 00000000.00000002.1309320525.0000000000ECB000.00000040.00000020.00020000.00000000.sdmp, Offset: 00ECB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ecb000_Invoice OMS.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: deb4c14359349a1cb97614173193f9c7090747603803e6b819d0fbee4e5024ba
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 87E0E67494410DDFDB00EFB4DA496AE7FB4EF04301F100165FD01E2280D6319E50CA62

Non-executed Functions

Function 00B3F7FF Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 630windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00AEB34E: GetWindowLongW.USER32(?,000000EB), ref: 00AEB35F

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 00B3F87D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B3F8DC
GetWindowLongW.USER32(?,000000F0), ref: 00B3F919
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B3F940
SendMessageW.USER32 ref: 00B3F966
_wcsncpy.LIBCMT ref: 00B3F9D2
GetKeyState.USER32(00000011), ref: 00B3F9F3
GetKeyState.USER32(00000009), ref: 00B3FA00
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B3FA16
GetKeyState.USER32(00000010), ref: 00B3FA20
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B3FA4F
SendMessageW.USER32 ref: 00B3FA72
SendMessageW.USER32(?,00001030,?,00B3E059), ref: 00B3FB6F
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 00B3FB85
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00B3FB96
SetCapture.USER32(?), ref: 00B3FB9F
ClientToScreen.USER32(?,?), ref: 00B3FC03
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00B3FC0F
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 00B3FC29
ReleaseCapture.USER32 ref: 00B3FC34
GetCursorPos.USER32(?), ref: 00B3FC69
ScreenToClient.USER32(?,?), ref: 00B3FC76
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B3FCD8
SendMessageW.USER32 ref: 00B3FD02
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B3FD41
SendMessageW.USER32 ref: 00B3FD6C
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B3FD84
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B3FD8F
GetCursorPos.USER32(?), ref: 00B3FDB0
ScreenToClient.USER32(?,?), ref: 00B3FDBD
GetParent.USER32(?), ref: 00B3FDD9
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B3FE3F
SendMessageW.USER32 ref: 00B3FE6F
ClientToScreen.USER32(?,?), ref: 00B3FEC5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B3FEF1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B3FF19
SendMessageW.USER32 ref: 00B3FF3C
ClientToScreen.USER32(?,?), ref: 00B3FF86
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B3FFB6
GetWindowLongW.USER32(?,000000F0), ref: 00B4004B

Strings

@GUI_DRAGID, xrefs: 00B3FBCC
F, xrefs: 00B3FF42

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 2516578528-4164748364
Opcode ID: 9ba7b8afdfe4fcf7a1fbdbff84ef3aeeeccf163ec9ef04e15fb9c50486f763bf
Instruction ID: 7217ac46b8768e6ecbfdfaea48334721bf1c58a027b92fb0cae9139c75729bdd
Opcode Fuzzy Hash: 9ba7b8afdfe4fcf7a1fbdbff84ef3aeeeccf163ec9ef04e15fb9c50486f763bf
Instruction Fuzzy Hash: 13329A74A04346EFDB24CF68C884B6ABBE4FF48354F240AA9F695872A1CB30DC45DB51

Function 00B3AACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00B3B1CD

Strings

%d/%02d/%02d, xrefs: 00B3AEFC

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: d1542b5c612c4787a6119b60c4a90800b006bf8d4ab42c890f61506898fcb481
Instruction ID: 037e348adcdac069836c256a78591358599d176300714c04cd78a19d56ebbcd5
Opcode Fuzzy Hash: d1542b5c612c4787a6119b60c4a90800b006bf8d4ab42c890f61506898fcb481
Instruction Fuzzy Hash: 0D12C071500208ABEB249F64CC89FAE7BF8FF45710F2042A9FA55EB2D5DB709942CB11

Function 00AEEB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 00AEEB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B43AEA
IsIconic.USER32(000000FF), ref: 00B43AF3
ShowWindow.USER32(000000FF,00000009), ref: 00B43B00
SetForegroundWindow.USER32(000000FF), ref: 00B43B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B43B20
GetCurrentThreadId.KERNEL32 ref: 00B43B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00B43B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00B43B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00B43B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 00B43B54
SetForegroundWindow.USER32(000000FF), ref: 00B43B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B43B6C
keybd_event.USER32(00000012,00000000), ref: 00B43B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B43B81
keybd_event.USER32(00000012,00000000), ref: 00B43B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B43B8F
keybd_event.USER32(00000012,00000000), ref: 00B43B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B43B9E
keybd_event.USER32(00000012,00000000), ref: 00B43BA3
SetForegroundWindow.USER32(000000FF), ref: 00B43BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 00B43BCD

Strings

Shell_TrayWnd, xrefs: 00B43AE5

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 805b96f2248ec5ee379999a9a149fe40c8429baad1a4b0ac5f7bf43f2ada706b
Instruction ID: 36aabdff5d46899dd88c3dfa41a95eaca7f239be514ab8ca9e17b68b1da10ac1
Opcode Fuzzy Hash: 805b96f2248ec5ee379999a9a149fe40c8429baad1a4b0ac5f7bf43f2ada706b
Instruction Fuzzy Hash: 1731A571A403187BEB306B659C89F7F3EACEB44B51F144195FA04EB1D0DAB05E01ABA0

Function 00B160DD Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B16EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B15FA6,?), ref: 00B16ED8

Part of subcall function 00B16EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B15FA6,?), ref: 00B16EF1

Part of subcall function 00B1725E: __wsplitpath.LIBCMT ref: 00B1727B
Part of subcall function 00B1725E: __wsplitpath.LIBCMT ref: 00B1728E

Part of subcall function 00B172CB: GetFileAttributesW.KERNEL32(?,00B16019), ref: 00B172CC

_wcscat.LIBCMT ref: 00B16149
_wcscat.LIBCMT ref: 00B16167
__wsplitpath.LIBCMT ref: 00B1618E
FindFirstFileW.KERNEL32(?,?), ref: 00B161A4
_wcscpy.LIBCMT ref: 00B16209
_wcscat.LIBCMT ref: 00B1621C
_wcscat.LIBCMT ref: 00B1622F
lstrcmpiW.KERNEL32(?,?), ref: 00B1625D
DeleteFileW.KERNEL32(?), ref: 00B1626E
MoveFileW.KERNEL32(?,?), ref: 00B16289
MoveFileW.KERNEL32(?,?), ref: 00B16298
CopyFileW.KERNEL32(?,?,00000000), ref: 00B162AD
DeleteFileW.KERNEL32(?), ref: 00B162BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B162E1
FindClose.KERNEL32(00000000), ref: 00B162FD
FindClose.KERNEL32(00000000), ref: 00B1630B

Strings

p1Mw`KNw, xrefs: 00B161BA
\*.*, xrefs: 00B16138, 00B16147, 00B16165

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*$p1Mw`KNw
API String ID: 1917200108-2160596699
Opcode ID: 79715feb4eba034aaa3929497a6e897fddebe45127b11b1abbbbd94f16f708d9
Instruction ID: 9b4948926ac6f9d66b21df7859184d2ef858a039b2a6d5b90c605a402cb49118
Opcode Fuzzy Hash: 79715feb4eba034aaa3929497a6e897fddebe45127b11b1abbbbd94f16f708d9
Instruction Fuzzy Hash: BE51007280821C6ACB21EBA5DC44EEB77FCAF05300F4505E6E545E3141EE769B89CFA4

Function 00B26B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00B6DC00), ref: 00B26B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 00B26B44
GetClipboardData.USER32(0000000D), ref: 00B26B4C
CloseClipboard.USER32 ref: 00B26B58
GlobalLock.KERNEL32(00000000), ref: 00B26B74
CloseClipboard.USER32 ref: 00B26B7E
GlobalUnlock.KERNEL32(00000000), ref: 00B26B93
IsClipboardFormatAvailable.USER32(00000001), ref: 00B26BA0
GetClipboardData.USER32(00000001), ref: 00B26BA8
GlobalLock.KERNEL32(00000000), ref: 00B26BB5
GlobalUnlock.KERNEL32(00000000), ref: 00B26BE9
CloseClipboard.USER32 ref: 00B26CF6

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 115da885216d9c8851213a4df3b4f516ca739afa254ac367c40978082105a3cf
Instruction ID: 12ac3139a77b616befeb9191dfb06a6272efc01765ecb959918d980ab0b9e330
Opcode Fuzzy Hash: 115da885216d9c8851213a4df3b4f516ca739afa254ac367c40978082105a3cf
Instruction Fuzzy Hash: 635182712403016BD310BF60DD8AF6E77E8EF44B11F4006AAF65AD72E1DF60D806CA62

Function 00B1F5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B1F62B
FindClose.KERNEL32(00000000), ref: 00B1F67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B1F6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B1F6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B1F6E2
__swprintf.LIBCMT ref: 00B1F72E
__swprintf.LIBCMT ref: 00B1F767
__swprintf.LIBCMT ref: 00B1F7BB

Part of subcall function 00AF172B: __woutput_l.LIBCMT ref: 00AF1784

__swprintf.LIBCMT ref: 00B1F809
__swprintf.LIBCMT ref: 00B1F858
__swprintf.LIBCMT ref: 00B1F8A7
__swprintf.LIBCMT ref: 00B1F8F6

Strings

%02d, xrefs: 00B1F7B0, 00B1F7B9, 00B1F807, 00B1F856, 00B1F8A5, 00B1F8F4
%4d%02d%02d%02d%02d%02d, xrefs: 00B1F728
%4d, xrefs: 00B1F761

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: 471c471f352d267ddcf82875b745a5cc82922a71e2f21ceb77d2d19b0a8a5d2f
Instruction ID: 8fbb3db13aded65eadd48b64a473bab1154f75bd292619f95bbdeb4840101e00
Opcode Fuzzy Hash: 471c471f352d267ddcf82875b745a5cc82922a71e2f21ceb77d2d19b0a8a5d2f
Instruction Fuzzy Hash: B5A1FFB2508345ABC310EBA5C985DAFB7ECEF94704F84092EF59683152EB34D949CB62

Function 00B21B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 00B21B50
_wcscmp.LIBCMT ref: 00B21B65
_wcscmp.LIBCMT ref: 00B21B7C
GetFileAttributesW.KERNEL32(?), ref: 00B21B8E
SetFileAttributesW.KERNEL32(?,?), ref: 00B21BA8
FindNextFileW.KERNEL32(00000000,?), ref: 00B21BC0
FindClose.KERNEL32(00000000), ref: 00B21BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 00B21BE7
_wcscmp.LIBCMT ref: 00B21C0E
_wcscmp.LIBCMT ref: 00B21C25
SetCurrentDirectoryW.KERNEL32(?), ref: 00B21C37
SetCurrentDirectoryW.KERNEL32(00B839FC), ref: 00B21C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B21C5F
FindClose.KERNEL32(00000000), ref: 00B21C6C
FindClose.KERNEL32(00000000), ref: 00B21C7C

Strings

*.*, xrefs: 00B21BE2

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 3bc9022dc667397435e316182b9f1873863b4417af6fdfa55912887bd1847646
Instruction ID: 400c3320f681ff5b9665bc89ee0a455faea11ba72c449347ab80ed5673061189
Opcode Fuzzy Hash: 3bc9022dc667397435e316182b9f1873863b4417af6fdfa55912887bd1847646
Instruction Fuzzy Hash: E731C535500229AADF20AFE4EC49BDE77ECDF15311F1046E5F905E30A0EB74DA458B64

Function 00B21C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 00B21CAB
_wcscmp.LIBCMT ref: 00B21CC0
_wcscmp.LIBCMT ref: 00B21CD7

Part of subcall function 00B16BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00B16BEF

FindNextFileW.KERNEL32(00000000,?), ref: 00B21D06
FindClose.KERNEL32(00000000), ref: 00B21D11
FindFirstFileW.KERNEL32(*.*,?), ref: 00B21D2D
_wcscmp.LIBCMT ref: 00B21D54
_wcscmp.LIBCMT ref: 00B21D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 00B21D7D
SetCurrentDirectoryW.KERNEL32(00B839FC), ref: 00B21D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B21DA5
FindClose.KERNEL32(00000000), ref: 00B21DB2
FindClose.KERNEL32(00000000), ref: 00B21DC2

Strings

*.*, xrefs: 00B21D28

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 1a0464c04507a385d02d80483d61dc8326bafff50648139c82f22c5c5b15a37b
Instruction ID: 75e052358dd27b4e125786082d5812c2222c5c5c0db22789ea8fda6b294a4cc2
Opcode Fuzzy Hash: 1a0464c04507a385d02d80483d61dc8326bafff50648139c82f22c5c5b15a37b
Instruction Fuzzy Hash: B531D83150062AAACF20AFA4EC49ADE77ECDF55364F104AE1F905A30A0DB71DE45CB64

Function 00B2091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00B209DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B209EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B209FB
__wsplitpath.LIBCMT ref: 00B20A59
_wcscat.LIBCMT ref: 00B20A71
_wcscat.LIBCMT ref: 00B20A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B20A98
SetCurrentDirectoryW.KERNEL32(?), ref: 00B20AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 00B20ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 00B20AFF
_wcscpy.LIBCMT ref: 00B20B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B20B4A

Strings

*.*, xrefs: 00B20B05

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: ace784991150dd45fb21bb891a3650b706c01b04c35848b121cf281b2a8239b6
Instruction ID: 458960c109d34d56ece7ad3fee93af1c78231a1ed2398bea9f8f38740ffdce26
Opcode Fuzzy Hash: ace784991150dd45fb21bb891a3650b706c01b04c35848b121cf281b2a8239b6
Instruction Fuzzy Hash: 446189725083159FC710EF64D984AAEB3E8FF89310F04499EF98AC7252DB31E945CB92

Function 00B0A66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00B0ABD7
Part of subcall function 00B0ABBB: GetLastError.KERNEL32(?,00B0A69F,?,?,?), ref: 00B0ABE1
Part of subcall function 00B0ABBB: GetProcessHeap.KERNEL32(00000008,?,?,00B0A69F,?,?,?), ref: 00B0ABF0
Part of subcall function 00B0ABBB: HeapAlloc.KERNEL32(00000000,?,00B0A69F,?,?,?), ref: 00B0ABF7
Part of subcall function 00B0ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00B0AC0E

Part of subcall function 00B0AC56: GetProcessHeap.KERNEL32(00000008,00B0A6B5,00000000,00000000,?,00B0A6B5,?), ref: 00B0AC62
Part of subcall function 00B0AC56: HeapAlloc.KERNEL32(00000000,?,00B0A6B5,?), ref: 00B0AC69
Part of subcall function 00B0AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00B0A6B5,?), ref: 00B0AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B0A6D0
_memset.LIBCMT ref: 00B0A6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B0A704
GetLengthSid.ADVAPI32(?), ref: 00B0A715
GetAce.ADVAPI32(?,00000000,?), ref: 00B0A752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B0A76E
GetLengthSid.ADVAPI32(?), ref: 00B0A78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00B0A79A
HeapAlloc.KERNEL32(00000000), ref: 00B0A7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B0A7C2
CopySid.ADVAPI32(00000000), ref: 00B0A7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B0A7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B0A820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B0A834

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 54051919214d9debaf26ab05e795847118634cce0b02a753f6c54031e625911e
Instruction ID: 7ad02c3249cdd09b91d9d0f9016d4e4feb84e7333e6565f3a2e2d20f17d183c4
Opcode Fuzzy Hash: 54051919214d9debaf26ab05e795847118634cce0b02a753f6c54031e625911e
Instruction Fuzzy Hash: 21514971900309ABDF10DFA5DC54AEEBBB9FF04300F0486A9F911AB291DB349A06CB61

Function 00B163F9 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B16EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B15FA6,?), ref: 00B16ED8

Part of subcall function 00B172CB: GetFileAttributesW.KERNEL32(?,00B16019), ref: 00B172CC

_wcscat.LIBCMT ref: 00B16441
__wsplitpath.LIBCMT ref: 00B1645F
FindFirstFileW.KERNEL32(?,?), ref: 00B16474
_wcscpy.LIBCMT ref: 00B164A3
_wcscat.LIBCMT ref: 00B164B8
_wcscat.LIBCMT ref: 00B164CA
DeleteFileW.KERNEL32(?), ref: 00B164DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B164EB
FindClose.KERNEL32(00000000), ref: 00B16506

Strings

p1Mw`KNw, xrefs: 00B164DA
\*.*, xrefs: 00B1643B

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*$p1Mw`KNw
API String ID: 2643075503-2160596699
Opcode ID: c08daf42b23e00f53ce3c56e45547433ecb372e5d51a31bbe52752fd92664453
Instruction ID: 30a819c05e7791ca620edd1ee4accdd6450334cd6fef543167fcb0b23553f8e1
Opcode Fuzzy Hash: c08daf42b23e00f53ce3c56e45547433ecb372e5d51a31bbe52752fd92664453
Instruction Fuzzy Hash: BE31B4B2408388AAC721DBE48885EEB77DCAF55300F400A6AF6D8C3142EA35D54987A7

Function 00AD6F07 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

UCP), xrefs: 00B52C8F
BSR_ANYCRLF), xrefs: 00B52EA0
LIMIT_MATCH=, xrefs: 00B52CF2
CRLF), xrefs: 00B52E43
NO_START_OPT), xrefs: 00B52CD1
LIMIT_RECURSION=, xrefs: 00B52D7E
CR), xrefs: 00B52E09
ANYCRLF), xrefs: 00B52E7D
ANY), xrefs: 00B52E60
BSR_UNICODE), xrefs: 00B52EBA
UTF16), xrefs: 00B52C56
UTF), xrefs: 00B52C7C
NO_AUTO_POSSESS), xrefs: 00B52CB0
LF), xrefs: 00B52E26

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 4cd72b624d5cb470ff57bef369447cfd33feeaf73e40957ad6135187895c5983
Instruction ID: 06b54b4a480547905ab636143afe1096de60be598f6b8b4e1175bc1a4518cd62
Opcode Fuzzy Hash: 4cd72b624d5cb470ff57bef369447cfd33feeaf73e40957ad6135187895c5983
Instruction Fuzzy Hash: 94726E71E042199BDB18CF58C8817AEB7F5FF09710F1481AAE816EB380EB749E45DB90

Function 00B331BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B33C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B32BB5,?,?), ref: 00B33C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B3328E

Part of subcall function 00AD936C: __swprintf.LIBCMT ref: 00AD93AB
Part of subcall function 00AD936C: __itow.LIBCMT ref: 00AD93DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B3332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00B333C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00B33604
RegCloseKey.ADVAPI32(00000000), ref: 00B33611

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 862041e59b1af99f0e7aa7eea7339d84d7d6fabc75e383ddbb387976971c308a
Instruction ID: c3a2b2339dfd7a17474ddd5e0faeb35b1dbd39da74870a15f9e8405a00190702
Opcode Fuzzy Hash: 862041e59b1af99f0e7aa7eea7339d84d7d6fabc75e383ddbb387976971c308a
Instruction Fuzzy Hash: FCE16B31604200AFCB15DF29C991E2BBBE8FF88710F1485ADF44ADB2A1DB31E905CB52

Function 00B12B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B12B5F
GetAsyncKeyState.USER32(000000A0), ref: 00B12BE0
GetKeyState.USER32(000000A0), ref: 00B12BFB
GetAsyncKeyState.USER32(000000A1), ref: 00B12C15
GetKeyState.USER32(000000A1), ref: 00B12C2A
GetAsyncKeyState.USER32(00000011), ref: 00B12C42
GetKeyState.USER32(00000011), ref: 00B12C54
GetAsyncKeyState.USER32(00000012), ref: 00B12C6C
GetKeyState.USER32(00000012), ref: 00B12C7E
GetAsyncKeyState.USER32(0000005B), ref: 00B12C96
GetKeyState.USER32(0000005B), ref: 00B12CA8

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 9641de125effbbdc4eaf68d314983215a7d758d5abd800aae6fc03d711317a03
Instruction ID: a0fa51f54383a1526dcde80b8a945096e925df18585f5404106d83c84492e828
Opcode Fuzzy Hash: 9641de125effbbdc4eaf68d314983215a7d758d5abd800aae6fc03d711317a03
Instruction Fuzzy Hash: D441E7345087CA6EFF359B6489043EABEE0EF21344F8440D9D6C6572C1EBA499E4C7E2

Function 00B26D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00B26D2E
EmptyClipboard.USER32 ref: 00B26D34
GlobalAlloc.KERNEL32(00000002,?), ref: 00B26D49
CloseClipboard.USER32 ref: 00B26DE8

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 759a7704e2a90a9dd23b75ccf8610c13d88364d104bb618b33185c3433072687
Instruction ID: 88cf70791072566f0b44bb5ee8107158741199c7f9e92e0f617df9fbd1c35f2c
Opcode Fuzzy Hash: 759a7704e2a90a9dd23b75ccf8610c13d88364d104bb618b33185c3433072687
Instruction Fuzzy Hash: 1A21A131300214AFDB11AF68ED49B2D77E8EF44751F0485AAF90ADB261CF71EC028B51

Function 00B2C18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 00B09ABF: CLSIDFromProgID.OLE32 ref: 00B09ADC
Part of subcall function 00B09ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00B09AF7
Part of subcall function 00B09ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00B09B05
Part of subcall function 00B09ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00B09B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00B2C235
_memset.LIBCMT ref: 00B2C242
_memset.LIBCMT ref: 00B2C360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 00B2C38C
CoTaskMemFree.OLE32(?), ref: 00B2C397

Strings

NULL Pointer assignment, xrefs: 00B2C3E5

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: e22df6bb6f2db6f58b05ecde24f2bc673542a35b18aff7b35a47ac1a8548fccf
Instruction ID: 3247872b83cceb37e1da3592d38c60f6fff4a5fbd4130447ca96c18c7f737ad7
Opcode Fuzzy Hash: e22df6bb6f2db6f58b05ecde24f2bc673542a35b18aff7b35a47ac1a8548fccf
Instruction Fuzzy Hash: D5912F71D00229EBDB10DF94EC95EEEBBB9EF04710F10815AF519A7291DB709A45CFA0

Function 00B21F94 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00B21FE1
Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00B22011
_wcscmp.LIBCMT ref: 00B22025
_wcscmp.LIBCMT ref: 00B22040
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00B220DE
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00B220F4

Strings

*.*, xrefs: 00B21FC3

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep
String ID: *.*
API String ID: 3356411064-438819550
Opcode ID: dd0075f5f832674bc267235eb9620ca98edeb2cf360c7b548ae5071f60ce457c
Instruction ID: 69950b7325f8aae156065276f89b39947083f01a301c5914e7bfb9ccd648938c
Opcode Fuzzy Hash: dd0075f5f832674bc267235eb9620ca98edeb2cf360c7b548ae5071f60ce457c
Instruction Fuzzy Hash: 4E417C7190021AAFCF14EFA4D945AEEBBB4FF05314F104596E919A3291DB709A84CB50

Function 00B179D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B0B180
Part of subcall function 00B0B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B0B1AD
Part of subcall function 00B0B134: GetLastError.KERNEL32 ref: 00B0B1BA

ExitWindowsEx.USER32(?,00000000), ref: 00B17A0F

Strings

SeShutdownPrivilege, xrefs: 00B179DD
, xrefs: 00B179FD
@, xrefs: 00B17A02

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: cd401c8aeaf95a42e0479ee767c62fdd93bbf151c2a415e4c2cdb8f5ca2786bd
Instruction ID: 8b0566786c94402291c8236d8ac72f5f32e159ea8282539b8fa87bcae2abce45
Opcode Fuzzy Hash: cd401c8aeaf95a42e0479ee767c62fdd93bbf151c2a415e4c2cdb8f5ca2786bd
Instruction Fuzzy Hash: 660188716F93116AE72856649C9ABFE76E8DF00741F6405E4B953A30D1DD615F8081A0

Function 00B28C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00B28CA8
WSAGetLastError.WSOCK32(00000000), ref: 00B28CB7
bind.WSOCK32(00000000,?,00000010), ref: 00B28CD3
listen.WSOCK32(00000000,00000005), ref: 00B28CE2
WSAGetLastError.WSOCK32(00000000), ref: 00B28CFC
closesocket.WSOCK32(00000000,00000000), ref: 00B28D10

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 9dc9f1c773e4efa7957ac11f31dd0bdc289169ec22ad3e92cb3b8d69f4561b0a
Instruction ID: 95020c4d64884d5302fb7eaa7c7fc8a0de3913f4cc122f551427b0849f25de87
Opcode Fuzzy Hash: 9dc9f1c773e4efa7957ac11f31dd0bdc289169ec22ad3e92cb3b8d69f4561b0a
Instruction Fuzzy Hash: 8621B4316012119FCB20EF68DD85B6E77E9EF48311F144199F91AA73D2CB70AD458B51

Function 00B0AF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00B0AFAE
OpenProcessToken.ADVAPI32(00000000), ref: 00B0AFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00B0AFC4
CloseHandle.KERNEL32(00000004), ref: 00B0AFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B0AFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 00B0B012

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 56e03cc06b60e856cebcce7e2a06dbe3632429405adf5123c89e621a5a17a1d8
Instruction ID: 597acd57fe3448e421fda48b60c811e2e9ec280f8fb60c944a5e82fd86b18d88
Opcode Fuzzy Hash: 56e03cc06b60e856cebcce7e2a06dbe3632429405adf5123c89e621a5a17a1d8
Instruction Fuzzy Hash: 6D21797210030AABDF129FA4DD49FAE7FE9EF48305F048495FA01A21A1D7769D60EB61

Function 00B16532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00B16554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00B16564
Process32NextW.KERNEL32(00000000,0000022C), ref: 00B16583
__wsplitpath.LIBCMT ref: 00B165A7
_wcscat.LIBCMT ref: 00B165BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00B165F9

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 14bab6dff26abfd6b2479eba51bf916b697cf93f3ed83158f3b52731744bc2ea
Instruction ID: b3112f9646da63a595da77c0bb08923272a8d22dcc32876462ec8cabd0f89e7d
Opcode Fuzzy Hash: 14bab6dff26abfd6b2479eba51bf916b697cf93f3ed83158f3b52731744bc2ea
Instruction Fuzzy Hash: 9021417190021CABDB20ABA4CD88BE9BBFDAB58300F5004E9F505E7141DB719FC5CB60

Function 00B2923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00B2A84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00B29296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 00B292B9

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: d22d98133ccdfe3db2d149b8c0d2cdaff0bd9cd1e940ff07d685bcb2ccf8fba5
Instruction ID: ce35e56c62ff9987699c5c65b4838070958a0673651b9142018f98454c6c02bc
Opcode Fuzzy Hash: d22d98133ccdfe3db2d149b8c0d2cdaff0bd9cd1e940ff07d685bcb2ccf8fba5
Instruction Fuzzy Hash: 4441EF71A00210AFDB10BB68C982F7E77EDEF48324F14458DF91AAB382DA749D018B91

Function 00B1EB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B1EB8A
_wcscmp.LIBCMT ref: 00B1EBBA
_wcscmp.LIBCMT ref: 00B1EBCF
FindNextFileW.KERNEL32(00000000,?), ref: 00B1EBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00B1EC0E

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 7999437af15898700dfe67dec4e2776c9872a16c575b924adcb7dcb1f7a172fe
Instruction ID: ad8164aeb7b2c70df2a19c9c7592b2eac319dac6bfab1f34047f3dc6f82bd87c
Opcode Fuzzy Hash: 7999437af15898700dfe67dec4e2776c9872a16c575b924adcb7dcb1f7a172fe
Instruction Fuzzy Hash: D541BE35604702CFC718DF68C891AAAB7E4FF49324F10459DF96A8B3A1DB31E980CB91

Function 00B38111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00B38160
IsWindowEnabled.USER32 ref: 00B3816E
GetForegroundWindow.USER32(?,?,00000001), ref: 00B3817B
IsIconic.USER32 ref: 00B38189
IsZoomed.USER32 ref: 00B38197

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: cc2acb6e83ab508889b54637735de5692a86854f93bbde7336d84347b0416a30
Instruction ID: baa85511af30018b03fdf3ed42d0843adca9016a61ce59324f5e76ea46794312
Opcode Fuzzy Hash: cc2acb6e83ab508889b54637735de5692a86854f93bbde7336d84347b0416a30
Instruction Fuzzy Hash: 9A11B231300B116BE7211F26DC44B6F7BDCEF58761F1404A9F84AE7241CF70A90386A2

Function 00AD9B60 Relevance: 7.3, Strings: 5, Instructions: 1055COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00AD9ED4
VUUU, xrefs: 00AD9E95
ERCP, xrefs: 00AD9C32
VUUU, xrefs: 00AD9EA7
VUUU, xrefs: 00B5BE14

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 31ac34fa93cce68e06128fbafb5cba6318fc3106381981247e330a54d3baea77
Instruction ID: aae3e831900c67961cf3be3434a745bbf13b6eb8a671027625c5c0dddebfd00e
Opcode Fuzzy Hash: 31ac34fa93cce68e06128fbafb5cba6318fc3106381981247e330a54d3baea77
Instruction Fuzzy Hash: 19925C71A0021ACBDF24CF58C880BAEB7B2FB54315F1481EAE856AB380D7759D85DF91

Function 00AEE01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AEE014,774D0AE0,00AEDEF1,00B6DC38,?,?), ref: 00AEE02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00AEE03E

Strings

GetNativeSystemInfo, xrefs: 00AEE038
kernel32.dll, xrefs: 00AEE027

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: d6990c2db3eb9eeaf25cc518e4e6deaed270fb06913faf602560dd5cb74074c9
Instruction ID: 00fb556e6ab3a58c0d6b6a98360ff11eee7da5b14351cabace6ea38e499bafec
Opcode Fuzzy Hash: d6990c2db3eb9eeaf25cc518e4e6deaed270fb06913faf602560dd5cb74074c9
Instruction Fuzzy Hash: CFD0C770540B139FD7369F75EC0875276D4EB04712F184599F495E3570DBB4D880CB54

Function 00B113CA Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00B113DC

Strings

(, xrefs: 00B11422
|, xrefs: 00B1140C

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: d9b54886b44c2e8327ded9cb864ffefbe44889b4b431f28416ace72a9340b83a
Instruction ID: 402362640e2efdf19dd236c4c97466c113ec0a049fcbd1703f09d4e3477b4955
Opcode Fuzzy Hash: d9b54886b44c2e8327ded9cb864ffefbe44889b4b431f28416ace72a9340b83a
Instruction Fuzzy Hash: C1323775A007059FC728CF69C4809AAB7F1FF48710B51C9AEE59ADB3A1D770E981CB44

Function 00AEB11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 00AEB34E: GetWindowLongW.USER32(?,000000EB), ref: 00AEB35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 00AEB22F

Part of subcall function 00AEB55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00AEB5A5

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: 615e0736245e412178d398b53564d792eeb5bdf946c04f15be6f08c589176df6
Instruction ID: 228d81135e91c791d9713cc292ed013655622309463f8c20238a5ef42a12e6fb
Opcode Fuzzy Hash: 615e0736245e412178d398b53564d792eeb5bdf946c04f15be6f08c589176df6
Instruction Fuzzy Hash: AAA14670534186BADB286B2F5C8DEFF29ACFF52350F10065AF612D6691DB25DE00E272

Function 00B24EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00B243BF,00000000), ref: 00B24FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00B24FD2

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: f0f94ac8d42669b46fa2b490fe28136cc9c54dc63c94981a6c0b6aa701e873d4
Instruction ID: cccdd7ee79b97eb64ec4e9fee6e1c424473c8649b38c1a20ff21744aa3efc93c
Opcode Fuzzy Hash: f0f94ac8d42669b46fa2b490fe28136cc9c54dc63c94981a6c0b6aa701e873d4
Instruction Fuzzy Hash: 2C41D671504619BFEB219E84ED81EBF77FCEB80754F1040AAF20DA6580DB719E419AA0

Function 00B1E1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B1E20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00B1E267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00B1E2B4

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: b6fcaacb77eb7b1d07f544d1c68c74a892f89cdcd4fd24200d06c6f80589c280
Instruction ID: 075f62f2b86b3f4da27baaab89d671f49c50085243dee74a5f295dd05d303f17
Opcode Fuzzy Hash: b6fcaacb77eb7b1d07f544d1c68c74a892f89cdcd4fd24200d06c6f80589c280
Instruction Fuzzy Hash: 19212A35A00618EFCB00EFA5D985AEDBBF8FF48310F1484AAE905AB251DB31D945CB50

Function 00B0B134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00AEF4EA: std::exception::exception.LIBCMT ref: 00AEF51E
Part of subcall function 00AEF4EA: __CxxThrowException@8.LIBCMT ref: 00AEF533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B0B180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B0B1AD
GetLastError.KERNEL32 ref: 00B0B1BA

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 7ec31ca091cae283543ab185a53e3170ca2c4b0bedcb324ca020a562a6adec63
Instruction ID: 205e258c4118e934f903c2334817043b27a55e3fb692c72035bd8620a9ed73a4
Opcode Fuzzy Hash: 7ec31ca091cae283543ab185a53e3170ca2c4b0bedcb324ca020a562a6adec63
Instruction Fuzzy Hash: 1711BFB1410304AFE728AF54DCC5D2BBBFCEF44310B2085AEE056A7280DB70FC418A60

Function 00B16685 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00B166AF
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 00B166EC
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00B166F5

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 4abf0cf7a1181eecfdf4134ff1a482eed1cd00e661e9e4290eed39e2a01816a5
Instruction ID: 6b5105845cc77c8cdb05da1c2dd58e91ecfc925b97eb9fcf012530cd4b19621b
Opcode Fuzzy Hash: 4abf0cf7a1181eecfdf4134ff1a482eed1cd00e661e9e4290eed39e2a01816a5
Instruction Fuzzy Hash: 19118EB2D00228BEE7118BA8DC45FEFBBECEB09714F104696F901E7190C2B49E4487A5

Function 00B171FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00B17223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00B1723A
FreeSid.ADVAPI32(?), ref: 00B1724A

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 64b8a66d3c9bdbde1bb2c8dd0614aa31649a4733af305f58eebc2cecc71f40ee
Instruction ID: 4986e396fc1d3ad354e5e156112f6b7e72e76f6edffe4fabc9401b9fa7b03124
Opcode Fuzzy Hash: 64b8a66d3c9bdbde1bb2c8dd0614aa31649a4733af305f58eebc2cecc71f40ee
Instruction Fuzzy Hash: 78F01275944309BFDF04DFE4DD99AEDBBB8EF08301F5045A9A502E31D1E6705645CB10

Function 00B1F56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B1F599
FindClose.KERNEL32(00000000), ref: 00B1F5C9

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: eac17c5a9c85da29edee37b9aa9afe49801fa7e4043cd87fa4b493a38e0fcb8f
Instruction ID: 32fd1886a82262dd00ecf837461f59ef1e784077418c66cb537f0f1fc115cdbd
Opcode Fuzzy Hash: eac17c5a9c85da29edee37b9aa9afe49801fa7e4043cd87fa4b493a38e0fcb8f
Instruction Fuzzy Hash: 5D11A1326006019FD710EF29D845A6EB7E9FF94325F00895EF8A5D7291CB70AD018B91

Function 00B1CE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00B2BE6A,?,?,00000000,?), ref: 00B1CEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00B2BE6A,?,?,00000000,?), ref: 00B1CEB9

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 0df61fed3ddd4bca3c03f9277f5f6a715abe3d61796500dae883117df08361bb
Instruction ID: 8de76f23f02267e509aac3b0e97e435ea0410b46808878f5278af5fb3f2dacc4
Opcode Fuzzy Hash: 0df61fed3ddd4bca3c03f9277f5f6a715abe3d61796500dae883117df08361bb
Instruction Fuzzy Hash: 96F08271100329BBDB209FA4DC49FEA776DFF083A1F0041A6F915D7181DA70AA80CBA1

Function 00B1411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00B14153
keybd_event.USER32(?,7707C0D0,?,00000000), ref: 00B14166

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: b3567f547b90e3a3dbc8857224a87c4e81dabf5883a4197efe8ccb995956f044
Instruction ID: c3262b33563228212ca00db30872e99c9ff988c8a8452de1345b4dbc9678f091
Opcode Fuzzy Hash: b3567f547b90e3a3dbc8857224a87c4e81dabf5883a4197efe8ccb995956f044
Instruction Fuzzy Hash: 1DF06D7080034DAFEB059FA0C805BFE7FB0EF10305F008049F965AA191D77986529FA0

Function 00B0AB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B0ACC0), ref: 00B0AB99
CloseHandle.KERNEL32(?,?,00B0ACC0), ref: 00B0ABAB

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 999d6086438380b988203d05e77e9dc18fce9cae9fc4dc824e688af13a350c46
Instruction ID: 503a91bd18087b7ab43d358696479a2c59fceb26c6061f42b871772434a95205
Opcode Fuzzy Hash: 999d6086438380b988203d05e77e9dc18fce9cae9fc4dc824e688af13a350c46
Instruction Fuzzy Hash: 3EE0E671000610AFE7252F55ED05D777BE9EF0432172089A9F45981470DB635C90DB50

Function 00AF81AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00AF6DB3,-0000031A,?,?,00000001), ref: 00AF81B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00AF81BA

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a91e676a017f509aa60cc21610fb29472e167b8d18207652201991e9c3d17914
Instruction ID: e846c2c4444afbe38602585d2baa6ccc627c1ac06ecb848195528d722d9cd5db
Opcode Fuzzy Hash: a91e676a017f509aa60cc21610fb29472e167b8d18207652201991e9c3d17914
Instruction Fuzzy Hash: E0B09231144708ABDB502BA1EC09B587F68EB08653F004190F60D860718FB255508A9A

Function 00AD77B0 Relevance: 2.6, APIs: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AD7921

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 7e0c4f9bfb0c6f4a5ab0d25a36c52535ac1fed122f491d77f34e88329769ba87
Instruction ID: ed8b6ccb8852b35df005d89b206d553928e74f1053523701429a2aee2564d36b
Opcode Fuzzy Hash: 7e0c4f9bfb0c6f4a5ab0d25a36c52535ac1fed122f491d77f34e88329769ba87
Instruction Fuzzy Hash: 07A22A75904219CFDB28CF58C4807ADBBF1FF48314F2581AAD85AAB391E7349E85DB50

Function 00AD7FA3 Relevance: 2.3, APIs: 1, Instructions: 806COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AD7921

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 55a4864a91d7bfb8b23967414fede8c18cc1ac1bc4e9ae209e5950b28ec4cdf1
Instruction ID: 031f2509734daee8415581c13a91e40a7875a36557d7e712345fb70f292f3469
Opcode Fuzzy Hash: 55a4864a91d7bfb8b23967414fede8c18cc1ac1bc4e9ae209e5950b28ec4cdf1
Instruction Fuzzy Hash: FA724975900219DBCB28CF58C4807ADB7B2FF49315F2585EADC56AB390E734AE85CB90

Function 00AFD1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f5efc9108bc031f6dc5c1eea88649761e4d512ace2770f71489644171828bde
Instruction ID: bd6e9a2f7318dbe6ed5d801783b4d8b0d3a24005d55bfe655759506ba21b33ad
Opcode Fuzzy Hash: 1f5efc9108bc031f6dc5c1eea88649761e4d512ace2770f71489644171828bde
Instruction Fuzzy Hash: C7320421D29F054DE7239634CC62336A299AFB73D4F15D727F819B6DA6EF69C8834100

Function 00AD96C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 3860eabd3b1fc3407ed62274e27d2e6a2f8fc68b303fd85c18ba300333364d6c
Instruction ID: e5f7f7a992616d1e588fbb63beed14ffb943f96899becfd8e17cd5324ad4eada
Opcode Fuzzy Hash: 3860eabd3b1fc3407ed62274e27d2e6a2f8fc68b303fd85c18ba300333364d6c
Instruction Fuzzy Hash: 092268726083419FD724DF14C991BABBBE4EF84710F10491EF89A9B3A1DB71E945CB82

Function 00B0038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65927c261fee16b1d91134193490fe47596529e815fd7eec5ef7ffb3cc3d41ad
Instruction ID: ae9218e0c64190c98b2021294af2c64a54fc779ffb676507b1733346c6b9ce98
Opcode Fuzzy Hash: 65927c261fee16b1d91134193490fe47596529e815fd7eec5ef7ffb3cc3d41ad
Instruction Fuzzy Hash: 89B11130D2AF414DC32396398831336BA9CAFBB2D5F91D71BFC1A71DA2EB2581934180

Function 00B1B6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00B1B6DF

Part of subcall function 00AF344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00B1BDC3,00000000,?,?,?,?,00B1BF70,00000000,?), ref: 00AF3453
Part of subcall function 00AF344A: __aulldiv.LIBCMT ref: 00AF3473

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: ada0818587bbe6856eb48543b05ebd60eea6767c4e85cdd5829a3aa042eb06d5
Instruction ID: b68f6606ceba2e4ad3f7581977e8eea99fcfadc411c42a6a08e0b2d43db7845d
Opcode Fuzzy Hash: ada0818587bbe6856eb48543b05ebd60eea6767c4e85cdd5829a3aa042eb06d5
Instruction Fuzzy Hash: 5421AF726345108BC729CF68C881AA2F7E1EB95710B648E7DE4E5CB2C0CB74BE45CB54

Function 00B26AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00B26ACA

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: c16839546c1022bf79677c7640bf1cd23ff8bd6352ddfb0760f7225000bf2552
Instruction ID: dc5f21f58cf7b01aa9c714760b61ed8d44058b40235b3db83a23a2e31805a3d0
Opcode Fuzzy Hash: c16839546c1022bf79677c7640bf1cd23ff8bd6352ddfb0760f7225000bf2552
Instruction Fuzzy Hash: B9E048362002146FC700EF59D504E96B7ECEFB5751F04C456F94AD7361DAB0F8048B90

Function 00B174BB Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00B174DE

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: d565dd6a18ab0a7d66678ce82e56ddcbf4950ab4958ae216da680678e1075927
Instruction ID: e5a231e49ce17b65103816d0a08cf3e0d1f3bd6eef067396087835e4549daffc
Opcode Fuzzy Hash: d565dd6a18ab0a7d66678ce82e56ddcbf4950ab4958ae216da680678e1075927
Instruction Fuzzy Hash: DBD067A56AC70569F9690724DC1FFF619A8F3207C1FD492C9B582CB6C1BC9058C59122

Function 00B0B106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00B0AD3E), ref: 00B0B124

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 12aa20067d74b02f97acdc782f349ffe0075f2d0f305daa16196678fa4704af5
Instruction ID: 9c102b9702c3a0cb635c473088da554e54a43e505183e5d913f47fcd0a57dc53
Opcode Fuzzy Hash: 12aa20067d74b02f97acdc782f349ffe0075f2d0f305daa16196678fa4704af5
Instruction Fuzzy Hash: A4D09E321A464EAEDF125FA4DC06EAF3F6AEB04701F448511FA15D60A1C675D532EB50

Function 00B4B340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 00B4B352

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 3c954514f070fc56961eabc8a234b410bf2dce4b0bf8ebbd10b8917687dfcb95
Instruction ID: 2f99d49db02257a8a3b4fba8b9505982a8bbf1cc2bcdd752cc3272cbf7321e7b
Opcode Fuzzy Hash: 3c954514f070fc56961eabc8a234b410bf2dce4b0bf8ebbd10b8917687dfcb95
Instruction Fuzzy Hash: 9DC04CB1400109DFC751CBC0CD88AEEB7BCAB04301F1441D19105F2150DB709B459B72

Function 00AF8189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00AF818F

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b8d7acd418338d6b1f4212f17d4732d6a0c585c1f745ed786428e2748d476027
Instruction ID: 59c73e286d75eda6b27fe060f9ab2f65f4405050f5c1b1620b7e20ff57843a89
Opcode Fuzzy Hash: b8d7acd418338d6b1f4212f17d4732d6a0c585c1f745ed786428e2748d476027
Instruction Fuzzy Hash: 49A0113000020CAB8F002B82EC088883F2CEA002A2B0000A0F80C020208B22A8A08A8A

Function 00ADE3B0 Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9efd512486f2a53855d69d4620f9acfade7c259f7e0343dfabb13c7e5fa5c020
Instruction ID: 39384c238d649908a29a63003de5195986111d2493d99a94888126bc75913864
Opcode Fuzzy Hash: 9efd512486f2a53855d69d4620f9acfade7c259f7e0343dfabb13c7e5fa5c020
Instruction Fuzzy Hash: E922AE74A04205DFDB24EF58C490AAEB7F1FF18304F24816AE95AAF351E735AD81CB91

Function 00AD93F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8745edaafb3aaf8be82910e67801a97da974af885266f92c280b42214fd78a2b
Instruction ID: df33f88ee672cb87388270db869d6b00427da5c9e9adbb0d33195e4c4da8c637
Opcode Fuzzy Hash: 8745edaafb3aaf8be82910e67801a97da974af885266f92c280b42214fd78a2b
Instruction Fuzzy Hash: D6127A70A00209AFDF04DFA5DA81AAEB7F5FF48300F50856AE806E7255EB35EE14DB54

Function 00ADAF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: 62a488efdf06990fed8ddf5c91095120b72319471918724f652d26b68d7cff05
Instruction ID: 831697da6dff40a96fcaf22ec20dfe8553c2304961970f7810856b6cc07984a4
Opcode Fuzzy Hash: 62a488efdf06990fed8ddf5c91095120b72319471918724f652d26b68d7cff05
Instruction Fuzzy Hash: B6028F70A00209DBCF04DF69D981AAEB7F5EF48300F5580AAF806DB395EB31DA15DB91

Function 00AF02A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 1dbf2d12d3e535bd705aab5dcfa7f74060df058a6474e9a50d82b8ed2042e67e
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: F5C1A5322051D70EDF6D477A883483EFAA19AA17B171A076DE8B3CB4D6EF20D524D620

Function 00AF06D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: 1f544af8567deb65c48ba40622c86fa19ccf2bf2d8cf66f2cd9ea06a6f529869
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: 8DC193322051D70DDF2D477A887483EFAA19AA2BB171B176DE4B3CB4D6EF20D524D620

Function 00AEFE6F Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 9390130a8f4901919a53995a384f814350244f4e58fe748cd30dfff4b8118011
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 8EC191322051D70EDF2D473A883493EFAA19AA27B171B076DE4B3CB5D6EF20D564D620

Function 00AEFA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: a5a5badc4f223b972ebb3597961dca30c9b71881a119be421d6449f241ea0911
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 13C16A322090D30EDF2D473B887443EBAA19AA2BB571A077DD8B3CB5D5EE20D564D620

Function 00ECE900 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1309320525.0000000000ECB000.00000040.00000020.00020000.00000000.sdmp, Offset: 00ECB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ecb000_Invoice OMS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 6ce25c98183ce6923856678efff12069e7d5d782bf3b00b60d40ccbaaf710faf
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: CB41B371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB50

Function 00ECE7F0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1309320525.0000000000ECB000.00000040.00000020.00020000.00000000.sdmp, Offset: 00ECB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ecb000_Invoice OMS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 9cfd37edd3b2288f10d2eb8b5f591ca36f3e340e524077920b8f9158ff4efbb1
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: D2018079A00209EFCB58DF98C6909AEF7B5FB48310B648599E809A7301D731AE42DB80

Function 00ECE790 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1309320525.0000000000ECB000.00000040.00000020.00020000.00000000.sdmp, Offset: 00ECB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ecb000_Invoice OMS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 649781335f524550b825a885a8e8bc8b8e53dff3d6754445bc592c2b86184e48
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: FF019278A00209EFCB44DF98C690DAEF7F5FB58310F20859AE809A7741D731AE42DB80

Function 00ECD110 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1309320525.0000000000ECB000.00000040.00000020.00020000.00000000.sdmp, Offset: 00ECB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ecb000_Invoice OMS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00B3D285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00B3D2DB
GetSysColorBrush.USER32(0000000F), ref: 00B3D30C
GetSysColor.USER32(0000000F), ref: 00B3D318
SetBkColor.GDI32(?,000000FF), ref: 00B3D332
SelectObject.GDI32(?,00000000), ref: 00B3D341
InflateRect.USER32(?,000000FF,000000FF), ref: 00B3D36C
GetSysColor.USER32(00000010), ref: 00B3D374
CreateSolidBrush.GDI32(00000000), ref: 00B3D37B
FrameRect.USER32(?,?,00000000), ref: 00B3D38A
DeleteObject.GDI32(00000000), ref: 00B3D391
InflateRect.USER32(?,000000FE,000000FE), ref: 00B3D3DC
FillRect.USER32(?,?,00000000), ref: 00B3D40E
GetWindowLongW.USER32(?,000000F0), ref: 00B3D439

Part of subcall function 00B3D575: GetSysColor.USER32(00000012), ref: 00B3D5AE
Part of subcall function 00B3D575: SetTextColor.GDI32(?,?), ref: 00B3D5B2
Part of subcall function 00B3D575: GetSysColorBrush.USER32(0000000F), ref: 00B3D5C8
Part of subcall function 00B3D575: GetSysColor.USER32(0000000F), ref: 00B3D5D3
Part of subcall function 00B3D575: GetSysColor.USER32(00000011), ref: 00B3D5F0
Part of subcall function 00B3D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B3D5FE
Part of subcall function 00B3D575: SelectObject.GDI32(?,00000000), ref: 00B3D60F
Part of subcall function 00B3D575: SetBkColor.GDI32(?,00000000), ref: 00B3D618
Part of subcall function 00B3D575: SelectObject.GDI32(?,?), ref: 00B3D625
Part of subcall function 00B3D575: InflateRect.USER32(?,000000FF,000000FF), ref: 00B3D644
Part of subcall function 00B3D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B3D65B
Part of subcall function 00B3D575: GetWindowLongW.USER32(00000000,000000F0), ref: 00B3D670
Part of subcall function 00B3D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B3D698

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 530fa8740897e75e8f456d5ec0a87331023f299f39cb0b65afcad43fd6bda17f
Instruction ID: 6b7e91e1804b8cd7f4abd0ccb2fc39aecf771f3f1cb65edcc4e56eccf0a2fd40
Opcode Fuzzy Hash: 530fa8740897e75e8f456d5ec0a87331023f299f39cb0b65afcad43fd6bda17f
Instruction Fuzzy Hash: 27914D71408301AFD7219F64EC48B6BBBE9FB89326F200B59F562971E0DB71D944CB52

Function 00AEB8FD Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00AEB98B
DeleteObject.GDI32(00000000), ref: 00AEB9CD
DeleteObject.GDI32(00000000), ref: 00AEB9D8
DestroyIcon.USER32(00000000), ref: 00AEB9E3
DestroyWindow.USER32(00000000), ref: 00AEB9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 00B4D2AA
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00B4D2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00B4D711

Part of subcall function 00AEB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AEB759,?,00000000,?,?,?,?,00AEB72B,00000000,?), ref: 00AEBA58

SendMessageW.USER32 ref: 00B4D758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00B4D76F
ImageList_Destroy.COMCTL32(00000000), ref: 00B4D785
ImageList_Destroy.COMCTL32(00000000), ref: 00B4D790

Strings

0, xrefs: 00B4D5A5

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 1d5ddb5b52287768cc14801546bb5ae25459e7f9dd4436bc3cb8758e281aa06e
Instruction ID: 4a9b18cb7961129f4e52f7f689b88fc87067afde959b9f287d88f6b00fa556b4
Opcode Fuzzy Hash: 1d5ddb5b52287768cc14801546bb5ae25459e7f9dd4436bc3cb8758e281aa06e
Instruction Fuzzy Hash: EE128E30204251DFDB21CF25C998BAABBF5FF05305F1445A9E989CB662CB31ED42DBA1

Function 00B1DBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B1DBD6
GetDriveTypeW.KERNEL32(?,00B6DC54,?,\\.\,00B6DC00), ref: 00B1DCC3
SetErrorMode.KERNEL32(00000000,00B6DC54,?,\\.\,00B6DC00), ref: 00B1DE29

Strings

SCSI, xrefs: 00B1DD93
Fibre, xrefs: 00B1DDB6
PhysicalDrive, xrefs: 00B1DC67
\\.\, xrefs: 00B1DC2B
Removable, xrefs: 00B1DD15
iSCSI, xrefs: 00B1DDCB
USB, xrefs: 00B1DDBD
MMC, xrefs: 00B1DDE7
ATAPI, xrefs: 00B1DD9A
RAID, xrefs: 00B1DDC4
Virtual, xrefs: 00B1DDEE
SSA, xrefs: 00B1DDAF
CDROM, xrefs: 00B1DCF7
Network, xrefs: 00B1DD01
RAMDisk, xrefs: 00B1DCED
1394, xrefs: 00B1DDA8
ATA, xrefs: 00B1DDA1
SATA, xrefs: 00B1DDD9
SAS, xrefs: 00B1DDD2
Fixed, xrefs: 00B1DD0B
FileBackedVirtual, xrefs: 00B1DDF5
Unknown, xrefs: 00B1DCE3, 00B1DD8C
SSD, xrefs: 00B1DD50

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: d0c41c8ff62e3aac595441d8e94f78d0011af9052f90a34551bb641057d28ca6
Instruction ID: b8155fd53961fbb847d58d2038c9e85f32b96a227c6c0524c725b0ba984c0054
Opcode Fuzzy Hash: d0c41c8ff62e3aac595441d8e94f78d0011af9052f90a34551bb641057d28ca6
Instruction Fuzzy Hash: 6E51B470248302EBC710EF14D9C19AAB7E1FB94F11BA449EAF447972B1DB60D9C6DB42

Function 00ADCC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00ADCC68
__wcsnicmp.LIBCMT ref: 00ADCC80
__wcsnicmp.LIBCMT ref: 00ADCC98
__wcsnicmp.LIBCMT ref: 00ADCCB0
__wcsnicmp.LIBCMT ref: 00ADCCC8
__wcsnicmp.LIBCMT ref: 00ADCCE0
__wcsnicmp.LIBCMT ref: 00ADCCF8
__wcsnicmp.LIBCMT ref: 00ADCD0C
__wcsnicmp.LIBCMT ref: 00ADCD4D
__wcsnicmp.LIBCMT ref: 00ADCD61
__wcsnicmp.LIBCMT ref: 00ADCD75
__wcsnicmp.LIBCMT ref: 00ADCD89

Strings

#include-once, xrefs: 00ADCCC2
#notrayicon, xrefs: 00ADCC7A
Cannot parse #include, xrefs: 00B42FA1
#OnAutoItStartRegister, xrefs: 00ADCCAA
#include, xrefs: 00ADCCDA
#pragma compile, xrefs: 00ADCC62
Unterminated group of comments, xrefs: 00B42FB4
#ce, xrefs: 00ADCD83
#comments-start, xrefs: 00ADCCF2, 00ADCD47
#requireadmin, xrefs: 00ADCC92
#cs, xrefs: 00ADCD06, 00ADCD5B
Bad directive syntax error, xrefs: 00B42ECB
#comments-end, xrefs: 00ADCD6F

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 851f63d7d5392aa6a0ad0c08dff8cad01f148f7a6d78e11a23f4ca3e77848ccb
Instruction ID: d26a81e49d090ac91490cecffbccc6699139f4b9a707e04180d2ebba4e0bbc30
Opcode Fuzzy Hash: 851f63d7d5392aa6a0ad0c08dff8cad01f148f7a6d78e11a23f4ca3e77848ccb
Instruction Fuzzy Hash: CD810B3064020AABCB10BF64CE42FBE77B9EF24750F840076F906A72D2EB60DA45D291

Function 00B3C6E9 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 00B3C788
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00B3C83E
SendMessageW.USER32(?,00001102,00000002,?), ref: 00B3C859
SendMessageW.USER32(?,000000F1,?,00000000), ref: 00B3CB15

Strings

0, xrefs: 00B3C89C

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: c9b88008f30cc6200d08ce63a1f072ffa2474b0451ae9965226c6db887efe93b
Instruction ID: 4a8f5f9c70f7d1d97148ee12e12e6c4dd8ba5ed2c646bcd15ce26c8a6e3647bc
Opcode Fuzzy Hash: c9b88008f30cc6200d08ce63a1f072ffa2474b0451ae9965226c6db887efe93b
Instruction Fuzzy Hash: E8F10371104305AFE7218F68CC89BAABFE4FF49354F240AADF598E62A1D774C941CB91

Function 00B3638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00B6DC00), ref: 00B36449

Strings

GETCURRENTLINE, xrefs: 00B36704
UNCHECK, xrefs: 00B366A1
ISVISIBLE, xrefs: 00B36455
GETLINECOUNT, xrefs: 00B366E4
ADDSTRING, xrefs: 00B36536
FINDSTRING, xrefs: 00B36596
DELSTRING, xrefs: 00B36569
TABLEFT, xrefs: 00B364A7
SETCURRENTSELECTION, xrefs: 00B365D6
GETSELECTED, xrefs: 00B366C1
CURRENTTAB, xrefs: 00B364DD
HIDEDROPDOWN, xrefs: 00B36520
EDITPASTE, xrefs: 00B3675B
ISCHECKED, xrefs: 00B36659
GETCURRENTCOL, xrefs: 00B36724
CHECK, xrefs: 00B3668B
GETLINE, xrefs: 00B3678B
SHOWDROPDOWN, xrefs: 00B36500
TABRIGHT, xrefs: 00B364BD
SENDCOMMANDID, xrefs: 00B367CA
GETCURRENTSELECTION, xrefs: 00B36603
ISENABLED, xrefs: 00B3648C
SELECTSTRING, xrefs: 00B36626

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: edff9b488229e33978092b34bfbd9b7088934deb95bb0a5c09059b8adbccdf8b
Instruction ID: f4d2aa509617275df7a469aab889b77be4035a8f607e9efaaca83015325bd3bc
Opcode Fuzzy Hash: edff9b488229e33978092b34bfbd9b7088934deb95bb0a5c09059b8adbccdf8b
Instruction Fuzzy Hash: 5AC185352046469BCB04FF14C691A6E77E5EF99344F6088D9F8865B3E2DB30ED4ACB81

Function 00B3D575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00B3D5AE
SetTextColor.GDI32(?,?), ref: 00B3D5B2
GetSysColorBrush.USER32(0000000F), ref: 00B3D5C8
GetSysColor.USER32(0000000F), ref: 00B3D5D3
CreateSolidBrush.GDI32(?), ref: 00B3D5D8
GetSysColor.USER32(00000011), ref: 00B3D5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B3D5FE
SelectObject.GDI32(?,00000000), ref: 00B3D60F
SetBkColor.GDI32(?,00000000), ref: 00B3D618
SelectObject.GDI32(?,?), ref: 00B3D625
InflateRect.USER32(?,000000FF,000000FF), ref: 00B3D644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B3D65B
GetWindowLongW.USER32(00000000,000000F0), ref: 00B3D670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B3D698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00B3D6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 00B3D6DD
DrawFocusRect.USER32(?,?), ref: 00B3D6E8
GetSysColor.USER32(00000011), ref: 00B3D6F6
SetTextColor.GDI32(?,00000000), ref: 00B3D6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00B3D712
SelectObject.GDI32(?,00B3D2A5), ref: 00B3D729
DeleteObject.GDI32(?), ref: 00B3D734
SelectObject.GDI32(?,?), ref: 00B3D73A
DeleteObject.GDI32(?), ref: 00B3D73F
SetTextColor.GDI32(?,?), ref: 00B3D745
SetBkColor.GDI32(?,?), ref: 00B3D74F

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 9aa1fcd2ce8e83176613b8208b98790f49d6b6ba6814b28440dc5906f1e64a62
Instruction ID: 2b3430593a24bf7c2789a3a3bdbc04bc3b204ba21188b3d11f355e8b89b43178
Opcode Fuzzy Hash: 9aa1fcd2ce8e83176613b8208b98790f49d6b6ba6814b28440dc5906f1e64a62
Instruction Fuzzy Hash: 43513E71900208AFDF21AFA4DC48FAE7BB9FB08321F214655F915AB2A1DB719A40CF50

Function 00B3B6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00B3B7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B3B7C1
CharNextW.USER32(0000014E), ref: 00B3B7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00B3B831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B3B847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B3B858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00B3B875
SetWindowTextW.USER32(?,0000014E), ref: 00B3B8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00B3B8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B3B90E
_memset.LIBCMT ref: 00B3B933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00B3B97C
_memset.LIBCMT ref: 00B3B9DB
SendMessageW.USER32 ref: 00B3BA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 00B3BA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 00B3BB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 00B3BB2C
GetMenuItemInfoW.USER32(?), ref: 00B3BB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B3BBA3
DrawMenuBar.USER32(?), ref: 00B3BBB2
SetWindowTextW.USER32(?,0000014E), ref: 00B3BBDA

Strings

0, xrefs: 00B3BB4F

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 11dde4d9acf78e057c497a44112c0b26e064ea2eaa97964d71da7574d475d173
Instruction ID: 6698c03e08659ad4677b977c7c6e912938eca96fdbbfff33080f6658dfcbb333
Opcode Fuzzy Hash: 11dde4d9acf78e057c497a44112c0b26e064ea2eaa97964d71da7574d475d173
Instruction Fuzzy Hash: 88E17175900218AFDF209F65CC85EEE7BB8EF05714F208196FA19AB195DB708A41DF60

Function 00B3764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B3778A
GetDesktopWindow.USER32 ref: 00B3779F
GetWindowRect.USER32(00000000), ref: 00B377A6
GetWindowLongW.USER32(?,000000F0), ref: 00B37808
DestroyWindow.USER32(?), ref: 00B37834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B3785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B3787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00B378A1
SendMessageW.USER32(?,00000421,?,?), ref: 00B378B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00B378C9
IsWindowVisible.USER32(?), ref: 00B378E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00B37904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00B37918
GetWindowRect.USER32(?,?), ref: 00B37930
MonitorFromPoint.USER32(?,?,00000002), ref: 00B37956
GetMonitorInfoW.USER32 ref: 00B37970
CopyRect.USER32(?,?), ref: 00B37987
SendMessageW.USER32(?,00000412,00000000), ref: 00B379F2

Strings

0, xrefs: 00B37735
tooltips_class32, xrefs: 00B37856
(, xrefs: 00B37965

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 834ca61fc145a4e728530fe177046a047aeb5804f54568755b8a143847d8fed1
Instruction ID: b19719b478b5a9149f3a417744d19498a6f3af86e2ca41c85406a2afcfb70564
Opcode Fuzzy Hash: 834ca61fc145a4e728530fe177046a047aeb5804f54568755b8a143847d8fed1
Instruction Fuzzy Hash: 4FB1B3B1648301AFD714DF65C988B6ABBE4FF88310F108A5DF5999B291DB70EC05CB92

Function 00B16CE9 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00B16CFB
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00B16D21
_wcscpy.LIBCMT ref: 00B16D4F
_wcscmp.LIBCMT ref: 00B16D5A
_wcscat.LIBCMT ref: 00B16D70
_wcsstr.LIBCMT ref: 00B16D7B
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00B16D97
_wcscat.LIBCMT ref: 00B16DE0
_wcscat.LIBCMT ref: 00B16DE7
_wcsncpy.LIBCMT ref: 00B16E12

Strings

StringFileInfo\, xrefs: 00B16D6A
%u.%u.%u.%u, xrefs: 00B16E75
DefaultLangCodepage, xrefs: 00B16DFA
04090000, xrefs: 00B16DCD
\VarFileInfo\Translation, xrefs: 00B16D8F

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: aa0f2f876062446423e4f45174844ec81902ac2e0da0463233a8eb7a2b5e5a56
Instruction ID: abf11ec7dd18d0cbd4c6b7f6056b0ee9f9226fea6004d82a483b1521dbe334a2
Opcode Fuzzy Hash: aa0f2f876062446423e4f45174844ec81902ac2e0da0463233a8eb7a2b5e5a56
Instruction Fuzzy Hash: E741E572A00208BBE700BBB49E47EBF77ECDF45710F1401A5FA01A6192EA759A11D7A1

Function 00AEA856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AEA939
GetSystemMetrics.USER32(00000007), ref: 00AEA941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AEA96C
GetSystemMetrics.USER32(00000008), ref: 00AEA974
GetSystemMetrics.USER32(00000004), ref: 00AEA999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00AEA9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 00AEA9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00AEA9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00AEAA0D
GetClientRect.USER32(00000000,000000FF), ref: 00AEAA2B
GetStockObject.GDI32(00000011), ref: 00AEAA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 00AEAA52

Part of subcall function 00AEB63C: GetCursorPos.USER32(000000FF), ref: 00AEB64F
Part of subcall function 00AEB63C: ScreenToClient.USER32(00000000,000000FF), ref: 00AEB66C
Part of subcall function 00AEB63C: GetAsyncKeyState.USER32(00000001), ref: 00AEB691
Part of subcall function 00AEB63C: GetAsyncKeyState.USER32(00000002), ref: 00AEB69F

SetTimer.USER32(00000000,00000000,00000028,00AEAB87), ref: 00AEAA79

Strings

AutoIt v3 GUI, xrefs: 00AEA9F1

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 31885964dd1125ecac64a2eba2d93147730ec43ea5d3bd738d0f0bfdb6e2e523
Instruction ID: 5e4354fa618c3daf096bf27474125418a6a3c87235da2294496bcdbfb42f4749
Opcode Fuzzy Hash: 31885964dd1125ecac64a2eba2d93147730ec43ea5d3bd738d0f0bfdb6e2e523
Instruction Fuzzy Hash: 73B19971A0030AAFDB14DFA9DD49BAE7BB4FB18311F114269FA15E7290DB30E840DB51

Function 00AD2EC0 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00AD2F7A
IsWindow.USER32(?), ref: 00B422FD

Strings

LAST, xrefs: 00B420B6
HANDLE, xrefs: 00B420E2
ACTIVE, xrefs: 00B420CC
INSTANCE, xrefs: 00B4223C
TITLE, xrefs: 00B42292
REGEXPTITLE, xrefs: 00B420F8
REGEXPCLASS, xrefs: 00B42149
CLASS, xrefs: 00B42128
ALL, xrefs: 00B42264

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 62970417-1919597938
Opcode ID: c1ba9b5d786ce031a67c0897b659c9340a0fe02c773a89c80528f34e7713d7b8
Instruction ID: faaace54002f01845c465c9a1aaf9eb75741398e385ea041ce00ca46d0eb210d
Opcode Fuzzy Hash: c1ba9b5d786ce031a67c0897b659c9340a0fe02c773a89c80528f34e7713d7b8
Instruction Fuzzy Hash: 68D1E831104742DFCB04EF54C581AAABBF0FF58340F504A9DF456936A1DB70EA9AEB91

Function 00B33639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B33735
RegCreateKeyExW.ADVAPI32(?,?,00000000,00B6DC00,00000000,?,00000000,?,?), ref: 00B337A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00B337EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00B33874
RegCloseKey.ADVAPI32(?), ref: 00B33B94
RegCloseKey.ADVAPI32(00000000), ref: 00B33BA1

Strings

REG_SZ, xrefs: 00B338B2
REG_EXPAND_SZ, xrefs: 00B33811
REG_DWORD, xrefs: 00B33A65
REG_QWORD, xrefs: 00B33AE2
REG_MULTI_SZ, xrefs: 00B3395C
REG_BINARY, xrefs: 00B33B2F

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: f26c48518956ca56c14bf15110415c4b2a67f48d1649db205b8333c6c50c5504
Instruction ID: f16c6c12dec96e22de87ddfc26fe4be0fee7444ffc9d082627f9cab27c96d54e
Opcode Fuzzy Hash: f26c48518956ca56c14bf15110415c4b2a67f48d1649db205b8333c6c50c5504
Instruction Fuzzy Hash: CF024A752046019FCB14EF28C995E2AB7E5FF88720F14859DF99A9B3A1DB30ED01CB81

Function 00B36BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B36C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00B36D16

Strings

VIEWCHANGE, xrefs: 00B36ECD
SELECTINVERT, xrefs: 00B36DDE
FINDITEM, xrefs: 00B36E81
GETSELECTED, xrefs: 00B36E3C
GETTEXT, xrefs: 00B36CBF
SELECT, xrefs: 00B36DA8
GETITEMCOUNT, xrefs: 00B36C84
SELECTCLEAR, xrefs: 00B36D8D
DESELECT, xrefs: 00B36DFC
ISSELECTED, xrefs: 00B36D21
GETSUBITEMCOUNT, xrefs: 00B36CA1
GETSELECTEDCOUNT, xrefs: 00B36CF9
SELECTALL, xrefs: 00B36D75

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 2db8f6d5532a103f90d5192194684a0ec9e72d88769e208c1e3c908a92ae4372
Instruction ID: 76d8b27728dea2a7411b11f79fdc116834c9cec1cb1717d0e570a822e0765ddc
Opcode Fuzzy Hash: 2db8f6d5532a103f90d5192194684a0ec9e72d88769e208c1e3c908a92ae4372
Instruction Fuzzy Hash: 43A14131204641AFCB14EF14C991A6AB7E5FF99314F6489ADF8565B3D2DB30EC0ACB81

Function 00B0CF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00B0CF91
__swprintf.LIBCMT ref: 00B0D032
_wcscmp.LIBCMT ref: 00B0D045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00B0D09A
_wcscmp.LIBCMT ref: 00B0D0D6
GetClassNameW.USER32(?,?,00000400), ref: 00B0D10D
GetDlgCtrlID.USER32(?), ref: 00B0D15F
GetWindowRect.USER32(?,?), ref: 00B0D195
GetParent.USER32(?), ref: 00B0D1B3
ScreenToClient.USER32(00000000), ref: 00B0D1BA
GetClassNameW.USER32(?,?,00000100), ref: 00B0D234
_wcscmp.LIBCMT ref: 00B0D248
GetWindowTextW.USER32(?,?,00000400), ref: 00B0D26E
_wcscmp.LIBCMT ref: 00B0D282

Strings

%s%u, xrefs: 00B0D02C

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: 45fdaadb39ed1107aef84e2a509869884f136c213f5b3313b4bd5501815d03ab
Instruction ID: 18af7148868816970b92329b777ada3e56c7a2ce0b898e093417ef902c8e6043
Opcode Fuzzy Hash: 45fdaadb39ed1107aef84e2a509869884f136c213f5b3313b4bd5501815d03ab
Instruction Fuzzy Hash: C8A1AE71604306ABD714DFA4C984FAABBE8FF44354F008659FA9A921D0DB30E946CB91

Function 00B0D8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00B0D8EB
_wcscmp.LIBCMT ref: 00B0D8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00B0D924
CharUpperBuffW.USER32(?,00000000), ref: 00B0D941
_wcscmp.LIBCMT ref: 00B0D95F
_wcsstr.LIBCMT ref: 00B0D970
GetClassNameW.USER32(00000018,?,00000400), ref: 00B0D9A8
_wcscmp.LIBCMT ref: 00B0D9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00B0D9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 00B0DA28
_wcscmp.LIBCMT ref: 00B0DA38
GetClassNameW.USER32(00000010,?,00000400), ref: 00B0DA60
GetWindowRect.USER32(00000004,?), ref: 00B0DAC9

Strings

ThumbnailClass, xrefs: 00B0D9B3, 00B0DA33
@, xrefs: 00B0D8C6

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 13317780d8ee47b179c550f5bdb2d9f71683aa162753db7d4d18dfddf98dd7fd
Instruction ID: 10f7e1bcd4a6dac94f20c54a09f49b35b0fdf9743f5ede6c4395bced054fb4ae
Opcode Fuzzy Hash: 13317780d8ee47b179c550f5bdb2d9f71683aa162753db7d4d18dfddf98dd7fd
Instruction Fuzzy Hash: 68819F311083059BDB11DF94C985FAA7FE8EF84314F0485AAFD8A9A0D6DB30DD46CBA1

Function 00B0D6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00B0D753

Strings

[LAST, xrefs: 00B0D800
LAST, xrefs: 00B0D718
[REGEXPTITLE:, xrefs: 00B0D77B
ACTIVE, xrefs: 00B0D72E
HANDLE=, xrefs: 00B0D74C
[CLASS:, xrefs: 00B0D7A3
REGEXP=, xrefs: 00B0D768
[ACTIVE, xrefs: 00B0D740
[HANDLE:, xrefs: 00B0D75F
[ALL, xrefs: 00B0D7F9
ALL, xrefs: 00B0D7E7
CLASSNAME=, xrefs: 00B0D790

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 10d476f7fbbe2073488c8429f18ce18a637f947c4ba075736ec08b5de71408a8
Instruction ID: 9d2e24167a3bb76f1a17c7703928e35b71bd07651deb5bc0e3ec286509f51770
Opcode Fuzzy Hash: 10d476f7fbbe2073488c8429f18ce18a637f947c4ba075736ec08b5de71408a8
Instruction Fuzzy Hash: F4313E31644209A6DB14FBA0DE53EAD7BE49F20754F6001AAF552711F1EB61AE04CB51

Function 00B0EA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00B0EAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00B0EAC2
SetWindowTextW.USER32(?,?), ref: 00B0EAD9
GetDlgItem.USER32(?,000003EA), ref: 00B0EAEE
SetWindowTextW.USER32(00000000,?), ref: 00B0EAF4
GetDlgItem.USER32(?,000003E9), ref: 00B0EB04
SetWindowTextW.USER32(00000000,?), ref: 00B0EB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00B0EB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00B0EB45
GetWindowRect.USER32(?,?), ref: 00B0EB4E
SetWindowTextW.USER32(?,?), ref: 00B0EBB9
GetDesktopWindow.USER32 ref: 00B0EBBF
GetWindowRect.USER32(00000000), ref: 00B0EBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00B0EC12
GetClientRect.USER32(?,?), ref: 00B0EC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00B0EC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00B0EC6F

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 58bd05171f6070d95bf52de00df34a3794367a10c87f771874e27a9686821d21
Instruction ID: 1221b9445c42a16a0e9ab2a5c950ac019e1702dc1513e8d22a8eb1b61d13d18d
Opcode Fuzzy Hash: 58bd05171f6070d95bf52de00df34a3794367a10c87f771874e27a9686821d21
Instruction Fuzzy Hash: FE512C71900709AFDB219FA8CD89B6EBFF5FF08705F004A68E596A25A0DB74E945CB10

Function 00B279B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00B279C6
LoadCursorW.USER32(00000000,00007F00), ref: 00B279D1
LoadCursorW.USER32(00000000,00007F03), ref: 00B279DC
LoadCursorW.USER32(00000000,00007F8B), ref: 00B279E7
LoadCursorW.USER32(00000000,00007F01), ref: 00B279F2
LoadCursorW.USER32(00000000,00007F81), ref: 00B279FD
LoadCursorW.USER32(00000000,00007F88), ref: 00B27A08
LoadCursorW.USER32(00000000,00007F80), ref: 00B27A13
LoadCursorW.USER32(00000000,00007F86), ref: 00B27A1E
LoadCursorW.USER32(00000000,00007F83), ref: 00B27A29
LoadCursorW.USER32(00000000,00007F85), ref: 00B27A34
LoadCursorW.USER32(00000000,00007F82), ref: 00B27A3F
LoadCursorW.USER32(00000000,00007F84), ref: 00B27A4A
LoadCursorW.USER32(00000000,00007F04), ref: 00B27A55
LoadCursorW.USER32(00000000,00007F02), ref: 00B27A60
LoadCursorW.USER32(00000000,00007F89), ref: 00B27A6B
GetCursorInfo.USER32(?), ref: 00B27A7B

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 50e6ed01fc8b6d0c16c78f5591f450ffc7fd1fc7e63503c20f678c04e3ed5ac1
Instruction ID: 14927a6f5f770819f534deed9bfa0ad20a4def89d6bed5729eb5d099f03be525
Opcode Fuzzy Hash: 50e6ed01fc8b6d0c16c78f5591f450ffc7fd1fc7e63503c20f678c04e3ed5ac1
Instruction Fuzzy Hash: A43118B1D4831A6ADF109FB69C8999FBFF8FF04750F50452AE50DE7280DA78A5008FA5

Function 00ADC833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 00AEE968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00ADC8B7,?,00002000,?,?,00000000,?,00AD419E,?,?,?,00B6DC00), ref: 00AEE984

Part of subcall function 00AD660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AD53B1,?,?,00AD61FF,?,00000000,00000001,00000000), ref: 00AD662F

__wsplitpath.LIBCMT ref: 00ADC93E

Part of subcall function 00AF1DFC: __wsplitpath_helper.LIBCMT ref: 00AF1E3C

_wcscpy.LIBCMT ref: 00ADC953
_wcscat.LIBCMT ref: 00ADC968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00ADC978
SetCurrentDirectoryW.KERNEL32(?), ref: 00ADCABE

Part of subcall function 00ADB337: _wcscpy.LIBCMT ref: 00ADB36F

Strings

AU3!, xrefs: 00ADC90C
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00B43098
EA06, xrefs: 00B430C9
Bad directive syntax error, xrefs: 00B43429
Error opening the file, xrefs: 00B430B4, 00B4313D
Unterminated string, xrefs: 00B43470
>>>AUTOIT SCRIPT<<<, xrefs: 00B4311B

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: ee2091670e324314db282674ae27c86567945949541cd4effeb6b683a595e9a8
Instruction ID: 5bc1186129ddecf3018765054c7797c46b7a34157115e8d65a6f7b1dad124793
Opcode Fuzzy Hash: ee2091670e324314db282674ae27c86567945949541cd4effeb6b683a595e9a8
Instruction Fuzzy Hash: 9A12BA715083419FC724EF24C981AAFBBE5EF98710F44096EF58A933A1DB30DA49DB52

Function 00B3CE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B3CEFB
DestroyWindow.USER32(?,?), ref: 00B3CF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00B3CFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B3D016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B3D025
DestroyWindow.USER32(?), ref: 00B3D042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00AD0000,00000000), ref: 00B3D075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B3D094
GetDesktopWindow.USER32 ref: 00B3D0A9
GetWindowRect.USER32(00000000), ref: 00B3D0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B3D0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B3D0DA

Part of subcall function 00AEB526: GetWindowLongW.USER32(?,000000EB), ref: 00AEB537

Strings

0, xrefs: 00B3CF1B
tooltips_class32, xrefs: 00B3CFED, 00B3D06E

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: 86d365885da58204ca20b2782273ce3cfbf9cd7dcae60947b19db2d984b21797
Instruction ID: 128d36966a5f430e278872573ede530ab96929e7ebe1d44aa25289cddd556f08
Opcode Fuzzy Hash: 86d365885da58204ca20b2782273ce3cfbf9cd7dcae60947b19db2d984b21797
Instruction Fuzzy Hash: 1371EEB0540305AFD724CF28DC94F667BF5EB88B04F244A5EF985872A1DB70E946DB22

Function 00B3F351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AEB34E: GetWindowLongW.USER32(?,000000EB), ref: 00AEB35F

DragQueryPoint.SHELL32(?,?), ref: 00B3F37A

Part of subcall function 00B3D7DE: ClientToScreen.USER32(?,?), ref: 00B3D807
Part of subcall function 00B3D7DE: GetWindowRect.USER32(?,?), ref: 00B3D87D
Part of subcall function 00B3D7DE: PtInRect.USER32(?,?,00B3ED5A), ref: 00B3D88D

SendMessageW.USER32(?,000000B0,?,?), ref: 00B3F3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B3F3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B3F411
_wcscat.LIBCMT ref: 00B3F441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B3F458
SendMessageW.USER32(?,000000B0,?,?), ref: 00B3F471
SendMessageW.USER32(?,000000B1,?,?), ref: 00B3F488
SendMessageW.USER32(?,000000B1,?,?), ref: 00B3F4AA
DragFinish.SHELL32(?), ref: 00B3F4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00B3F59C

Strings

@GUI_DRAGID, xrefs: 00B3F510
@GUI_DRAGFILE, xrefs: 00B3F54B
@GUI_DROPID, xrefs: 00B3F4D1

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 0bfe4f4300a9312ff3b21c6d57423b8d64832d41da2ca96c3044e7cefce3aaa4
Instruction ID: 9d78e6d1a7dcb0026ad15a4ad818e0cbac188addaff2bf7dc6ab87184b190a00
Opcode Fuzzy Hash: 0bfe4f4300a9312ff3b21c6d57423b8d64832d41da2ca96c3044e7cefce3aaa4
Instruction Fuzzy Hash: 9F614A71508301AFC711EF64DD85EAFBBF8EF88710F500A5EB595932A1DB709A09CB52

Function 00B1AAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00B1AB3D
VariantCopy.OLEAUT32(?,?), ref: 00B1AB46
VariantClear.OLEAUT32(?), ref: 00B1AB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00B1AC40
__swprintf.LIBCMT ref: 00B1AC70
VarR8FromDec.OLEAUT32(?,?), ref: 00B1AC9C
VariantInit.OLEAUT32(?), ref: 00B1AD4D
SysFreeString.OLEAUT32(00000016), ref: 00B1ADDF
VariantClear.OLEAUT32(?), ref: 00B1AE35
VariantClear.OLEAUT32(?), ref: 00B1AE44
VariantInit.OLEAUT32(00000000), ref: 00B1AE80

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00B1AC6A
Default, xrefs: 00B1ACFD

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: f51a25d77caef174b6df19a604e6eff85b588e7a5845efb1bdff91d3f0bbc839
Instruction ID: d532a6906b031b40274fa6ac7f2e3a55c14aadd31fda11431a74221a5dce1969
Opcode Fuzzy Hash: f51a25d77caef174b6df19a604e6eff85b588e7a5845efb1bdff91d3f0bbc839
Instruction Fuzzy Hash: 00D1D171606245DBDB209F65D885BEAB7F5FF04B00FA484D5E4099B280DB74FC80DBA2

Function 00B3716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B371FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B37247

Strings

EXPAND, xrefs: 00B372E1
ISCHECKED, xrefs: 00B373B2
UNCHECK, xrefs: 00B3740B
CHECK, xrefs: 00B37267
GETITEMCOUNT, xrefs: 00B37311
GETTOTALCOUNT, xrefs: 00B3722A
COLLAPSE, xrefs: 00B3728D
GETSELECTED, xrefs: 00B3733F
EXISTS, xrefs: 00B372B0
GETTEXT, xrefs: 00B37382
SELECT, xrefs: 00B373E0

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: e59b99fec17bc0dba6476dda8ea154c5898f83fa3944bd05b495c4116c599370
Instruction ID: af96af19e60c0ee3162f3253896d28d667b4e566d82df86417967fffba02c876
Opcode Fuzzy Hash: e59b99fec17bc0dba6476dda8ea154c5898f83fa3944bd05b495c4116c599370
Instruction Fuzzy Hash: 599162712447419BCB14FF14C991A6EBBE5AF99310F20489DF8566B3A2DF30ED46CB81

Function 00B3E4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00B3E5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00B3BEAF), ref: 00B3E607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B3E647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B3E68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B3E6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,?,00B3BEAF), ref: 00B3E6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B3E6DF
DestroyIcon.USER32(?,?,?,?,?,00B3BEAF), ref: 00B3E6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00B3E70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00B3E717

Part of subcall function 00AF0FA7: __wcsicmp_l.LIBCMT ref: 00AF1030

Strings

.icl, xrefs: 00B3E521
.dll, xrefs: 00B3E564
.exe, xrefs: 00B3E541

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 5ca6a1e4d0d1996997cd222e04accbaeedd16e26b99d083dc53cc3d260c13a4f
Instruction ID: 587a4a11b33b137dab26cb1fd3f94bda6f37c25971b03ae05bbee175ab9fcee7
Opcode Fuzzy Hash: 5ca6a1e4d0d1996997cd222e04accbaeedd16e26b99d083dc53cc3d260c13a4f
Instruction Fuzzy Hash: FD61B071500219FAEB24DF64CD46FBE77A8FB18715F204246F925E61D1EBB0E980CB60

Function 00B1D219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00AD936C: __swprintf.LIBCMT ref: 00AD93AB
Part of subcall function 00AD936C: __itow.LIBCMT ref: 00AD93DF

CharLowerBuffW.USER32(?,?), ref: 00B1D292
GetDriveTypeW.KERNEL32 ref: 00B1D2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B1D327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B1D35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B1D38C

Strings

type cdaudio alias cd wait, xrefs: 00B1D30A
close cd wait, xrefs: 00B1D377
wait, xrefs: 00B1D349
open , xrefs: 00B1D2EE
closed, xrefs: 00B1D2A6, 00B1D2AF
close, xrefs: 00B1D298
set cd door , xrefs: 00B1D32D
open, xrefs: 00B1D2B9

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: 95b739a09f7265da6ae0e449a279b48ea111027d38295334b4920967f0284caa
Instruction ID: 7f810b27c2cd7c529fa35ebbc58023c6b4e2e61f05b81c214c80a15917d87a0f
Opcode Fuzzy Hash: 95b739a09f7265da6ae0e449a279b48ea111027d38295334b4920967f0284caa
Instruction Fuzzy Hash: A6517B711047059FC700EF24C98196EB7F8EF88B58F50499EF896A7261DB31EE06CB92

Function 00B126BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00B43973,00000016,0000138C,00000016,?,00000016,00B6DDB4,00000000,?), ref: 00B126F1
LoadStringW.USER32(00000000,?,00B43973,00000016), ref: 00B126FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00B43973,00000016,0000138C,00000016,?,00000016,00B6DDB4,00000000,?,00000016), ref: 00B1271C
LoadStringW.USER32(00000000,?,00B43973,00000016), ref: 00B1271F
__swprintf.LIBCMT ref: 00B1276F
__swprintf.LIBCMT ref: 00B12780
_wprintf.LIBCMT ref: 00B12829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B12840

Strings

Error: , xrefs: 00B127F7
%s (%d) : ==> %s: %s %s, xrefs: 00B12824
Line %d:, xrefs: 00B1277A
^ ERROR, xrefs: 00B127D5
Line %d (File "%s"):, xrefs: 00B12769

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: f82cada295ebcb6d219c0d3c3b02c7da03e4dafb198376ee950b262ea588bfda
Instruction ID: b15795f27a0ebadf67a61e3937bdbf7f8d062bb128345b7fc1acadd559c60894
Opcode Fuzzy Hash: f82cada295ebcb6d219c0d3c3b02c7da03e4dafb198376ee950b262ea588bfda
Instruction Fuzzy Hash: 00411272800219BACB14FBE0DE86DEEB7B8EF14740F5001A6B502771A2DE345F55CB60

Function 00B1D0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B1D0D8
__swprintf.LIBCMT ref: 00B1D0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B1D137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00B1D15C
_memset.LIBCMT ref: 00B1D17B
_wcsncpy.LIBCMT ref: 00B1D1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00B1D1EC
CloseHandle.KERNEL32(00000000), ref: 00B1D1F7
RemoveDirectoryW.KERNEL32(?), ref: 00B1D200
CloseHandle.KERNEL32(00000000), ref: 00B1D20A

Strings

\??\%s, xrefs: 00B1D0F4
:, xrefs: 00B1D11B
\, xrefs: 00B1D110

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 3ca6f83528b258507c5e28f11238752d0a29d35c6e3ded484b2971451ea26630
Instruction ID: 56080e5c72cbc76076acf5435686f07c8e3bdcb7cd20a244bdfa0f0eec242dfd
Opcode Fuzzy Hash: 3ca6f83528b258507c5e28f11238752d0a29d35c6e3ded484b2971451ea26630
Instruction Fuzzy Hash: 083190B2500209ABDB21DFA0CC49FEB77FCEF88741F5041E6F619E2161EB7096858B24

Function 00B3E731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00B3BEF4,?,?), ref: 00B3E754
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00B3BEF4,?,?,00000000,?), ref: 00B3E76B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00B3BEF4,?,?,00000000,?), ref: 00B3E776
CloseHandle.KERNEL32(00000000,?,?,?,?,00B3BEF4,?,?,00000000,?), ref: 00B3E783
GlobalLock.KERNEL32(00000000), ref: 00B3E78C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00B3BEF4,?,?,00000000,?), ref: 00B3E79B
GlobalUnlock.KERNEL32(00000000), ref: 00B3E7A4
CloseHandle.KERNEL32(00000000,?,?,?,?,00B3BEF4,?,?,00000000,?), ref: 00B3E7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00B3BEF4,?,?,00000000,?), ref: 00B3E7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,00B5D9BC,?), ref: 00B3E7D5
GlobalFree.KERNEL32(00000000), ref: 00B3E7E5
GetObjectW.GDI32(00000000,00000018,?), ref: 00B3E809
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00B3E834
DeleteObject.GDI32(00000000), ref: 00B3E85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00B3E872

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 63602fdc97b1b2455a60fef39221f265141552a24e628faa0bb7b7829be7ee8d
Instruction ID: d4032f7df8e0ecb6fe17350e9fd17d93aba0768de4b856cff4539bbde8042080
Opcode Fuzzy Hash: 63602fdc97b1b2455a60fef39221f265141552a24e628faa0bb7b7829be7ee8d
Instruction Fuzzy Hash: 38412975600304FFDB219F65DC88EAA7BB8EB89712F204199F915E72A0DB319D41DB60

Function 00B205F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00B2076F
_wcscat.LIBCMT ref: 00B20787
_wcscat.LIBCMT ref: 00B20799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B207AE
SetCurrentDirectoryW.KERNEL32(?), ref: 00B207C2
GetFileAttributesW.KERNEL32(?), ref: 00B207DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 00B207F4
SetCurrentDirectoryW.KERNEL32(?), ref: 00B20806

Strings

*.*, xrefs: 00B20845

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 5375ec06e5286a392815cdb37827b2887aabd9159ccdfb7fd48f979a967832da
Instruction ID: bf518e61083118dee0bc8e9bf74ce51eba63697e8b913f52a28e4977a5cdfb80
Opcode Fuzzy Hash: 5375ec06e5286a392815cdb37827b2887aabd9159ccdfb7fd48f979a967832da
Instruction Fuzzy Hash: E681B0715143159FCB21EF64D88496FB7E8FBD8300F14886EF88AD7252EB30D9458B92

Function 00B3EEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AEB34E: GetWindowLongW.USER32(?,000000EB), ref: 00AEB35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B3EF3B
GetFocus.USER32 ref: 00B3EF4B
GetDlgCtrlID.USER32(00000000), ref: 00B3EF56
_memset.LIBCMT ref: 00B3F081
GetMenuItemInfoW.USER32 ref: 00B3F0AC
GetMenuItemCount.USER32(00000000), ref: 00B3F0CC
GetMenuItemID.USER32(?,00000000), ref: 00B3F0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 00B3F113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 00B3F15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B3F193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00B3F1C8

Strings

0, xrefs: 00B3F079

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 2b1b218044b9a50aa364ac67e3486f7effceb25a7dc0c03c1169414ee36c53b4
Instruction ID: 08768d6e12f2a451a7806ef4a4aa676f2bf006cee32f095fb73b5a6f7641182b
Opcode Fuzzy Hash: 2b1b218044b9a50aa364ac67e3486f7effceb25a7dc0c03c1169414ee36c53b4
Instruction Fuzzy Hash: B3819F71904302AFDB20CF15D984A7BBBE4FF88314F2049AEF995A7291D770D905CBA2

Function 00B0A867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00B0ABD7
Part of subcall function 00B0ABBB: GetLastError.KERNEL32(?,00B0A69F,?,?,?), ref: 00B0ABE1
Part of subcall function 00B0ABBB: GetProcessHeap.KERNEL32(00000008,?,?,00B0A69F,?,?,?), ref: 00B0ABF0
Part of subcall function 00B0ABBB: HeapAlloc.KERNEL32(00000000,?,00B0A69F,?,?,?), ref: 00B0ABF7
Part of subcall function 00B0ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00B0AC0E

Part of subcall function 00B0AC56: GetProcessHeap.KERNEL32(00000008,00B0A6B5,00000000,00000000,?,00B0A6B5,?), ref: 00B0AC62
Part of subcall function 00B0AC56: HeapAlloc.KERNEL32(00000000,?,00B0A6B5,?), ref: 00B0AC69
Part of subcall function 00B0AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00B0A6B5,?), ref: 00B0AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B0A8CB
_memset.LIBCMT ref: 00B0A8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B0A8FF
GetLengthSid.ADVAPI32(?), ref: 00B0A910
GetAce.ADVAPI32(?,00000000,?), ref: 00B0A94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B0A969
GetLengthSid.ADVAPI32(?), ref: 00B0A986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00B0A995
HeapAlloc.KERNEL32(00000000), ref: 00B0A99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B0A9BD
CopySid.ADVAPI32(00000000), ref: 00B0A9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B0A9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B0AA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B0AA2F

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: d9b8d5e4a79ba20cb1871a90f5dcc634119731af1c7e3f863d42f261beb1bef8
Instruction ID: 56c80cc8cce18cac6d64623a1a66260b72e9cf0bab2fc2d67f6e69875f5cf44b
Opcode Fuzzy Hash: d9b8d5e4a79ba20cb1871a90f5dcc634119731af1c7e3f863d42f261beb1bef8
Instruction Fuzzy Hash: 78511971A00209AFDF10DFA4DD95AEEBBB9FF04301F048599F915A72D0DB359A06CB61

Function 00B29DC1 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B29E36
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00B29E42
CreateCompatibleDC.GDI32(?), ref: 00B29E4E
SelectObject.GDI32(00000000,?), ref: 00B29E5B
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00B29EAF
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00B29EEB
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00B29F0F
SelectObject.GDI32(00000006,?), ref: 00B29F17
DeleteObject.GDI32(?), ref: 00B29F20
DeleteDC.GDI32(00000006), ref: 00B29F27
ReleaseDC.USER32(00000000,?), ref: 00B29F32

Strings

(, xrefs: 00B29ED7

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 846d0a5ab18285fb98306c902e4e0ef16af2c4953b26502202487ff718fa8fa5
Instruction ID: 250ca1c3b26c24006cd1ef00277d79d73e7fbc0a108dcd3db0b58e2f81643032
Opcode Fuzzy Hash: 846d0a5ab18285fb98306c902e4e0ef16af2c4953b26502202487ff718fa8fa5
Instruction Fuzzy Hash: 31514771900319AFCB25DFA8D885EAEBBF9FF48310F14895DF959A7250C731A8418BA0

Function 00B1CC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 00B1CCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 00B1CCC5
__swprintf.LIBCMT ref: 00B1CD1E
__swprintf.LIBCMT ref: 00B1CD37
_wprintf.LIBCMT ref: 00B1CDED
_wprintf.LIBCMT ref: 00B1CE0B

Strings

Error: , xrefs: 00B1CDB5
^ ERROR, xrefs: 00B1CD8F
"%s" (%d) : ==> %s:, xrefs: 00B1CE06
"%s" (%d) : ==> %s:%s%s, xrefs: 00B1CDE8
Line %d (File "%s"):, xrefs: 00B1CD18, 00B1CD31

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: 4b21b46d117fff9666477c72c00f172ba4c9cc91c946a0f71157d9bfb9c1707a
Instruction ID: 757742b105c3771705b2b28275bfc289ae0dff8e4062c975d2045900e5ea2c4a
Opcode Fuzzy Hash: 4b21b46d117fff9666477c72c00f172ba4c9cc91c946a0f71157d9bfb9c1707a
Instruction Fuzzy Hash: A2516F71840109BACB15FBE0DE46EEEBBB9EF04300F5001A6F50672161EB316E95DF60

Function 00B1CA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00B1CA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00B1CAB0
__swprintf.LIBCMT ref: 00B1CB09
__swprintf.LIBCMT ref: 00B1CB22
_wprintf.LIBCMT ref: 00B1CBCD
_wprintf.LIBCMT ref: 00B1CBEB

Strings

Error: , xrefs: 00B1CB95
"%s" (%d) : ==> %s:, xrefs: 00B1CBE6
"%s" (%d) : ==> %s:%s%s, xrefs: 00B1CBC8
Line %d (File "%s"):, xrefs: 00B1CB03, 00B1CB1C
^ ERROR , xrefs: 00B1CB64

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: 780e039735aae925d18690a4e50832c27f5256e6fb1e37a70d2f10bb2a01ab34
Instruction ID: 4846a833254e431335cc28eaa17bcded223f00704db98c54af236fb83dae17ef
Opcode Fuzzy Hash: 780e039735aae925d18690a4e50832c27f5256e6fb1e37a70d2f10bb2a01ab34
Instruction Fuzzy Hash: 5D516F71940209AACB15FBE0DE42EEEBBB8EF04340F504196B50673162EA356E99DF61

Function 00B155BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B155D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00B15664
GetMenuItemCount.USER32(00B91708), ref: 00B156ED
DeleteMenu.USER32(00B91708,00000005,00000000,000000F5,?,?), ref: 00B1577D
DeleteMenu.USER32(00B91708,00000004,00000000), ref: 00B15785
DeleteMenu.USER32(00B91708,00000006,00000000), ref: 00B1578D
DeleteMenu.USER32(00B91708,00000003,00000000), ref: 00B15795
GetMenuItemCount.USER32(00B91708), ref: 00B1579D
SetMenuItemInfoW.USER32(00B91708,00000004,00000000,00000030), ref: 00B157D3
GetCursorPos.USER32(?), ref: 00B157DD
SetForegroundWindow.USER32(00000000), ref: 00B157E6
TrackPopupMenuEx.USER32(00B91708,00000000,?,00000000,00000000,00000000), ref: 00B157F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00B15805

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 235d223f3f215aec2bb5d119ce74c99112303aae13705c389bc69136b5ad5bdc
Instruction ID: db9d262019fb9a3a4a7001c3120ae5521366dff0dee414296ba637d3aa1243da
Opcode Fuzzy Hash: 235d223f3f215aec2bb5d119ce74c99112303aae13705c389bc69136b5ad5bdc
Instruction Fuzzy Hash: 1371E470640605FEEB319B54DC89FEABFA5FF80364FA40286F5196A1E1CB715C90DB90

Function 00B33C06 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B32BB5,?,?), ref: 00B33C1D

Strings

HKEY_LOCAL_MACHINE, xrefs: 00B33C6C
HKLM, xrefs: 00B33C81
HKEY_CURRENT_CONFIG, xrefs: 00B33CC0
HKEY_USERS, xrefs: 00B33D04
HKU, xrefs: 00B33D15
HKCU, xrefs: 00B33CF3
HKEY_CURRENT_USER, xrefs: 00B33CE2
HKCC, xrefs: 00B33CD1
HKCR, xrefs: 00B33CAB
HKEY_CLASSES_ROOT, xrefs: 00B33C96

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: c4eff9afcce4fdd2069e8006c2b5ef34606d7bdac78b7ac837e59b71371bcf31
Instruction ID: 554237f002417f6830bf066a85b8418b48bbe7c4ad6f68492ca17ea858cb0a61
Opcode Fuzzy Hash: c4eff9afcce4fdd2069e8006c2b5ef34606d7bdac78b7ac837e59b71371bcf31
Instruction Fuzzy Hash: A241523111028A9BDF00EF14D991AEF37E5FF66740F6044A5EC566B2A2EB70DE4ACB50

Function 00B125B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00B436F4,00000010,?,Bad directive syntax error,00B6DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00B125D6
LoadStringW.USER32(00000000,?,00B436F4,00000010), ref: 00B125DD
_wprintf.LIBCMT ref: 00B12610
__swprintf.LIBCMT ref: 00B12632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00B126A1

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00B1260B
Line %d:, xrefs: 00B1262C
., xrefs: 00B12687
Line %d (File "%s"):, xrefs: 00B12647
Error: , xrefs: 00B1266F

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: 0d583359cd396de42406c8053be56d0cc27b7f860e14f5e6a99f40365bfa7aae
Instruction ID: b29fea76adc34a44ff1a49af177aba3b718ce71c6e7ec6a18272d362f93fb8ae
Opcode Fuzzy Hash: 0d583359cd396de42406c8053be56d0cc27b7f860e14f5e6a99f40365bfa7aae
Instruction Fuzzy Hash: B8213C3180021ABFCF11BF90CD4AEEE7BB9FF18704F440496B506661A2EA75A665DF50

Function 00B17AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00B17B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00B17B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B17B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00B17B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00B17B8C

Strings

alias PlayMe, xrefs: 00B17B1B
open , xrefs: 00B17AF1
play PlayMe, xrefs: 00B17B87
close PlayMe, xrefs: 00B17B53, 00B17B80
status PlayMe mode, xrefs: 00B17B3D
play PlayMe wait, xrefs: 00B17B76

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: b3e59a665ad95282d4d6ad9327c1ee713ba9f527022173c383ee412a629d24fb
Instruction ID: 8b46e3b71250bf1d904b47cdc71c56945f943ecac666c551d1c6d5697dc95b3b
Opcode Fuzzy Hash: b3e59a665ad95282d4d6ad9327c1ee713ba9f527022173c383ee412a629d24fb
Instruction Fuzzy Hash: 6611EBA498025979D720B361CC5ADFF7AFCEBD5F10F4005967412A31E1EF604E45C6B0

Function 00B1778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00B17794

Part of subcall function 00AEDC38: timeGetTime.WINMM(?,7707B400,00B458AB), ref: 00AEDC3C

Sleep.KERNEL32(0000000A), ref: 00B177C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 00B177E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00B17806
SetActiveWindow.USER32 ref: 00B17825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00B17833
SendMessageW.USER32(00000010,00000000,00000000), ref: 00B17852
Sleep.KERNEL32(000000FA), ref: 00B1785D
IsWindow.USER32 ref: 00B17869
EndDialog.USER32(00000000), ref: 00B1787A

Strings

BUTTON, xrefs: 00B177F8

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: b8489b177973c6445a0221597896348cb391aadf21859eb6bc099317f277f925
Instruction ID: 0d61cce8b031d0fbc5854776e7bf195d44620239c90deaa4796bf087a963bdad
Opcode Fuzzy Hash: b8489b177973c6445a0221597896348cb391aadf21859eb6bc099317f277f925
Instruction Fuzzy Hash: 6C214CB0298305BFE7105B20ED89B6A3FF9FB45B49F500195F506831A2DF614C81CA25

Function 00B202EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD936C: __swprintf.LIBCMT ref: 00AD93AB
Part of subcall function 00AD936C: __itow.LIBCMT ref: 00AD93DF

CoInitialize.OLE32(00000000), ref: 00B2034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00B203DE
SHGetDesktopFolder.SHELL32(?), ref: 00B203F2
CoCreateInstance.OLE32(00B5DA8C,00000000,00000001,00B83CF8,?), ref: 00B2043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00B204AD
CoTaskMemFree.OLE32(?,?), ref: 00B20505
_memset.LIBCMT ref: 00B20542
SHBrowseForFolderW.SHELL32(?), ref: 00B2057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00B205A1
CoTaskMemFree.OLE32(00000000), ref: 00B205A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00B205DF
CoUninitialize.OLE32(00000001,00000000), ref: 00B205E1

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: cce4905c35a8957e0723937019b300b01c4be21ff978186d2473b13b451874fa
Instruction ID: 140890ee569406f85aca74b45be58cdddd848da96d4443436cf773db4d8d8452
Opcode Fuzzy Hash: cce4905c35a8957e0723937019b300b01c4be21ff978186d2473b13b451874fa
Instruction Fuzzy Hash: F4B1EE75A00219AFDB14EFA4D988DAEBBF9FF48314B148499E809EB251D770ED41CF50

Function 00B12E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B12ED6
SetKeyboardState.USER32(?), ref: 00B12F41
GetAsyncKeyState.USER32(000000A0), ref: 00B12F61
GetKeyState.USER32(000000A0), ref: 00B12F78
GetAsyncKeyState.USER32(000000A1), ref: 00B12FA7
GetKeyState.USER32(000000A1), ref: 00B12FB8
GetAsyncKeyState.USER32(00000011), ref: 00B12FE4
GetKeyState.USER32(00000011), ref: 00B12FF2
GetAsyncKeyState.USER32(00000012), ref: 00B1301B
GetKeyState.USER32(00000012), ref: 00B13029
GetAsyncKeyState.USER32(0000005B), ref: 00B13052
GetKeyState.USER32(0000005B), ref: 00B13060

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 0be0bbac201bc0753db06df0153614dbe37f6f5cca7dd1883e93030b08a48adb
Instruction ID: 5756a98f016b6a5ead7217b5236ec37eefd7e31e896a7854690e698242e506ce
Opcode Fuzzy Hash: 0be0bbac201bc0753db06df0153614dbe37f6f5cca7dd1883e93030b08a48adb
Instruction Fuzzy Hash: DC510665A0478829FB35EBA088047EABFF4DF11740F8845DDC5C2561C2EB94ABCCC7A2

Function 00B0ED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00B0ED1E
GetWindowRect.USER32(00000000,?), ref: 00B0ED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00B0ED8E
GetDlgItem.USER32(?,00000002), ref: 00B0ED99
GetWindowRect.USER32(00000000,?), ref: 00B0EDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00B0EE01
GetDlgItem.USER32(?,000003E9), ref: 00B0EE0F
GetWindowRect.USER32(00000000,?), ref: 00B0EE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00B0EE63
GetDlgItem.USER32(?,000003EA), ref: 00B0EE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00B0EE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 00B0EE9B

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 85f5b2703c53fbca25e7ac6e8fd66755ca7b8d44103d0143794b6e6410d3776b
Instruction ID: 291b6e565d6ca4d5863d4a99d4c63d82a9d8aed6a84e8b2347b207dd8ab13895
Opcode Fuzzy Hash: 85f5b2703c53fbca25e7ac6e8fd66755ca7b8d44103d0143794b6e6410d3776b
Instruction Fuzzy Hash: 74511EB1B00205AFDB18CF68CD95BAEBBBAEB88301F148669F519D72D0DB70DD418B10

Function 00AEB73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00AEB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AEB759,?,00000000,?,?,?,?,00AEB72B,00000000,?), ref: 00AEBA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00AEB72B), ref: 00AEB7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,00AEB72B,00000000,?,?,00AEB2EF,?,?), ref: 00AEB88D
DestroyAcceleratorTable.USER32(00000000), ref: 00B4D8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AEB72B,00000000,?,?,00AEB2EF,?,?), ref: 00B4D8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AEB72B,00000000,?,?,00AEB2EF,?,?), ref: 00B4D8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AEB72B,00000000,?,?,00AEB2EF,?,?), ref: 00B4D90A
DeleteObject.GDI32(00000000), ref: 00B4D91C

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 4d1f5466eea9680e83d8c2c60b6bed4b0641157774f3f066ff004edc0714809d
Instruction ID: 29f7293035776a9dbc61575ed293bac41ccecd413e912046b343fd29f065c865
Opcode Fuzzy Hash: 4d1f5466eea9680e83d8c2c60b6bed4b0641157774f3f066ff004edc0714809d
Instruction Fuzzy Hash: 71617D31911741DFDB359F1ADA88B26B7F5FB94312F14099EE08687A70CB30A990EF50

Function 00AEB40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 00AEB526: GetWindowLongW.USER32(?,000000EB), ref: 00AEB537

GetSysColor.USER32(0000000F), ref: 00AEB438

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: d48758bf471c8c81c1668b5c966c4c05f0936d105d0073057122b3dd2052a0da
Instruction ID: e7419c70f0c844f31cbb956304064176ee494e527f357c9d132024c830f999de
Opcode Fuzzy Hash: d48758bf471c8c81c1668b5c966c4c05f0936d105d0073057122b3dd2052a0da
Instruction Fuzzy Hash: EC419130050680AFDF216F69E889BBA3BA5EB05721F1443A1FD659F1E6DB308D41DB31

Function 00B1690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00B16923
_wcscpy.LIBCMT ref: 00B16934
__wsplitpath.LIBCMT ref: 00B16958
__wsplitpath.LIBCMT ref: 00B16979
_wcscpy.LIBCMT ref: 00B1699B
_wcscpy.LIBCMT ref: 00B169B9
_wcscpy.LIBCMT ref: 00B169C7
_wcscat.LIBCMT ref: 00B169D6
_wcscat.LIBCMT ref: 00B16A2B
_wcscat.LIBCMT ref: 00B16A61
_wcscat.LIBCMT ref: 00B16A73

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: 98c3e731c84a949cc06e460d8d4ef4739fe64b261dff528a252bab9167e774b4
Instruction ID: acab013cae9a99b55d45f1a305f146d323c3154eb6cf9a391b872ad91ff1b5fd
Opcode Fuzzy Hash: 98c3e731c84a949cc06e460d8d4ef4739fe64b261dff528a252bab9167e774b4
Instruction Fuzzy Hash: D7410B7688511CAFCF65EB94CD86DDA73BCEF44300F4041E6B759A2051EA31ABE98F60

Function 00B1D76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00B6DC00,00B6DC00,00B6DC00), ref: 00B1D7CE
GetDriveTypeW.KERNEL32(?,00B83A70,00000061), ref: 00B1D898
_wcscpy.LIBCMT ref: 00B1D8C2

Strings

network, xrefs: 00B1D82C
cdrom, xrefs: 00B1D7EA
all, xrefs: 00B1D7D4
fixed, xrefs: 00B1D816
unknown, xrefs: 00B1D859
ramdisk, xrefs: 00B1D842
removable, xrefs: 00B1D800

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: a8724336855f15f38e7d09edf9a44eb9a2b045ad533f228e9fa86c4706162be0
Instruction ID: e6ab910c05dd987f96f52ba1d8d3a2226bb3fca23b8d1dadad05fd779843e330
Opcode Fuzzy Hash: a8724336855f15f38e7d09edf9a44eb9a2b045ad533f228e9fa86c4706162be0
Instruction Fuzzy Hash: 2F51B231104344AFC704EF14D9C1AAEB7E5EF89714FA089AEF49A572A2EB31DD45CB42

Function 00AD936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00AD93AB
__itow.LIBCMT ref: 00AD93DF

Part of subcall function 00AF1557: _xtow@16.LIBCMT ref: 00AF1578

Strings

True, xrefs: 00B44C8C
%.15g, xrefs: 00AD93A5
0x%p, xrefs: 00B44CAD
False, xrefs: 00B44C93

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: b1aff1337aaaa8ff4eed939477ac4d453a76e5a539448dd881d9dd6ddb79535a
Instruction ID: ab2d18f653b38ded4a7c52d6bb95f81985b5132b5316861cda58e9804419a6d9
Opcode Fuzzy Hash: b1aff1337aaaa8ff4eed939477ac4d453a76e5a539448dd881d9dd6ddb79535a
Instruction Fuzzy Hash: CD41B271504205EFDB24EB74DA82F6A73F8EF48300F2444AFE54ADB292EA31DA51DB51

Function 00B3A1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00B3A259
CreateCompatibleDC.GDI32(00000000), ref: 00B3A260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00B3A273
SelectObject.GDI32(00000000,00000000), ref: 00B3A27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 00B3A286
DeleteDC.GDI32(00000000), ref: 00B3A28F
GetWindowLongW.USER32(?,000000EC), ref: 00B3A299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00B3A2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00B3A2B9

Strings

static, xrefs: 00B3A1F1

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: fe7d136765ee3e92378d1f42c342fcc2957452cddd3eca9e98f9a107e35677f5
Instruction ID: ff9280276c2f68f17674bc3343fefad12441def5621a49461923232d05a9696e
Opcode Fuzzy Hash: fe7d136765ee3e92378d1f42c342fcc2957452cddd3eca9e98f9a107e35677f5
Instruction Fuzzy Hash: 73316D31101215ABDF215FA4DC49FEB3BA9FF0A361F200355FA59A61E0CB35D811DBA5

Function 00B16F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B16F1D
gethostname.WSOCK32(?,00000100), ref: 00B16F37
gethostbyname.WSOCK32(?), ref: 00B16F44
_wcscpy.LIBCMT ref: 00B16F6C
inet_ntoa.WSOCK32(?), ref: 00B16F8A
_strcat.LIBCMT ref: 00B16F98
_wcscpy.LIBCMT ref: 00B16FAF
WSACleanup.WSOCK32 ref: 00B16FBD
_wcscpy.LIBCMT ref: 00B16FCB

Strings

0.0.0.0, xrefs: 00B16F66

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: f6716108961bb1b12f211c1691210b13964be042ee40e5d2be26abb21f3ce08b
Instruction ID: 5a51584d2d92fba08951a9894c99679d8ec89d144be52ee4f35885b5117548c6
Opcode Fuzzy Hash: f6716108961bb1b12f211c1691210b13964be042ee40e5d2be26abb21f3ce08b
Instruction Fuzzy Hash: 8C11DF72904219AFCB24ABA0AD4AEEA77E8EB44711F4001E5F105A6091EE70DEC68B61

Function 00AF500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AF5047

Part of subcall function 00AF7C0E: __getptd_noexit.LIBCMT ref: 00AF7C0E

__gmtime64_s.LIBCMT ref: 00AF50E0
__gmtime64_s.LIBCMT ref: 00AF5116
__gmtime64_s.LIBCMT ref: 00AF5133
__allrem.LIBCMT ref: 00AF5189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AF51A5
__allrem.LIBCMT ref: 00AF51BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AF51DA
__allrem.LIBCMT ref: 00AF51F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AF520F
__invoke_watson.LIBCMT ref: 00AF5280

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: a7cc08bb2e3c991ae7d0bcc703642097b4331c6e1651328f2b15da529b8997c7
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: D5719372E00F1AABE714AFB8CC41BBA77E8AF00764F144229F714D6681EB70D9418BD0

Function 00B14DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B14DF8
GetMenuItemInfoW.USER32(00B91708,000000FF,00000000,00000030), ref: 00B14E59
SetMenuItemInfoW.USER32(00B91708,00000004,00000000,00000030), ref: 00B14E8F
Sleep.KERNEL32(000001F4), ref: 00B14EA1
GetMenuItemCount.USER32(?), ref: 00B14EE5
GetMenuItemID.USER32(?,00000000), ref: 00B14F01
GetMenuItemID.USER32(?,-00000001), ref: 00B14F2B
GetMenuItemID.USER32(?,?), ref: 00B14F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B14FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B14FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B14FEB

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 5bf480fa82359580daaf599bbcd4302af3bc5cc5897a1eff9bd006dd31caf73e
Instruction ID: 9339300b89047450a7cba982524d3a9c530cf6b022e2c00cf1b0d7ba1ef0b393
Opcode Fuzzy Hash: 5bf480fa82359580daaf599bbcd4302af3bc5cc5897a1eff9bd006dd31caf73e
Instruction Fuzzy Hash: 5461BD71900249EFDB20CFA8D988AEE7BF8FB41308F540599F506E7251E731AD86CB20

Function 00B39C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B39C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00B39C9B
GetWindowLongW.USER32(?,000000F0), ref: 00B39CBF
_memset.LIBCMT ref: 00B39CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B39CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00B39D5A

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: f1332c12da9607560fba56f4ad593f119033c77705e6af036265d224b01588c9
Instruction ID: 0a4b328d720bd442312b243bc38a6d6cdd763d71cdd6fadedcc88775f6e87773
Opcode Fuzzy Hash: f1332c12da9607560fba56f4ad593f119033c77705e6af036265d224b01588c9
Instruction Fuzzy Hash: C4617C75900208AFDB10DFA8CC81EEE77F8EF09704F2445AAFA15A7291D7B4AD46DB50

Function 00B094E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 00B094FE
SafeArrayAllocData.OLEAUT32(?), ref: 00B09549
VariantInit.OLEAUT32(?), ref: 00B0955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 00B0957B
VariantCopy.OLEAUT32(?,?), ref: 00B095BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 00B095D2
VariantClear.OLEAUT32(?), ref: 00B095E7
SafeArrayDestroyData.OLEAUT32(?), ref: 00B095F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B095FD
VariantClear.OLEAUT32(?), ref: 00B0960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B0961A

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 686ad7311532a8d26b2722d782581d02bf13d00aefe961892a70f85ad9c73f47
Instruction ID: a598745e4c19ee78ddd10b0a388f6aaff76a148353efb7261b197c4e308e28d8
Opcode Fuzzy Hash: 686ad7311532a8d26b2722d782581d02bf13d00aefe961892a70f85ad9c73f47
Instruction Fuzzy Hash: EC416F31900319AFCB11EFA5DC84ADEBFB9FF08355F0080A5E512A3261DB31EA45CBA1

Function 00B2ADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD936C: __swprintf.LIBCMT ref: 00AD93AB
Part of subcall function 00AD936C: __itow.LIBCMT ref: 00AD93DF

CoInitialize.OLE32 ref: 00B2ADF6
CoUninitialize.OLE32 ref: 00B2AE01
CoCreateInstance.OLE32(?,00000000,00000017,00B5D8FC,?), ref: 00B2AE61
IIDFromString.OLE32(?,?), ref: 00B2AED4
VariantInit.OLEAUT32(?), ref: 00B2AF6E
VariantClear.OLEAUT32(?), ref: 00B2AFCF

Strings

NULL Pointer assignment, xrefs: 00B2AEA6
Failed to create object, xrefs: 00B2AE6C, 00B2AF22
Invalid parameter, xrefs: 00B2AEED

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 57977f706610dd1be8d2782fdd995a44388740974469903838bec07e6d663aeb
Instruction ID: 0baaaa9264a326f9e7e9a43a6345af26e4194a6fd7c4773988841ad235968b65
Opcode Fuzzy Hash: 57977f706610dd1be8d2782fdd995a44388740974469903838bec07e6d663aeb
Instruction Fuzzy Hash: 86619C70208321AFC710EF54E984B6AB7E8EF48714F104999F989DB2A1C774ED45CB93

Function 00B28107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B28168
inet_addr.WSOCK32(?,?,?), ref: 00B281AD
gethostbyname.WSOCK32(?), ref: 00B281B9
IcmpCreateFile.IPHLPAPI ref: 00B281C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B28237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00B2824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00B282C2
WSACleanup.WSOCK32 ref: 00B282C8

Strings

Ping, xrefs: 00B281EB

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 6dd3731daea41931a9d01903f0e58298674fd45af956bc6d5dda950b15076269
Instruction ID: ba6c828b8587d52de00d647ed599573cc193d851b8f940d62e03cac646f4ae78
Opcode Fuzzy Hash: 6dd3731daea41931a9d01903f0e58298674fd45af956bc6d5dda950b15076269
Instruction Fuzzy Hash: 8551A0316017109FD720AF24DD85B6ABBE4EF48710F1489A9F95AEB2A1DF70E801CB42

Function 00B39E43 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B39E5B
CreateMenu.USER32 ref: 00B39E76
SetMenu.USER32(?,00000000), ref: 00B39E85
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B39F12
IsMenu.USER32(?), ref: 00B39F28
CreatePopupMenu.USER32 ref: 00B39F32
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B39F63
DrawMenuBar.USER32 ref: 00B39F71

Strings

0, xrefs: 00B39E54

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0
API String ID: 176399719-4108050209
Opcode ID: 1a47177aa2463cdaf0d4119df93e16a7b0a1ca5fe3db215ebced2159c9bca3d2
Instruction ID: 8884605719bb1e6c56bfffbb9fdc481b89cff354f9b0c72c52bcb1cc1a8b734f
Opcode Fuzzy Hash: 1a47177aa2463cdaf0d4119df93e16a7b0a1ca5fe3db215ebced2159c9bca3d2
Instruction Fuzzy Hash: 13415879A00209AFDB20DFA8D884BAABBF5FF48314F2441A9F945E7361D770A914CF50

Function 00B1E389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B1E396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00B1E40C
GetLastError.KERNEL32 ref: 00B1E416
SetErrorMode.KERNEL32(00000000,READY), ref: 00B1E483

Strings

READY, xrefs: 00B1E45C
READONLY, xrefs: 00B1E44E
NOTREADY, xrefs: 00B1E442
UNKNOWN, xrefs: 00B1E43B
INVALID, xrefs: 00B1E455

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 3d735ecd1e23e76e86e727f244fe547bb15a02468fecca55fad9f62267568ec7
Instruction ID: d42855d904f7d6946867dd55645f9edf840688b83dd2d9b0c4a47964ca3af16d
Opcode Fuzzy Hash: 3d735ecd1e23e76e86e727f244fe547bb15a02468fecca55fad9f62267568ec7
Instruction Fuzzy Hash: 84319435A002069FD711EF64D985BED77F4EF08700F548096E916E73A1DB70DA82CB51

Function 00B0B907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00B0B98C
GetDlgCtrlID.USER32 ref: 00B0B997
GetParent.USER32 ref: 00B0B9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B0B9B6
GetDlgCtrlID.USER32(?), ref: 00B0B9BF
GetParent.USER32(?), ref: 00B0B9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 00B0B9DE

Strings

ListBox, xrefs: 00B0B949
ComboBox, xrefs: 00B0B911

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: ed2f27a894767ee776a1620c26c4189e95099e3cf127a737a9f95ae04c4a3386
Instruction ID: 5f66d415bf75d66fd4e6ed5096a3c69575038a4b10e66c2bde34c4b4116a995f
Opcode Fuzzy Hash: ed2f27a894767ee776a1620c26c4189e95099e3cf127a737a9f95ae04c4a3386
Instruction Fuzzy Hash: AF21C874900204BFDB04ABA4CC95EFEBBB5EF45310F504296F562932E1DF745816DB20

Function 00B0B9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00B0BA73
GetDlgCtrlID.USER32 ref: 00B0BA7E
GetParent.USER32 ref: 00B0BA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B0BA9D
GetDlgCtrlID.USER32(?), ref: 00B0BAA6
GetParent.USER32(?), ref: 00B0BAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 00B0BAC5

Strings

ListBox, xrefs: 00B0BA32
ComboBox, xrefs: 00B0B9FA

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: de74f61dd3adaebfa6e89e538b239e79b622c7cea0ad32aa55a0758e7c01835e
Instruction ID: 65617c6759eabfe8f923a0399402cfd8bf533b03ee9a1497e0ce0e3978ae9d02
Opcode Fuzzy Hash: de74f61dd3adaebfa6e89e538b239e79b622c7cea0ad32aa55a0758e7c01835e
Instruction Fuzzy Hash: 8021A1B4A00204BFDB04ABA4CC85FBEBBB5EF45300F100196F951A32E1DF759916DB20

Function 00B0BAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00B0BAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 00B0BAF8
_wcscmp.LIBCMT ref: 00B0BB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00B0BB85

Strings

SHELLDLL_DefView, xrefs: 00B0BB04
smallicons, xrefs: 00B0BB4D
list, xrefs: 00B0BB67
largeicons, xrefs: 00B0BB19
details, xrefs: 00B0BB33

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 23adb3f757a1f89963e852cf5868bb90b3e66e4508cd794ff442e8975a402d3e
Instruction ID: 01afcf4d5a0449e387b8d2143a63f97515d920013f735b0f52302febdf4a7abd
Opcode Fuzzy Hash: 23adb3f757a1f89963e852cf5868bb90b3e66e4508cd794ff442e8975a402d3e
Instruction Fuzzy Hash: B911A376648306FAFA247A249C06DB67BDCDF11724B2000A6FA04E50E6EFB168518614

Function 00B2B2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B2B2D5
CoInitialize.OLE32(00000000), ref: 00B2B302
CoUninitialize.OLE32 ref: 00B2B30C
GetRunningObjectTable.OLE32(00000000,?), ref: 00B2B40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 00B2B539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 00B2B56D
CoGetObject.OLE32(?,00000000,00B5D91C,?), ref: 00B2B590
SetErrorMode.KERNEL32(00000000), ref: 00B2B5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B2B623
VariantClear.OLEAUT32(00B5D91C), ref: 00B2B633

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 32b27cee323b60b308112034fda1798741ccf2b3ae012f2adcb240a0cd6653f6
Instruction ID: 6e403a1d858b255a1ee898e7c710f8d2544f24e481e60711a2404780a359998c
Opcode Fuzzy Hash: 32b27cee323b60b308112034fda1798741ccf2b3ae012f2adcb240a0cd6653f6
Instruction Fuzzy Hash: 40C10271608315AFC700EF68D894A6BB7E9FF88308F00499DF98A9B251DB71ED05CB52

Function 00AFACB3 Relevance: 15.2, APIs: 10, Instructions: 219COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00AFACC1

Part of subcall function 00AF7CF4: __mtinitlocknum.LIBCMT ref: 00AF7D06
Part of subcall function 00AF7CF4: EnterCriticalSection.KERNEL32(00000000,?,00AF7ADD,0000000D), ref: 00AF7D1F

__calloc_crt.LIBCMT ref: 00AFACD2

Part of subcall function 00AF6986: __calloc_impl.LIBCMT ref: 00AF6995
Part of subcall function 00AF6986: Sleep.KERNEL32(00000000,000003BC,00AEF507,?,0000000E), ref: 00AF69AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 00AFACED
GetStartupInfoW.KERNEL32(?,00B86E28,00000064,00AF5E91,00B86C70,00000014), ref: 00AFAD46
__calloc_crt.LIBCMT ref: 00AFAD91
GetFileType.KERNEL32(00000001), ref: 00AFADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00AFAE11

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: 7b39419767680e3f96f22b3233f683c5997b55fda92168873f7599740db2b580
Instruction ID: 6fd5f3eaf60e77567945d2280ad80d071362a1e3f9ec47f76e44e6a10ec5a5e8
Opcode Fuzzy Hash: 7b39419767680e3f96f22b3233f683c5997b55fda92168873f7599740db2b580
Instruction Fuzzy Hash: DF81B3B19053598FDB24CFA8C9806F9BBF0AF15324B24425EE5AAAB3D1D7349803CB55

Function 00B167E9 Relevance: 15.1, APIs: 10, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00B167FD
__swprintf.LIBCMT ref: 00B1680A

Part of subcall function 00AF172B: __woutput_l.LIBCMT ref: 00AF1784

FindResourceW.KERNEL32(?,?,0000000E), ref: 00B16834
LoadResource.KERNEL32(?,00000000), ref: 00B16840
LockResource.KERNEL32(00000000), ref: 00B1684D
FindResourceW.KERNEL32(?,?,00000003), ref: 00B1686D
LoadResource.KERNEL32(?,00000000), ref: 00B1687F
SizeofResource.KERNEL32(?,00000000), ref: 00B1688E
LockResource.KERNEL32(?), ref: 00B1689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00B168F9

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 1d3f7e0a7a21b618b0ee572934b526eaa431cfd1446ba9bc1719757f7760275f
Instruction ID: e71c4c8fc9204b7af6b637f6f48b11ab117065231cb6b6ecec76f9c26aedf539
Opcode Fuzzy Hash: 1d3f7e0a7a21b618b0ee572934b526eaa431cfd1446ba9bc1719757f7760275f
Instruction Fuzzy Hash: 34316D7190021AABDB119FA0DD45EFA7BA8EF08341F508566F906E3150EB35D991DBB0

Function 00B14025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B14047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00B130A5,?,00000001), ref: 00B1405B
GetWindowThreadProcessId.USER32(00000000), ref: 00B14062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B130A5,?,00000001), ref: 00B14071
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B14083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00B130A5,?,00000001), ref: 00B1409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B130A5,?,00000001), ref: 00B140AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00B130A5,?,00000001), ref: 00B140F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00B130A5,?,00000001), ref: 00B14108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00B130A5,?,00000001), ref: 00B14113

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 34e68cfafee89093b3762cf128da2ea0c6ad6fe6e58a64a4a86c552017687eac
Instruction ID: e77d12f7358e6947ea40249ef4e495f7aa65810a341ed90d7deaab2449aeb66a
Opcode Fuzzy Hash: 34e68cfafee89093b3762cf128da2ea0c6ad6fe6e58a64a4a86c552017687eac
Instruction Fuzzy Hash: D331AC75500704BBDB20DF64DC8ABA97BF9EB54B12F648186F904E7290CFB59E808B60

Function 00B4DD4A Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00AEB496
SetTextColor.GDI32(?,000000FF), ref: 00AEB4A0
SetBkMode.GDI32(?,00000001), ref: 00AEB4B5
GetStockObject.GDI32(00000005), ref: 00AEB4BD
GetClientRect.USER32(?), ref: 00B4DD63
SendMessageW.USER32(?,00001328,00000000,?), ref: 00B4DD7A
GetWindowDC.USER32(?), ref: 00B4DD86
GetPixel.GDI32(00000000,?,?), ref: 00B4DD95
ReleaseDC.USER32(?,00000000), ref: 00B4DDA7
GetSysColor.USER32(00000005), ref: 00B4DDC5

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: 85803d214a7bbbfbdc06b5a54927a641c7fff882f0421e08e171179aec7e44ad
Instruction ID: ef08fa061029a77c141a012489525ab74e7416d49caac6b957cd4dc139d3a18c
Opcode Fuzzy Hash: 85803d214a7bbbfbdc06b5a54927a641c7fff882f0421e08e171179aec7e44ad
Instruction Fuzzy Hash: 91114F31500745EFDB216FA4EC08BA97BA1EB05326F1047A5FA66A60E1DF714A41EB21

Function 00B0CB82 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00B0CF50), ref: 00B0CE90

Strings

INSTANCE, xrefs: 00B0CD9E
CLASSNN, xrefs: 00B0CC33
NAME, xrefs: 00B0CCC2
REGEXPCLASS, xrefs: 00B0CC56
CLASS, xrefs: 00B0CC10
TEXT, xrefs: 00B0CDC7

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: a5199e46a2ff2e063e0c010b622597a800a4047f52239aad6e74195a83d983e9
Instruction ID: e9e1b029a08d074292af1681e31ca571d383a393a96934f84df2eb1a06eadeaa
Opcode Fuzzy Hash: a5199e46a2ff2e063e0c010b622597a800a4047f52239aad6e74195a83d983e9
Instruction Fuzzy Hash: C69173316005469ACB58EF60C581BEAFFF5FF04300F5486A5E95AA7191DF30B999CBD0

Function 00AD3093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00AD30DC
CoUninitialize.OLE32(?,00000000), ref: 00AD3181
UnregisterHotKey.USER32(?), ref: 00AD32A9
DestroyWindow.USER32(?), ref: 00B45079
FreeLibrary.KERNEL32(?), ref: 00B450F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B45125

Strings

close all, xrefs: 00AD30D7

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 9885e1c990bccd1f31338f1a6693c2caa3116879c89c1d268b9c7442dc708fbb
Instruction ID: 7e95aebb6f6a8e64c9c199eb8c5bfab0fbeb1f600018651ba7d76123413ee946
Opcode Fuzzy Hash: 9885e1c990bccd1f31338f1a6693c2caa3116879c89c1d268b9c7442dc708fbb
Instruction Fuzzy Hash: BD9105756006428FCB15EF14CA95AA8F3B4FF14305F5482AAE50BA7362DF30AE56CF51

Function 00AECB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00AECC15

Part of subcall function 00AECCCD: GetClientRect.USER32(?,?), ref: 00AECCF6
Part of subcall function 00AECCCD: GetWindowRect.USER32(?,?), ref: 00AECD37
Part of subcall function 00AECCCD: ScreenToClient.USER32(?,?), ref: 00AECD5F

GetDC.USER32 ref: 00B4D137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00B4D14A
SelectObject.GDI32(00000000,00000000), ref: 00B4D158
SelectObject.GDI32(00000000,00000000), ref: 00B4D16D
ReleaseDC.USER32(?,00000000), ref: 00B4D175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00B4D200

Strings

U, xrefs: 00B4D0D5

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: ccf2641d9be04e49ad3c468fa799c62218d0918b4e727b0ec0c04be69bc12c22
Instruction ID: 2540c32e4d49786edc851058c29aa0e090e108478e5f248b47c5b5145d3098e5
Opcode Fuzzy Hash: ccf2641d9be04e49ad3c468fa799c62218d0918b4e727b0ec0c04be69bc12c22
Instruction Fuzzy Hash: F471D131400245DFCF219F64CC95AAA7BF5FF48320F2446AAED55AB2A6CB318D42EF50

Function 00B3ECD4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AEB34E: GetWindowLongW.USER32(?,000000EB), ref: 00AEB35F

Part of subcall function 00AEB63C: GetCursorPos.USER32(000000FF), ref: 00AEB64F
Part of subcall function 00AEB63C: ScreenToClient.USER32(00000000,000000FF), ref: 00AEB66C
Part of subcall function 00AEB63C: GetAsyncKeyState.USER32(00000001), ref: 00AEB691
Part of subcall function 00AEB63C: GetAsyncKeyState.USER32(00000002), ref: 00AEB69F

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 00B3ED3C
ImageList_EndDrag.COMCTL32 ref: 00B3ED42
ReleaseCapture.USER32 ref: 00B3ED48
SetWindowTextW.USER32(?,00000000), ref: 00B3EDF0
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00B3EE03
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 00B3EEDC

Strings

@GUI_DRAGFILE, xrefs: 00B3EE77
@GUI_DROPID, xrefs: 00B3EE33

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 243777527306542b8b426121afac380fd926a796ffd1a07a3aa1bbc4c34d387b
Instruction ID: 1b4a1b9f3cf8efdd9987462edd45db4cc7043e0d914026340491698d65feff54
Opcode Fuzzy Hash: 243777527306542b8b426121afac380fd926a796ffd1a07a3aa1bbc4c34d387b
Instruction Fuzzy Hash: 0851AA71204301AFD710EF24DD9AF6A77E4EB88314F104A6EF595972E2DB70D904DB52

Function 00B245C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B245FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00B2462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00B2466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00B24682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B2468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00B246BF
InternetCloseHandle.WININET(00000000), ref: 00B24706

Part of subcall function 00B25052: GetLastError.KERNEL32(?,?,00B243CC,00000000,00000000,00000001), ref: 00B25067

Strings

, xrefs: 00B246B8

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: 9dcc21d71a8061ab1db0b1b9dd969ff877adf6f4c356b30788cf7e522c0735f2
Instruction ID: 26708ef778ccfeef5c5290a45631c1e90a6e72dd859d4cc1e39c58c11e5db2dc
Opcode Fuzzy Hash: 9dcc21d71a8061ab1db0b1b9dd969ff877adf6f4c356b30788cf7e522c0735f2
Instruction Fuzzy Hash: 53418EB1501229BFEB129F50DC85FBB7BECFF09305F004196FA099A151DBB09D448BA4

Function 00B2B644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00B6DC00), ref: 00B2B715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00B6DC00), ref: 00B2B749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00B2B8C1
SysFreeString.OLEAUT32(?), ref: 00B2B8EB

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 2d42a871a6e92bcdbe5073bc1aa4a343cb11044f7cb8ae989218cc82318d6d8c
Instruction ID: 50c0959b65e822242051dbeac3a45cdc3b0d98891672046ad71374443d7e506f
Opcode Fuzzy Hash: 2d42a871a6e92bcdbe5073bc1aa4a343cb11044f7cb8ae989218cc82318d6d8c
Instruction Fuzzy Hash: 10F15F71A00219EFCF14DF94D888EAEB7B9FF49311F108599F91AAB250DB31AE45CB50

Function 00B324D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B324F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B32688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B326AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B326EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B3270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B3286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00B328A1
CloseHandle.KERNEL32(?), ref: 00B328D0
CloseHandle.KERNEL32(?), ref: 00B32947

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 0bf68d9266fb8dbb55c5207a24216425194cdc673af81855590e6cebb02cb8e3
Instruction ID: 227b1d13da9ad0e755edb0bf43ec710108480c5337227940f59ed1dc96bffb00
Opcode Fuzzy Hash: 0bf68d9266fb8dbb55c5207a24216425194cdc673af81855590e6cebb02cb8e3
Instruction Fuzzy Hash: A8D19D35604340DFCB14EF25C991A6ABBE5EF84310F24899DF89A9B2A2DB31DD41CB52

Function 00B3B33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00B3B3F4

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 95fbc83d2aa7ced39c13d9979f966b37c1df458e04a6c0cb3fe83608255d3da5
Instruction ID: 0ae7fc4755c87b600c220ec506e50648fae40b4a37d69fbc19c35578ee14ef45
Opcode Fuzzy Hash: 95fbc83d2aa7ced39c13d9979f966b37c1df458e04a6c0cb3fe83608255d3da5
Instruction Fuzzy Hash: E2518B30600215BAEF309F29CC99FA93BE4EB05324F344196F715E72EACB71E9849A55

Function 00AEA699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00B4DB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B4DB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00B4DB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00B4DB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B4DB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,00AEA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00B4DBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B4DBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,00AEA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00B4DBC8

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: ca06e03caa640a3e0296cb85f9d9cf54f57fb1f36c6e4e978c3eb8573df1f0a3
Instruction ID: cced7862563ca437b13d37146c563918c97ca6b5d3df786d3c407dfb79eedc4c
Opcode Fuzzy Hash: ca06e03caa640a3e0296cb85f9d9cf54f57fb1f36c6e4e978c3eb8573df1f0a3
Instruction Fuzzy Hash: 74514770600209AFDB20DF69CD81FAA77F9EB68750F100659F946E7290DBB0AD80EB50

Function 00B17555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B16EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B15FA6,?), ref: 00B16ED8

Part of subcall function 00B16EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B15FA6,?), ref: 00B16EF1

Part of subcall function 00B172CB: GetFileAttributesW.KERNEL32(?,00B16019), ref: 00B172CC

lstrcmpiW.KERNEL32(?,?), ref: 00B175CA
_wcscmp.LIBCMT ref: 00B175E2
MoveFileW.KERNEL32(?,?), ref: 00B175FB

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 614ab70821126dc1a55df8c868091ef3f4c45ded32aef774fc803ab225cf6032
Instruction ID: d8ec4b738a1a3f57a3b6e715fb0820523aef5d416cbff603d37d84ec5a6dcf5c
Opcode Fuzzy Hash: 614ab70821126dc1a55df8c868091ef3f4c45ded32aef774fc803ab225cf6032
Instruction Fuzzy Hash: D9512DB2A492199ADF60EBA4D881DDE73FCDF08310F5041EAF605E3141EA7497C9CB60

Function 00AEEA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00B4DAD1,00000004,00000000,00000000), ref: 00AEEAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,00B4DAD1,00000004,00000000,00000000), ref: 00AEEB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,00B4DAD1,00000004,00000000,00000000), ref: 00B4DC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00B4DAD1,00000004,00000000,00000000), ref: 00B4DCF2

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 60bd244c784cb5f5700c442abe80e2f3f1972349ae6ff7c8facd102b6d715c2d
Instruction ID: 9457d2d42cbcd2d757d28651d93e6660d4727dba4c80bd32886b303c4876a71e
Opcode Fuzzy Hash: 60bd244c784cb5f5700c442abe80e2f3f1972349ae6ff7c8facd102b6d715c2d
Instruction Fuzzy Hash: 354127306047C0EAD739CB2A8DDDB2B7AE6EB45301F19C85DF087835A2DA70B880E711

Function 00B0B263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C), ref: 00B0B26C
HeapAlloc.KERNEL32(00000000), ref: 00B0B273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00B0B288
GetCurrentProcess.KERNEL32(?,00000000), ref: 00B0B290
DuplicateHandle.KERNEL32(00000000), ref: 00B0B293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002), ref: 00B0B2A3
GetCurrentProcess.KERNEL32(?,00000000), ref: 00B0B2AB
DuplicateHandle.KERNEL32(00000000), ref: 00B0B2AE
CreateThread.KERNEL32(00000000,00000000,00B0B2D4,00000000,00000000,00000000), ref: 00B0B2C8

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: f8963d65470a9d0708b3f3ca13dacb7882f987d56be040b7a988aafa5cf7beb1
Instruction ID: b466d2c82082c4712eb89be2fa24a5ea3922dd64caf5ad2ac01d24a39a23a751
Opcode Fuzzy Hash: f8963d65470a9d0708b3f3ca13dacb7882f987d56be040b7a988aafa5cf7beb1
Instruction Fuzzy Hash: 2901C9B5240308BFE720AFA5DC4DF6B7BACEB88712F018551FA05DB2A1CA749800CB65

Function 00B2C43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00B2C49E
NULL Pointer assignment, xrefs: 00B2C876, 00B2C887

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 13f11d6c93898815975495482b195c9293e485fc71ce514fdd58f0b46e89fc44
Instruction ID: c1bab394e5b796fc6151d5d0607d69701680b9b644be93afc96becaef7582b9a
Opcode Fuzzy Hash: 13f11d6c93898815975495482b195c9293e485fc71ce514fdd58f0b46e89fc44
Instruction Fuzzy Hash: 17E1B571A00229ABDF14DFA4E881BEE7BF5EF48354F1481A9F909AB291D770DD41CB90

Function 00B2BB08 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B2BB5C
VariantInit.OLEAUT32(?), ref: 00B2BC2D
VariantInit.OLEAUT32(?), ref: 00B2BD2E
VariantClear.OLEAUT32(?), ref: 00B2BD38
VariantClear.OLEAUT32(?), ref: 00B2BD99

Strings

Null Object assignment in FOR..IN loop, xrefs: 00B2BBBD, 00B2BCEB, 00B2BDA7
Incorrect Object type in FOR..IN loop, xrefs: 00B2BD11

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: dfd697d22c01cce112ce08c5bbb234efe3b8db76dcc53d459bbea55214fad112
Instruction ID: db0b07758292ba87ea867163bc75f12cfc90888aac5f88660f97de371d61bd33
Opcode Fuzzy Hash: dfd697d22c01cce112ce08c5bbb234efe3b8db76dcc53d459bbea55214fad112
Instruction Fuzzy Hash: F891B471A00225ABDF24DF95E844FEEB7F8EF45710F1085A9F519AB291DB709940CF90

Function 00B39A75 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00B39B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 00B39B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00B39B47
_wcscat.LIBCMT ref: 00B39BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 00B39BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00B39BE7

Strings

SysListView32, xrefs: 00B39AEB

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: cf93ff734f8288d418df1e7b0c6b78790856f81801c564e93ff69fb0d098ec03
Instruction ID: d61d1fa4a32cfe939becea6abe3b66e2a303b7f933b4e71e858f5f7a00e878a1
Opcode Fuzzy Hash: cf93ff734f8288d418df1e7b0c6b78790856f81801c564e93ff69fb0d098ec03
Instruction Fuzzy Hash: 0341B271940309EBEB219FA4DC85FEE77E8EF08350F2005AAF545A7291D7B19D85CB60

Function 00B3172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 00B16532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00B16554
Part of subcall function 00B16532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00B16564
Part of subcall function 00B16532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00B165F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B3179A
GetLastError.KERNEL32 ref: 00B317AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B317D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 00B31855
GetLastError.KERNEL32(00000000), ref: 00B31860
CloseHandle.KERNEL32(00000000), ref: 00B31895

Strings

SeDebugPrivilege, xrefs: 00B317B8

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 7bc3287df546c112de780ad5fbfcc137346c5dee76d27834d7a91a2563bc620f
Instruction ID: 995408b26caf9c49889adc57b7688a38537f40dc3f5e1734ab0a4d2ba004f2a0
Opcode Fuzzy Hash: 7bc3287df546c112de780ad5fbfcc137346c5dee76d27834d7a91a2563bc620f
Instruction Fuzzy Hash: D641CC72600200AFDB15EF58C9D5FADB7E9AF44300F188499F9069F2D2DFB4A944CB55

Function 00B15819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00B158B8

Strings

blank, xrefs: 00B1583A
stop, xrefs: 00B15889
question, xrefs: 00B15871
info, xrefs: 00B15859
warning, xrefs: 00B158A1

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: d94a1f923cd62776114fcacaeb914e19c633d3cdf6f13913a1fe1676fd269431
Instruction ID: 0b4eee6c9e0493e09a7c041a6a46444feab069923ff5b10ac33c511ad83e3a81
Opcode Fuzzy Hash: d94a1f923cd62776114fcacaeb914e19c633d3cdf6f13913a1fe1676fd269431
Instruction Fuzzy Hash: 09110A3120D746FAE7316F949C82DFA27DCDF55720B6000BAF640E6282F7B0AA808364

Function 00B1A729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 00B1A806

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 43647e8900722a37dc1a693f741ce5a41182055db280a4be473c4ccd1305b987
Instruction ID: 23646113638ee96df0257037019cb0fb2df3c2b63ff5b7b79bf73f0de439b565
Opcode Fuzzy Hash: 43647e8900722a37dc1a693f741ce5a41182055db280a4be473c4ccd1305b987
Instruction Fuzzy Hash: 58C17D75A0221ADFDB10DF98D581BEEB7F4FF08311F6480A9E615E7281D734AA81CB91

Function 00B16B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00B16B63
LoadStringW.USER32(00000000), ref: 00B16B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00B16B80
LoadStringW.USER32(00000000), ref: 00B16B87
_wprintf.LIBCMT ref: 00B16BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B16BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00B16BA8

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 5c361661d4e9f371cd227d052d1856cd6c93e6cf0a0455b34ab82b29ec9b941d
Instruction ID: 5c84d6cfe77b146e6dde9ec456dc2afa083abdb4e3cff9bad46fe79529b5af7f
Opcode Fuzzy Hash: 5c361661d4e9f371cd227d052d1856cd6c93e6cf0a0455b34ab82b29ec9b941d
Instruction Fuzzy Hash: 6D01ECF6900208BFE711AB949D89EE7766CEB08305F4045D5B745E2051EA749E848B75

Function 00B32B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B33C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B32BB5,?,?), ref: 00B33C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B32BF6

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: ed9e294142ea5408d9cd0cc7fd013f1f775071f47c1e68e6f737a70291671e6c
Instruction ID: 77b9664c4aeec1ac96954f15d0cf36c58b080d12eedf1edff7664880fa03da7a
Opcode Fuzzy Hash: ed9e294142ea5408d9cd0cc7fd013f1f775071f47c1e68e6f737a70291671e6c
Instruction Fuzzy Hash: C6918C712042019FCB11EF18C991B6EB7E5FF88310F64889DF9969B2A1DB34E945CF42

Function 00B295BF Relevance: 12.2, APIs: 8, Instructions: 247networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 00B29691
WSAGetLastError.WSOCK32(00000000), ref: 00B2969E
__WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 00B296C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00B296E9
WSAGetLastError.WSOCK32(00000000), ref: 00B296F8
htons.WSOCK32(?,?,?,00000000,?), ref: 00B297AA
inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,00B6DC00), ref: 00B29765

Part of subcall function 00B0D2FF: _strlen.LIBCMT ref: 00B0D309

_strlen.LIBCMT ref: 00B29800

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ErrorLast_strlen$htonsinet_ntoaselect
String ID:
API String ID: 3480843537-0
Opcode ID: 10192b4347abf73b903f44c6e1f52ec5a429a5dc9d52d114b4228ce3b0966318
Instruction ID: c3bd45778ec320d8cc3f292d91bee5a77190de7e73be3dd820a86d80cf748306
Opcode Fuzzy Hash: 10192b4347abf73b903f44c6e1f52ec5a429a5dc9d52d114b4228ce3b0966318
Instruction Fuzzy Hash: E681DE31504250ABC710EF64DD85F6BBBE8EF89710F144A5EF55A9B2A1EB30DD04CB92

Function 00AFA979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 00AFA991

Part of subcall function 00AF7D7C: __FF_MSGBANNER.LIBCMT ref: 00AF7D91
Part of subcall function 00AF7D7C: __NMSG_WRITE.LIBCMT ref: 00AF7D98
Part of subcall function 00AF7D7C: __malloc_crt.LIBCMT ref: 00AF7DB8

__lock.LIBCMT ref: 00AFA9A4
__lock.LIBCMT ref: 00AFA9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00B86DE0,00000018,00B05E7B,?,00000000,00000109), ref: 00AFAA0C
EnterCriticalSection.KERNEL32(8000000C,00B86DE0,00000018,00B05E7B,?,00000000,00000109), ref: 00AFAA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 00AFAA39

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 3765f14b74583db2584b97c130d294cb8b22a85623310e9f78512648657e7154
Instruction ID: 105836ba494d07ed7a1bc40bb181b70070dbfda53645bda74dbc258d9a2fb425
Opcode Fuzzy Hash: 3765f14b74583db2584b97c130d294cb8b22a85623310e9f78512648657e7154
Instruction Fuzzy Hash: 624129B19002199FEB10AFE8CA447FCB7B0AF11365F108319F629AB1D1DB749945CB91

Function 00B38ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B38EE4
GetDC.USER32(00000000), ref: 00B38EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B38EF7
ReleaseDC.USER32(00000000,00000000), ref: 00B38F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00B38F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B38F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00B3BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00B38F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B38FAA

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 9b2229b5be1462180ec93aea528b3a27584607e92828a2e05fbd35de5308946e
Instruction ID: 25c34ec24b35d8cb2858f093e6e72aad7aab3f3f0751c2a5ede7424438aa40df
Opcode Fuzzy Hash: 9b2229b5be1462180ec93aea528b3a27584607e92828a2e05fbd35de5308946e
Instruction Fuzzy Hash: 2E316D72100214BFEB218F50CC49FEA3BA9EF49716F0441A5FE08DB191DAB59842CBB1

Function 00B216DA Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 00AD936C: __swprintf.LIBCMT ref: 00AD93AB
Part of subcall function 00AD936C: __itow.LIBCMT ref: 00AD93DF

Part of subcall function 00AEC6F4: _wcscpy.LIBCMT ref: 00AEC717

_wcstok.LIBCMT ref: 00B2184E
_wcscpy.LIBCMT ref: 00B218DD
_memset.LIBCMT ref: 00B21910

Strings

X, xrefs: 00B21948

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 638b6739a06ea5b8ae0433242ec5a0a2b7ec37d8662b9b0dc29de4434ddfb983
Instruction ID: 44aa452d5c864d5cce746e01b4a821e0b4e9bac42b23d4cebe327ae4707c48b1
Opcode Fuzzy Hash: 638b6739a06ea5b8ae0433242ec5a0a2b7ec37d8662b9b0dc29de4434ddfb983
Instruction Fuzzy Hash: 4DC171315043519FC724EF28D991A9AB7E4FF95350F00496EF89A9B3A2DB30ED45CB82

Function 00B40133 Relevance: 10.7, APIs: 7, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AEB34E: GetWindowLongW.USER32(?,000000EB), ref: 00AEB35F

GetSystemMetrics.USER32(0000000F), ref: 00B4016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 00B4038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00B403AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 00B403D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00B403FF
ShowWindow.USER32(00000003,00000000), ref: 00B40421
DefDlgProcW.USER32(?,00000005,?,?), ref: 00B40440

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-0
Opcode ID: 40bece68510506979d6ee9002858756afcc7285eeee3df6664120478cda2d59c
Instruction ID: 3cdfecf33bbe7afe442750d8d82090ffd7c2f90834a91e6ce7949ee2c2f4c7c8
Opcode Fuzzy Hash: 40bece68510506979d6ee9002858756afcc7285eeee3df6664120478cda2d59c
Instruction Fuzzy Hash: DCA1CF31600616EBDB18DF68C9857BDBBF1FF08701F048299EE54A7290DB74AE50EB90

Function 00AEAE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e4b3b37d2440828dc7ab8c7f05aa2ec0812b9a33dce6b2a16c311e0048f3ba
Instruction ID: b59ca7431844e76d867881ef732cab172e7f0569542dd3fb217cd41f1cbab618
Opcode Fuzzy Hash: c0e4b3b37d2440828dc7ab8c7f05aa2ec0812b9a33dce6b2a16c311e0048f3ba
Instruction Fuzzy Hash: D1716CB1900149EFCB15CF99CC89ABEBB79FF85314F248149F915AB251C730AA41CFA5

Function 00B32230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B3225A
_memset.LIBCMT ref: 00B32323
ShellExecuteExW.SHELL32(?), ref: 00B32368

Part of subcall function 00AD936C: __swprintf.LIBCMT ref: 00AD93AB
Part of subcall function 00AD936C: __itow.LIBCMT ref: 00AD93DF

Part of subcall function 00AEC6F4: _wcscpy.LIBCMT ref: 00AEC717

CloseHandle.KERNEL32(00000000), ref: 00B3242F
FreeLibrary.KERNEL32(00000000), ref: 00B3243E

Strings

@, xrefs: 00B32334

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: a85f39e623c3eea6109630c41dec1bf8e2ec5310c829506f2f8c6c8f1a706f7c
Instruction ID: 11cdde6272b65c039f8db7f1b232c4d0ffaa04def960c9123109c251f307e7b2
Opcode Fuzzy Hash: a85f39e623c3eea6109630c41dec1bf8e2ec5310c829506f2f8c6c8f1a706f7c
Instruction Fuzzy Hash: 1F717075A00619DFCF15EFA8D9819AEBBF5FF48310F208499E856AB351CB34AD40CB94

Function 00B13DA8 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00B13DE7
GetKeyboardState.USER32(?), ref: 00B13DFC
SetKeyboardState.USER32(?), ref: 00B13E5D
PostMessageW.USER32(?,00000101,00000010,?), ref: 00B13E8B
PostMessageW.USER32(?,00000101,00000011,?), ref: 00B13EAA
PostMessageW.USER32(?,00000101,00000012,?), ref: 00B13EF0
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B13F13

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e2fcc74b51abcaa982a3d9cd664b15b31ffe1015b621abe533726a4fe3df4d66
Instruction ID: 08377da7d465c3128e7cec71e2c5a078e8ce62c795429f1ac8e12a3a475d5d75
Opcode Fuzzy Hash: e2fcc74b51abcaa982a3d9cd664b15b31ffe1015b621abe533726a4fe3df4d66
Instruction Fuzzy Hash: C651F2A1A043D13DFB3643348C45BF67FE99B06B04F4845C8E0D5968C2E394AED5D760

Function 00B13BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00B13C02
GetKeyboardState.USER32(?), ref: 00B13C17
SetKeyboardState.USER32(?), ref: 00B13C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00B13CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00B13CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00B13D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00B13D26

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 49571c7b0ea4ce52f319f0e9e3f045236112a5b7697110fb1e11c50279bd9547
Instruction ID: a6b294efba28b3144b3b4ef507a1bb9b0e078debb24312d1727b421e4d419b03
Opcode Fuzzy Hash: 49571c7b0ea4ce52f319f0e9e3f045236112a5b7697110fb1e11c50279bd9547
Instruction Fuzzy Hash: 0B5104A05087D53DFB3283348C45BF6BEE9EB06B00F4884D8E0D5668C2E695EED4D761

Function 00B17DB1 Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00B17DBE
_wcsncpy.LIBCMT ref: 00B17DF3
_wcsncpy.LIBCMT ref: 00B17E25
_wcsncpy.LIBCMT ref: 00B17E58
_wcsncpy.LIBCMT ref: 00B17E9A
_wcsncpy.LIBCMT ref: 00B17ED4
_wcsncpy.LIBCMT ref: 00B17F03

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 6bc718e8865c6ea46f59ff42c0de0bd876be2e4f7a4929ff77c2652c5b252f75
Instruction ID: 8b49615721580368541e513c7e07c0345b00a816d55863161f0327078b927582
Opcode Fuzzy Hash: 6bc718e8865c6ea46f59ff42c0de0bd876be2e4f7a4929ff77c2652c5b252f75
Instruction Fuzzy Hash: AE416D66C11258B6CF10EBF4C846ADFB3BCEF04310F5089A6F614E3122FA34E66587A5

Function 00B33D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00B33DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B33DCB
FreeLibrary.KERNEL32(00000000), ref: 00B33E80

Part of subcall function 00B33D72: RegCloseKey.ADVAPI32(?), ref: 00B33DE8
Part of subcall function 00B33D72: FreeLibrary.KERNEL32(?), ref: 00B33E3A
Part of subcall function 00B33D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00B33E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 00B33E25

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 9411ece9e7bc8cb72b94baa04bf9e715e2bd197eada696bda44a1660a366f980
Instruction ID: c5d3853d1fc997c2b7d6963741491fd5b8e97fa07f7cc3850ab100b033d26efb
Opcode Fuzzy Hash: 9411ece9e7bc8cb72b94baa04bf9e715e2bd197eada696bda44a1660a366f980
Instruction Fuzzy Hash: 5D310AB5901219BFDB159B90DC85AFFB7FCEB08701F1401AAE512E2190DA749F899BB0

Function 00B38FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B38FE7
GetWindowLongW.USER32(00CAD8A8,000000F0), ref: 00B3901A
GetWindowLongW.USER32(00CAD8A8,000000F0), ref: 00B3904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00B39081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00B390AB
GetWindowLongW.USER32(00000000,000000F0), ref: 00B390BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00B390D6

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 30cf85ed8eba77344a636a9fba9886bc1467b053f2d9c571b1928b130c97b05a
Instruction ID: e98e9f49783e12b9683f8dd5f1f71a6068c5006ae0e316c72087e3bf1a9af291
Opcode Fuzzy Hash: 30cf85ed8eba77344a636a9fba9886bc1467b053f2d9c571b1928b130c97b05a
Instruction Fuzzy Hash: E4312235604215EFDB258F58DC84F6437F5FB4A714F2402A5F6298B2B2CFB1A841DB41

Function 00B108AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B108F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B10918
SysAllocString.OLEAUT32(00000000), ref: 00B1091B
SysAllocString.OLEAUT32(?), ref: 00B10939
SysFreeString.OLEAUT32(?), ref: 00B10942
StringFromGUID2.OLE32(?,?,00000028), ref: 00B10967
SysAllocString.OLEAUT32(?), ref: 00B10975

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a895d5bd0d4983f7cea86781aa0a5e9e7da9e9e2ddd5e38c691e816ee6dab53c
Instruction ID: 3270c14a5081213e2f5209eac80472bec37f4aa3f0719b6aead483e5b72e8689
Opcode Fuzzy Hash: a895d5bd0d4983f7cea86781aa0a5e9e7da9e9e2ddd5e38c691e816ee6dab53c
Instruction Fuzzy Hash: DE217976611219AF9B10AF7CDC84DFB73ECEB09360B808565F915DB251DAB0EC85CB60

Function 00B12472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00B12485
__wcsnicmp.LIBCMT ref: 00B124A6
__wcsnicmp.LIBCMT ref: 00B124C0

Strings

#notrayicon, xrefs: 00B1247D
#OnAutoItStartRegister, xrefs: 00B124BA
#requireadmin, xrefs: 00B124A0

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 7ef1d812a6a21d5eb080433c1d99013d4b5bad6b3284271aad13c8ca5d9e5f84
Instruction ID: c1ad7e01088b0052f21b533e1bf5644b00934298ec1bc2da4ea8412b8c7134c3
Opcode Fuzzy Hash: 7ef1d812a6a21d5eb080433c1d99013d4b5bad6b3284271aad13c8ca5d9e5f84
Instruction Fuzzy Hash: 16217C31200251A7C720BB349D93EF773D9EF74310FA0406AF64697182E65599E2C3A1

Function 00B10986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B109CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B109F1
SysAllocString.OLEAUT32(00000000), ref: 00B109F4
SysAllocString.OLEAUT32 ref: 00B10A15
SysFreeString.OLEAUT32 ref: 00B10A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 00B10A38
SysAllocString.OLEAUT32(?), ref: 00B10A46

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 3d6b02658ce932019cfcb164e02a1348a537e70b61f875501f00bd983fd95617
Instruction ID: 91e45c1f4bf6e26ac833be628105508360f30ee95191d13314fa84f8f61e096f
Opcode Fuzzy Hash: 3d6b02658ce932019cfcb164e02a1348a537e70b61f875501f00bd983fd95617
Instruction Fuzzy Hash: F9215675624304AFDB10EFA8DC89DAA77ECEF4C3607548165F909CB2A5DAB0ECC18764

Function 00B3A2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AED17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AED1BA
Part of subcall function 00AED17C: GetStockObject.GDI32(00000011), ref: 00AED1CE
Part of subcall function 00AED17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AED1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B3A32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B3A33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B3A345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B3A354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B3A360

Strings

Msctls_Progress32, xrefs: 00B3A2FE

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 4ee74696f9ef70e3a2654f6d02e7d145882119e44533f14c69d2aa8513be2ace
Instruction ID: b42510c199999871b33887194b099de01e6043bdea2d5491c7ebd574f6d96375
Opcode Fuzzy Hash: 4ee74696f9ef70e3a2654f6d02e7d145882119e44533f14c69d2aa8513be2ace
Instruction Fuzzy Hash: 7E11B6B1150219BEEF155F64CC85EEB7F6DFF09798F114115FA04A60A0C7729C21DBA4

Function 00AECCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00AECCF6
GetWindowRect.USER32(?,?), ref: 00AECD37
ScreenToClient.USER32(?,?), ref: 00AECD5F
GetClientRect.USER32(?,?), ref: 00AECE8C
GetWindowRect.USER32(?,?), ref: 00AECEA5

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: c7257325796394c230afd3620565e335cea9c4eb33f7a495fe563486e5da5e22
Instruction ID: d18c41fd802da401361e9ec6c5bd509ed8e83f1687f3902a1a47e9854073ab17
Opcode Fuzzy Hash: c7257325796394c230afd3620565e335cea9c4eb33f7a495fe563486e5da5e22
Instruction Fuzzy Hash: 42B14979900289DBDF10CFA9C4807EDBBB1FF08310F149569EC69EB250DB30AA51DB64

Function 00B31BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B31C18
Process32FirstW.KERNEL32(00000000,?), ref: 00B31C26
__wsplitpath.LIBCMT ref: 00B31C54

Part of subcall function 00AF1DFC: __wsplitpath_helper.LIBCMT ref: 00AF1E3C

_wcscat.LIBCMT ref: 00B31C69
Process32NextW.KERNEL32(00000000,?), ref: 00B31CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00B31CF1

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: 596f02c3f640cdc603b64b4a6a722815477835fddd5a80b5f6bd46585c874159
Instruction ID: 704b66addf11be174a5293301b6927ca89af3b1c6efd05abdeb56795f6fa64f3
Opcode Fuzzy Hash: 596f02c3f640cdc603b64b4a6a722815477835fddd5a80b5f6bd46585c874159
Instruction Fuzzy Hash: 45519C715043409FD720EF64D881EABB7ECEF88754F10496EF58A97251EB30EA04CB92

Function 00B32FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B33C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B32BB5,?,?), ref: 00B33C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B330AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B330EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00B33112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B3313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B3317E
RegCloseKey.ADVAPI32(00000000), ref: 00B3318B

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: 19924e34a341f94792fc5c6812243a71cafd7601d1de083bbce0d098b541bed8
Instruction ID: 064ddb9f3f6a1a506ef307836f677471a78f2e5dde6370f5da6936330d2665f2
Opcode Fuzzy Hash: 19924e34a341f94792fc5c6812243a71cafd7601d1de083bbce0d098b541bed8
Instruction Fuzzy Hash: B9514831104300AFC714EF64C995E6BBBE9FF88710F14499EF5569B2A1DB31EA09CB52

Function 00B384DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00B38540
GetMenuItemCount.USER32(00000000), ref: 00B38577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00B3859F
GetMenuItemID.USER32(?,?), ref: 00B3860E
GetSubMenu.USER32(?,?), ref: 00B3861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 00B3866D

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 96106defef249492977d4af1ce786aa65ab5f0b3bdbe92c8d5cee1ad095dadcd
Instruction ID: 5e18577e7a0b7ee7585d4269c374f110f43eb9523dd802f96537658ad97da979
Opcode Fuzzy Hash: 96106defef249492977d4af1ce786aa65ab5f0b3bdbe92c8d5cee1ad095dadcd
Instruction Fuzzy Hash: 09519D31A00615EFCF11EFA8C945AAEB7F4EF58310F214499F916BB351DB70AE418B91

Function 00B14AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B14B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B14B5B
IsMenu.USER32(00000000), ref: 00B14B7B
CreatePopupMenu.USER32 ref: 00B14BAF
GetMenuItemCount.USER32(000000FF), ref: 00B14C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00B14C3E

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 174a72610fcfb661debe919230f2784639155599a4f530bd215873343ae76017
Instruction ID: 872f9a4a40fa7c42ae2a1e0c66189545c84cde2b0ead4b8462f92e9f4444cfd3
Opcode Fuzzy Hash: 174a72610fcfb661debe919230f2784639155599a4f530bd215873343ae76017
Instruction Fuzzy Hash: 01510270605309EFDF20CF68D888BEEBBF4EF45318F548199E4159B291E7709A80CB91

Function 00B28DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,00B6DC00), ref: 00B28E7C
WSAGetLastError.WSOCK32(00000000), ref: 00B28E89
__WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00B28EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 00B28EC5
_strlen.LIBCMT ref: 00B28EF7
WSAGetLastError.WSOCK32(00000000), ref: 00B28F6A

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: f4d94a5ec0e4de1768a0633680b9d51083b9d567c268dd6edce85ab729ea7289
Instruction ID: 00a373a2ffcf36d950ab6a5f3bd791149f13aeb2b305739bbb0626fd1038f91e
Opcode Fuzzy Hash: f4d94a5ec0e4de1768a0633680b9d51083b9d567c268dd6edce85ab729ea7289
Instruction Fuzzy Hash: C4417F71501214ABDB14EBA4DE85EEEB7F9EF58310F1046AAF51A97291DF30AE40CB60

Function 00AEABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00AEB34E: GetWindowLongW.USER32(?,000000EB), ref: 00AEB35F

BeginPaint.USER32(?,?,?), ref: 00AEAC2A
GetWindowRect.USER32(?,?), ref: 00AEAC8E
ScreenToClient.USER32(?,?), ref: 00AEACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00AEACBC
EndPaint.USER32(?,?,?,?,?), ref: 00AEAD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00B4E673

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: 1619abd8946f2ae488e6ce942f705d1af60a230a93967a4cde316e700a19e501
Instruction ID: a6d44b7c7e2810715b75764bb7b5c2b2ebb09eaaef5f0a7be5ddcf0ac1ac2ca7
Opcode Fuzzy Hash: 1619abd8946f2ae488e6ce942f705d1af60a230a93967a4cde316e700a19e501
Instruction Fuzzy Hash: D441CF705003419FC720DF69DC84FB67BF8FB69321F1406A9F9A5872A1CB30A945EB62

Function 00B3E397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00B91628,00000000,00B91628,00000000,00000000,00B91628,?,00B4DC5D,00000000,?,00000000,00000000,00000000,?,00B4DAD1,00000004), ref: 00B3E40B
EnableWindow.USER32(00000000,00000000), ref: 00B3E42F
ShowWindow.USER32(00B91628,00000000), ref: 00B3E48F
ShowWindow.USER32(00000000,00000004), ref: 00B3E4A1
EnableWindow.USER32(00000000,00000001), ref: 00B3E4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00B3E4E8

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: fed8ece6f4a5b4153df3ca2dbd9cc7fc08d232d06c20a5859802f84db3e08996
Instruction ID: aaeffe2846ffd5b71a020c15fbb2032c6c4b7953f3dd0b915dd8815c5681fadb
Opcode Fuzzy Hash: fed8ece6f4a5b4153df3ca2dbd9cc7fc08d232d06c20a5859802f84db3e08996
Instruction Fuzzy Hash: 16414F30601140EFDB22CF24C599B987BE1FF09304F2841EAEA688F2E2C731E852CB51

Function 00B198BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00B198D1

Part of subcall function 00AEF4EA: std::exception::exception.LIBCMT ref: 00AEF51E
Part of subcall function 00AEF4EA: __CxxThrowException@8.LIBCMT ref: 00AEF533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00B19908
EnterCriticalSection.KERNEL32(?), ref: 00B19924
LeaveCriticalSection.KERNEL32(?), ref: 00B1999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00B199B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00B199D2

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: ec7b55b051015c0c68809a0f6d1da17a51933113114ad7cf14ddb13e2e597502
Instruction ID: f4fd704b46f6eb83bea0c3228778272fb7cde6bf343e65d0b060c2a6c82b8fea
Opcode Fuzzy Hash: ec7b55b051015c0c68809a0f6d1da17a51933113114ad7cf14ddb13e2e597502
Instruction Fuzzy Hash: 8E317031900245EFDB10EF95DD85AAAB7B8FF44310B1481A9E904AB256DB30DE50CBA4

Function 00B29B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00B277F4,?,?,00000000,00000001), ref: 00B29B53

Part of subcall function 00B26544: GetWindowRect.USER32(?,?), ref: 00B26557

GetDesktopWindow.USER32 ref: 00B29B7D
GetWindowRect.USER32(00000000), ref: 00B29B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00B29BB6

Part of subcall function 00B17A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00B17AD0

GetCursorPos.USER32(?), ref: 00B29BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00B29C44

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 58cad21fa11de858ceb4b2f55968e479a7521f7b6afbb12a3c637fbf0c749e7c
Instruction ID: 3e22f534cea8e9119241111d12e8cc50edbd0df1bc89cc3fef05e7d7c676db27
Opcode Fuzzy Hash: 58cad21fa11de858ceb4b2f55968e479a7521f7b6afbb12a3c637fbf0c749e7c
Instruction Fuzzy Hash: FB31EF72204319AFC720DF14E849F9AB7E9FF89314F000A5AF599D7181DA30EA44CB92

Function 00B3EBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00AEAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00AEAFE3
Part of subcall function 00AEAF83: SelectObject.GDI32(?,00000000), ref: 00AEAFF2
Part of subcall function 00AEAF83: BeginPath.GDI32(?), ref: 00AEB009
Part of subcall function 00AEAF83: SelectObject.GDI32(?,00000000), ref: 00AEB033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00B3EC20
LineTo.GDI32(00000000,00000003,?), ref: 00B3EC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B3EC42
LineTo.GDI32(00000000,00000000,?), ref: 00B3EC52
EndPath.GDI32(00000000), ref: 00B3EC62
StrokePath.GDI32(00000000), ref: 00B3EC72

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: ac57b2a345f7d43116d7049e3c3fc79f37bb38df63dfdfa5f01fba580691b9a0
Instruction ID: acf889d607c59c50157517abfcc2f1ca51c374eddd5610a67b5c2ac4f55280e8
Opcode Fuzzy Hash: ac57b2a345f7d43116d7049e3c3fc79f37bb38df63dfdfa5f01fba580691b9a0
Instruction Fuzzy Hash: 30111B7240024DBFEF129F94DD88FEA7F6DEB08351F048152BE189A1A0DB719D55DBA0

Function 00B0E19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B0E1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 00B0E1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B0E1D8
ReleaseDC.USER32(00000000,00000000), ref: 00B0E1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00B0E1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 00B0E209

Part of subcall function 00B09AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00B09A05,00000000,00000000,?,00B09DDB), ref: 00B0A53A

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: dd4f54c33dfad12c4b8d5dc4b3f82a1759bd7dce6d24ac66d50e1836e08b1ce6
Instruction ID: bcc42e63fd8f8d67c1e62d5f471ca289d6aed1d4a6c600d7508815b57e149edb
Opcode Fuzzy Hash: dd4f54c33dfad12c4b8d5dc4b3f82a1759bd7dce6d24ac66d50e1836e08b1ce6
Instruction Fuzzy Hash: 2F018FB5A00714BFEB109BA69C45B5EBFB8EB48751F0441A6EA04E72D0DA709C01CBA0

Function 00AF7B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00AF7B47

Part of subcall function 00AF123A: __initp_misc_winsig.LIBCMT ref: 00AF125E
Part of subcall function 00AF123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00AF7F51
Part of subcall function 00AF123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00AF7F65
Part of subcall function 00AF123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00AF7F78
Part of subcall function 00AF123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00AF7F8B
Part of subcall function 00AF123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00AF7F9E
Part of subcall function 00AF123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00AF7FB1
Part of subcall function 00AF123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00AF7FC4
Part of subcall function 00AF123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00AF7FD7
Part of subcall function 00AF123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00AF7FEA
Part of subcall function 00AF123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00AF7FFD
Part of subcall function 00AF123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00AF8010
Part of subcall function 00AF123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00AF8023
Part of subcall function 00AF123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00AF8036
Part of subcall function 00AF123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00AF8049
Part of subcall function 00AF123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00AF805C
Part of subcall function 00AF123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00AF806F

__mtinitlocks.LIBCMT ref: 00AF7B4C

Part of subcall function 00AF7E23: InitializeCriticalSectionAndSpinCount.KERNEL32(00B8AC68,00000FA0,?,?,00AF7B51,00AF5E77,00B86C70,00000014), ref: 00AF7E41

__mtterm.LIBCMT ref: 00AF7B55

Part of subcall function 00AF7BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00AF7B5A,00AF5E77,00B86C70,00000014), ref: 00AF7D3F
Part of subcall function 00AF7BBD: _free.LIBCMT ref: 00AF7D46
Part of subcall function 00AF7BBD: DeleteCriticalSection.KERNEL32(00B8AC68,?,?,00AF7B5A,00AF5E77,00B86C70,00000014), ref: 00AF7D68

__calloc_crt.LIBCMT ref: 00AF7B7A
GetCurrentThreadId.KERNEL32 ref: 00AF7BA3

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: 7fef87b7776e4f0e0cbd06845fa603d9b016e4810211a920a7e607b17a78d554
Instruction ID: 83285feea2f081a6160bd8cff723495ee3c7f7d26e823584da3f6b9b469aa75a
Opcode Fuzzy Hash: 7fef87b7776e4f0e0cbd06845fa603d9b016e4810211a920a7e607b17a78d554
Instruction Fuzzy Hash: 4EF0963251D71A19E62977F8BE06A7E26949F02730B2006AAFB61D60E5FF2488418160

Function 00AD27EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AD281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00AD2825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AD2830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AD283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00AD2843
MapVirtualKeyW.USER32(00000012,00000000), ref: 00AD284B

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: f245c36cba3b4d0d89546c75df7c392453de7ffbc8dd8b39023e64597ae1929a
Instruction ID: 879db8076287fd19b4c9aea7b42dc468a961cf604d7e58346f217d248c57fe82
Opcode Fuzzy Hash: f245c36cba3b4d0d89546c75df7c392453de7ffbc8dd8b39023e64597ae1929a
Instruction Fuzzy Hash: 6D0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00425BA15C47A42C7F5A864CBE5

Function 00B19AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: 499f57f1ad5d72f63a13ed51c293e101f9add7aaa427b414ec971378966b5901
Instruction ID: edc249890acdbc7cfe190e361d8233463661df88a5026fc595348d51a3f67e7d
Opcode Fuzzy Hash: 499f57f1ad5d72f63a13ed51c293e101f9add7aaa427b414ec971378966b5901
Instruction Fuzzy Hash: 3501F432152311ABD7282B54EC58EEB77AAFF88702B8402A9F503D70A0CF76A840CB50

Function 00B17BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B17C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00B17C1D
GetWindowThreadProcessId.USER32(?,?), ref: 00B17C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B17C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B17C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B17C4C

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 87a774166e083bed1f6257483704b69e96d0398e1c91f852371961751b1ffc03
Instruction ID: a3e13c7865c653b57a823c7a1c9f1b55218c457a5587afa3092bd2a5f30d115d
Opcode Fuzzy Hash: 87a774166e083bed1f6257483704b69e96d0398e1c91f852371961751b1ffc03
Instruction Fuzzy Hash: 4EF01D72241658BBE6315B529C0DFEF7BBCDBC6B12F000298F601A2051DBA05A42C6B6

Function 00B19A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00B19A33
EnterCriticalSection.KERNEL32(?,?,?,?,00B45DEE,?,?,?,?,?,00ADED63), ref: 00B19A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,00B45DEE,?,?,?,?,?,00ADED63), ref: 00B19A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00B45DEE,?,?,?,?,?,00ADED63), ref: 00B19A5E

Part of subcall function 00B193D1: CloseHandle.KERNEL32(?,?,00B19A6B,?,?,?,00B45DEE,?,?,?,?,?,00ADED63), ref: 00B193DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 00B19A71
LeaveCriticalSection.KERNEL32(?,?,?,?,00B45DEE,?,?,?,?,?,00ADED63), ref: 00B19A78

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 7ec812757d03ca4f8e930a73a3b68495ddb092a749a66fd226f0e7a960d54ad5
Instruction ID: d45d83fe54e22899649fecf2722704351684fe342d0b9c0471cf617504a5c459
Opcode Fuzzy Hash: 7ec812757d03ca4f8e930a73a3b68495ddb092a749a66fd226f0e7a960d54ad5
Instruction Fuzzy Hash: A2F05E32142311ABD7252BA4EC8DEEA7769FF84702F5406A5F603D60A0DF769841DB51

Function 00AD1CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 00AEF4EA: std::exception::exception.LIBCMT ref: 00AEF51E
Part of subcall function 00AEF4EA: __CxxThrowException@8.LIBCMT ref: 00AEF533

__swprintf.LIBCMT ref: 00AD1EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00AD1D49

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: 1aadc83dd662798f3b17201c59401d4425a798ed341a89df39e45eb575e54054
Instruction ID: c9758a74d3c931387720e46eb37773364b7647dc80a2823903885ae45d695212
Opcode Fuzzy Hash: 1aadc83dd662798f3b17201c59401d4425a798ed341a89df39e45eb575e54054
Instruction Fuzzy Hash: E2916B71504201AFC724EF24CA96D7EBBE4EF95700F04495EF886972A1DB30EE05DB92

Function 00B2AFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B2B006
CharUpperBuffW.USER32(?,?), ref: 00B2B115
VariantClear.OLEAUT32(?), ref: 00B2B298

Part of subcall function 00B19DC5: VariantInit.OLEAUT32(00000000), ref: 00B19E05
Part of subcall function 00B19DC5: VariantCopy.OLEAUT32(?,?), ref: 00B19E0E
Part of subcall function 00B19DC5: VariantClear.OLEAUT32(?), ref: 00B19E1A

Strings

Incorrect Parameter format, xrefs: 00B2B03E, 00B2B20B
AUTOIT.ERROR, xrefs: 00B2B11B

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: ad78c50e57847240e206078ed9c5ec3fee69e64c567ed844c15289d229332c82
Instruction ID: c0f6c1bc6fbf3782a8d7c28489cb24201f4056cd5bb04ade160c40d9c827909d
Opcode Fuzzy Hash: ad78c50e57847240e206078ed9c5ec3fee69e64c567ed844c15289d229332c82
Instruction Fuzzy Hash: C49159706083019FCB10EF24D581D5BBBE4EF89700F0449AEF89A9B3A2DB31E945CB52

Function 00B15347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AEC6F4: _wcscpy.LIBCMT ref: 00AEC717

_memset.LIBCMT ref: 00B15438
GetMenuItemInfoW.USER32(?), ref: 00B15467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B15513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00B1553D

Strings

0, xrefs: 00B15430

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 471ec3818b2f0b1ed1c02ed95a2bc95ba13810ff57d7f61f644777d0cfb0d256
Instruction ID: 744f22638409ce70a2d70e38c3e9de7f14c8b43d68044211a1a496077f9dc486
Opcode Fuzzy Hash: 471ec3818b2f0b1ed1c02ed95a2bc95ba13810ff57d7f61f644777d0cfb0d256
Instruction Fuzzy Hash: A7510471114701DBD7219B28D9817EBB7E9EFD5310F840AAAF8A6D3290EB70CD848752

Function 00B10213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B1027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00B102B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00B102C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00B10344

Strings

DllGetClassObject, xrefs: 00B102B7

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 187a359d7ee8e4eb9ff448ede84d5fdc2a4914b4ca4de434316fe39e160311b8
Instruction ID: 7b2a373c94264499fa07c8e0d430923e92923393629084c7d79f6220211b2cc8
Opcode Fuzzy Hash: 187a359d7ee8e4eb9ff448ede84d5fdc2a4914b4ca4de434316fe39e160311b8
Instruction Fuzzy Hash: 5F416871610204EFDB15EF54D884B9A7BF9EF48311B5480E9A919DF206D7F0DAC4CBA4

Function 00B15007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B15075
GetMenuItemInfoW.USER32 ref: 00B15091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 00B150D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B91708,00000000), ref: 00B15120

Strings

0, xrefs: 00B1506D

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 4a4e8d46099c08b0e16b548e78a9db8226aa57c72766b8949879f5c602d59eec
Instruction ID: 5d302f86725b203f4447bf573ac1f014b6325fb45389df5fb62c7b79c39e6b8a
Opcode Fuzzy Hash: 4a4e8d46099c08b0e16b548e78a9db8226aa57c72766b8949879f5c602d59eec
Instruction Fuzzy Hash: F441C170204701EFD721DF24D885BAAB7E4EFC9314F04469EF956A7291D730E890CB62

Function 00B1E698 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00B1E742
GetLastError.KERNEL32(?,00000000), ref: 00B1E768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00B1E78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00B1E7B9

Strings

p1Mw`KNw, xrefs: 00B1E78D

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID: p1Mw`KNw
API String ID: 3321077145-3626030660
Opcode ID: a79db7b8f130165673dfefdb86a804d613cafe20e709c37feb2e9ee879084263
Instruction ID: c75b3d117b65157cbe34b68a6781c6f144f265cb434e85d46f9c6f3419c5ffaf
Opcode Fuzzy Hash: a79db7b8f130165673dfefdb86a804d613cafe20e709c37feb2e9ee879084263
Instruction Fuzzy Hash: E2413539200610DFCB11EF19C544A8EBBE5FF99710B198089E916AF3A2CB70FD80CB91

Function 00B30567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 00B30587

Strings

cdecl, xrefs: 00B305DE
none, xrefs: 00B30662
stdcall, xrefs: 00B30609
winapi, xrefs: 00B305F8

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: f1c23e9e493a9fcdf68122c3e08dd3ca1345438f9f3b710933f67aa65d006ad3
Instruction ID: 9ef5c627466e220f8586a9834973d321a67f28fcd84cbdd306ed88c5ea0d7646
Opcode Fuzzy Hash: f1c23e9e493a9fcdf68122c3e08dd3ca1345438f9f3b710933f67aa65d006ad3
Instruction Fuzzy Hash: 2931A131510616ABCF00EF58C9519EEB3F4FF55310F2046AAE826A73D5DB71E915CB90

Function 00B0B80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00B0B88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00B0B8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 00B0B8D1

Strings

ListBox, xrefs: 00B0B84D
ComboBox, xrefs: 00B0B815

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 08e5be155c8d0d8637060ddd27d2cad570199c181f3c0d446e9810d716b8682e
Instruction ID: 678e029930a65fd3b0f88c681c591db55a89caa3cce72fa2cc10c420d4643321
Opcode Fuzzy Hash: 08e5be155c8d0d8637060ddd27d2cad570199c181f3c0d446e9810d716b8682e
Instruction Fuzzy Hash: A221D371900209BFDB14ABA4DD86DFE7BBCDF05360B10826AF422A72F1DB744D069B60

Function 00B243E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B24401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B24427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B24457
InternetCloseHandle.WININET(00000000), ref: 00B2449E

Part of subcall function 00B25052: GetLastError.KERNEL32(?,?,00B243CC,00000000,00000000,00000001), ref: 00B25067

Strings

, xrefs: 00B24450

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 9994b72a81a011e87b495a1da7142c3963893a90f0235aefdf61ddfaea8d170d
Instruction ID: 66ebf03f76a8f165e52808d114a52ebc52cd22dbbf87112bd5843957d8568919
Opcode Fuzzy Hash: 9994b72a81a011e87b495a1da7142c3963893a90f0235aefdf61ddfaea8d170d
Instruction Fuzzy Hash: 5621DEB2200218BEE721AF54ECC0FBBBAECEB48748F00855AF51997240EF748D059770

Function 00B390E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AED17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AED1BA
Part of subcall function 00AED17C: GetStockObject.GDI32(00000011), ref: 00AED1CE
Part of subcall function 00AED17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AED1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B3915C
LoadLibraryW.KERNEL32(?), ref: 00B39163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B39178
DestroyWindow.USER32(?), ref: 00B39180

Strings

SysAnimate32, xrefs: 00B39137

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 28c0025b82f498c3dd1bc0300c1b42d312e65afc2af8166547064cacd5070518
Instruction ID: 481a78caf633d2af8da2d0eaba4526b968c338a4a9e573c75d6657355778efb8
Opcode Fuzzy Hash: 28c0025b82f498c3dd1bc0300c1b42d312e65afc2af8166547064cacd5070518
Instruction Fuzzy Hash: 29219F71204606BBEF204E64DC85FBA37EDEF99364F200698F914B3190C7B1DC52A760

Function 00B19568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00B19588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B195B9
GetStdHandle.KERNEL32(0000000C), ref: 00B195CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00B19605

Strings

nul, xrefs: 00B19600

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 6868b75e552cf65b75c373e07a7ca56beeef889c63b25dfe80276e4ac92159db
Instruction ID: 9fceae20488f3acec0bdeed57777f7852b505779b6e9a38b39d8c014c9b23843
Opcode Fuzzy Hash: 6868b75e552cf65b75c373e07a7ca56beeef889c63b25dfe80276e4ac92159db
Instruction Fuzzy Hash: C5219270500345ABEB219F29DC55ADA77F9FF54720FA04A99F8A1E72E0D770D980CB10

Function 00B19634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00B19653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B19683
GetStdHandle.KERNEL32(000000F6), ref: 00B19694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00B196CE

Strings

nul, xrefs: 00B196C9

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: a87e4d21181dec5cfdff6ad9d316b86403aef9e2b8019dc14154d2614315b32e
Instruction ID: e3e4a2133a008595a499fccba1ff7d67f90a0944a5e31d8398a7a75a8800f1f5
Opcode Fuzzy Hash: a87e4d21181dec5cfdff6ad9d316b86403aef9e2b8019dc14154d2614315b32e
Instruction Fuzzy Hash: D721AF716003459BDB209F69DC64EDA77E8EF45720F600B98F8A1E72D0EB709881CB20

Function 00B1DAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B1DB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00B1DB5E
__swprintf.LIBCMT ref: 00B1DB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,00B6DC00), ref: 00B1DBB5

Strings

%lu, xrefs: 00B1DB71

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 15f4cf42d5332c5c737f96df155c9a046ed90514bbac70d60b7add5d95d2f33a
Instruction ID: 47a5d7b10e9b72febd9e8d9cb0c18c754941f1e9bfbd4e95edcde7fee7ebeae9
Opcode Fuzzy Hash: 15f4cf42d5332c5c737f96df155c9a046ed90514bbac70d60b7add5d95d2f33a
Instruction Fuzzy Hash: A0213035A00209AFCB10EFA5C985EAEBBF9EF49714B1040A9F509E7251DA71EA41CB61

Function 00B0C9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00B0C84A
Part of subcall function 00B0C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B0C85D
Part of subcall function 00B0C82D: GetCurrentThreadId.KERNEL32 ref: 00B0C864
Part of subcall function 00B0C82D: AttachThreadInput.USER32(00000000), ref: 00B0C86B

GetFocus.USER32 ref: 00B0CA05

Part of subcall function 00B0C876: GetParent.USER32(?), ref: 00B0C884

GetClassNameW.USER32(?,?,00000100), ref: 00B0CA4E
EnumChildWindows.USER32(?,00B0CAC4), ref: 00B0CA76
__swprintf.LIBCMT ref: 00B0CA90

Strings

%s%d, xrefs: 00B0CA8A

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: 486ec4a785563df9691251d98aae1181dd42ee326da071cb1727d845c4dd9c9d
Instruction ID: c84cee5b85f1d64512d22a6091f219dcec6e9e75d8752306f466e63132697e28
Opcode Fuzzy Hash: 486ec4a785563df9691251d98aae1181dd42ee326da071cb1727d845c4dd9c9d
Instruction Fuzzy Hash: 11117F716003096BCB11BFA08D85FA93FB8AF48754F0081A6FA19AB196DB749546DB70

Function 00B31945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B319F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00B31A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00B31B49
CloseHandle.KERNEL32(?), ref: 00B31BBF

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 3a73f0f0e375208296cb1879d86082f60cc31fb80bf23037a2651107712810d8
Instruction ID: 3e1ead2a8f20e079d430e7b48901d2f6f4e402704a93388f461f5722cda5f901
Opcode Fuzzy Hash: 3a73f0f0e375208296cb1879d86082f60cc31fb80bf23037a2651107712810d8
Instruction Fuzzy Hash: 91817771600214ABDF10EF59C986BADBBE9EF44720F148499F905AF382E7B5E941CB90

Function 00B3E062 Relevance: 7.7, APIs: 5, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00B3E1D5
SendMessageW.USER32(?,000000B0,?,?), ref: 00B3E20D
IsDlgButtonChecked.USER32(?,00000001), ref: 00B3E248
GetWindowLongW.USER32(?,000000EC), ref: 00B3E269
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00B3E281

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend$ButtonCheckedLongWindow
String ID:
API String ID: 3188977179-0
Opcode ID: f67f65af811d56bbbf579c9031ab895cb823e5f16c3c34f1e60a8aa260101111
Instruction ID: 54c9137fe538900e3154c8b06696ab5b33087e4f96acef31fdd01e0ffc9b5e14
Opcode Fuzzy Hash: f67f65af811d56bbbf579c9031ab895cb823e5f16c3c34f1e60a8aa260101111
Instruction Fuzzy Hash: E7619335A00604AFDB25CF58C895FAA77FAEF89300F2444EAF965A72D1C770E941DB10

Function 00B11C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B11CB4
VariantClear.OLEAUT32(00000013), ref: 00B11D26
VariantClear.OLEAUT32(00000000), ref: 00B11D81
VariantClear.OLEAUT32(?), ref: 00B11DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00B11E26

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 959d709f98b39b6ea68838b26a564a060ba504520a4ea948ca722850792d1bf2
Instruction ID: dcc735dab40fe100258a5503736a5433b9af5c82ca67efd4b2bbe2ce4e543170
Opcode Fuzzy Hash: 959d709f98b39b6ea68838b26a564a060ba504520a4ea948ca722850792d1bf2
Instruction Fuzzy Hash: F7512CB5A00209EFDB14CF58D884AAAB7F8FF4C314B158559E955DB305D730E951CBA0

Function 00B30688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD936C: __swprintf.LIBCMT ref: 00AD93AB
Part of subcall function 00AD936C: __itow.LIBCMT ref: 00AD93DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 00B306EE
GetProcAddress.KERNEL32(00000000,?), ref: 00B3077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00B3079B
GetProcAddress.KERNEL32(00000000,?), ref: 00B307E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 00B307FB

Part of subcall function 00AEE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00B1A574,?,?,00000000,00000008), ref: 00AEE675
Part of subcall function 00AEE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00B1A574,?,?,00000000,00000008), ref: 00AEE699

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: a58d1b26f2bb5d339505b5000a10589df5e5d90e2b772305e2c02e89e38df382
Instruction ID: 0c0655070ac1ce28f6be8b57d1d6002079be866588dbbcd65a253a3b1946e027
Opcode Fuzzy Hash: a58d1b26f2bb5d339505b5000a10589df5e5d90e2b772305e2c02e89e38df382
Instruction Fuzzy Hash: F5510575A00205DFCB10EFA8C595AADB7F5EF58310F14809AE916AB352DB30ED45CF90

Function 00B32E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B33C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B32BB5,?,?), ref: 00B33C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B32EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B32F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00B32F75
RegCloseKey.ADVAPI32(?,?), ref: 00B32FA1
RegCloseKey.ADVAPI32(00000000), ref: 00B32FAE

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: 81e07fcb3e51d15580373e7fb51f2672d417f45993a5d399bc4867333f0221d3
Instruction ID: 399544546e27556a7e3999bf2aa4bdeff8710c9442e767fd94599253c7c20798
Opcode Fuzzy Hash: 81e07fcb3e51d15580373e7fb51f2672d417f45993a5d399bc4867333f0221d3
Instruction Fuzzy Hash: 95517871208204AFD704EF64C991EABB7F9FF88314F54899EF596872A1DB30E905CB52

Function 00B3CCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e73e2ca21813cd9e3ba21a637cc850a68a7a116aa1230747b5ebe1dbd76ea2
Instruction ID: aab63f2cc7f189d018686fdb278f7869f429d49b468be5069a2f0b576a06d377
Opcode Fuzzy Hash: a8e73e2ca21813cd9e3ba21a637cc850a68a7a116aa1230747b5ebe1dbd76ea2
Instruction Fuzzy Hash: 4E418679900215ABD720DFA8CC84FA97FE4EB09350F2502B5F95AB72E1CB70AD51DB50

Function 00B21206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00B212B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00B212DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00B2131C

Part of subcall function 00AD936C: __swprintf.LIBCMT ref: 00AD93AB
Part of subcall function 00AD936C: __itow.LIBCMT ref: 00AD93DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00B21341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00B21349

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: e6b5689b5d66b758d7cd4bce951cba5962f115deb3fa21d27f72b685b7394c8a
Instruction ID: 500d001bbd484eaa07094c3ca08cd02ee8671589b8ad6ca7ed6503e15b3b6da3
Opcode Fuzzy Hash: e6b5689b5d66b758d7cd4bce951cba5962f115deb3fa21d27f72b685b7394c8a
Instruction Fuzzy Hash: 85410C35600605EFCF01EF68CA81AAEBBF5FF48310B148099E91AAB361CB31ED41DB51

Function 00AEB63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 00AEB64F
ScreenToClient.USER32(00000000,000000FF), ref: 00AEB66C
GetAsyncKeyState.USER32(00000001), ref: 00AEB691
GetAsyncKeyState.USER32(00000002), ref: 00AEB69F

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 049a9db2f00e1afe2a1410e35ceba62fd7561f6b41d8a517e3fb4d3d7019cbe8
Instruction ID: b14cfe59b1643c478a40d498137899ea8f3efe692d3cbb8cd85f89e4d6183cfc
Opcode Fuzzy Hash: 049a9db2f00e1afe2a1410e35ceba62fd7561f6b41d8a517e3fb4d3d7019cbe8
Instruction Fuzzy Hash: 52414435604255FFDF259F65C848AE9BBB4FB05324F204359F82596290CB30AE54EFA1

Function 00B0B358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B0B369
PostMessageW.USER32(?,00000201,00000001), ref: 00B0B413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00B0B41B
PostMessageW.USER32(?,00000202,00000000), ref: 00B0B429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00B0B431

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 5e48ddcac4458d120fad2f21a7d819024a75e999f4b836a7a1cedc2940df3aec
Instruction ID: b7830273c53b6a318d021c8b0a4885caefc12fe0aaf7f62bdcd197b54dc1d121
Opcode Fuzzy Hash: 5e48ddcac4458d120fad2f21a7d819024a75e999f4b836a7a1cedc2940df3aec
Instruction Fuzzy Hash: 6731CE71900319EBDF14CF68D94DB9E7FB5EB04315F1042A9F921AB2D1C7B09A54CB91

Function 00B0DBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00B0DBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00B0DBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00B0DC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00B0DC52
_wcsstr.LIBCMT ref: 00B0DC5C

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 16e80eb282f05455b38c23ee63c4ab14872bff22fb83b118f4d427253d57554d
Instruction ID: 0b3fe7873a6627e42c0fb1047729d7dae06fb821a22828bd551e3667f18edeeb
Opcode Fuzzy Hash: 16e80eb282f05455b38c23ee63c4ab14872bff22fb83b118f4d427253d57554d
Instruction Fuzzy Hash: 76210472204244BBFB259BB99D49E7F7FE8DF45750F1080A9F809CA1D1EEA1CC41D2A0

Function 00B3DE69 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00AEB34E: GetWindowLongW.USER32(?,000000EB), ref: 00AEB35F

GetWindowLongW.USER32(?,000000F0), ref: 00B3DEB0
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00B3DED4
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00B3DEEC
GetSystemMetrics.USER32(00000004), ref: 00B3DF14
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,00B23A1E,00000000), ref: 00B3DF32

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 8a628a5ee7248bbd36ad6f09f1b6b2622afc942efae1c2453f049949a6250758
Instruction ID: 176ca3175aabd4069958b152677b60c14a1a956785b7b7c7b86272504527c948
Opcode Fuzzy Hash: 8a628a5ee7248bbd36ad6f09f1b6b2622afc942efae1c2453f049949a6250758
Instruction Fuzzy Hash: 0E21B671A11222AFCF205F78EC84B663BD8FB15725F250765F926CB6E0D7309851CB90

Function 00B0BC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B0BC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B0BCC2
__itow.LIBCMT ref: 00B0BCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B0BD00
__itow.LIBCMT ref: 00B0BD11

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: bb9d2b9e617c506f037f8481585df41d500e773d6aa48877b5bb1fc48bbd9eba
Instruction ID: 3f323cc8fc96879c3991d60dc9b8c5dcd7b1715541f40ea067ba81a1a1d6c3a9
Opcode Fuzzy Hash: bb9d2b9e617c506f037f8481585df41d500e773d6aa48877b5bb1fc48bbd9eba
Instruction Fuzzy Hash: 8E21D835700308BBDB24AE658D86FDEBEE8EF59750F0001B5FA06EB1D1DB70894587A1

Function 00B16318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00AD50E6: _wcsncpy.LIBCMT ref: 00AD50FA

GetFileAttributesW.KERNEL32(?,?,?,?,00B160C3), ref: 00B16369
GetLastError.KERNEL32(?,?,?,00B160C3), ref: 00B16374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00B160C3), ref: 00B16388
_wcsrchr.LIBCMT ref: 00B163AA

Part of subcall function 00B16318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00B160C3), ref: 00B163E0

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: 6016ccf0ff2c8d7c827fd69aa02b8fae364106c98ba11ed665eb92993292b087
Instruction ID: 83ac811554a7bab18e66ed073b216079c5b0281e8dc25699a607c40664c7e814
Opcode Fuzzy Hash: 6016ccf0ff2c8d7c827fd69aa02b8fae364106c98ba11ed665eb92993292b087
Instruction Fuzzy Hash: 4721D5315042159ADB25AB7CBD42FEA33ECEF153A1F9044EAF065D31C1EF60D9C18A69

Function 00B28B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00B2A84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00B28BD3
WSAGetLastError.WSOCK32(00000000), ref: 00B28BE2
connect.WSOCK32(00000000,?,00000010), ref: 00B28BFE

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: f0a31539ceb367a40ad86c21a90e08b6a42c1aeba97410b1881db4b61eb301ac
Instruction ID: 818ebd816bd8aff6f2d96d929a7aec0bfabf426d0e7ff04f38800e76c8826998
Opcode Fuzzy Hash: f0a31539ceb367a40ad86c21a90e08b6a42c1aeba97410b1881db4b61eb301ac
Instruction Fuzzy Hash: 26216D312002249FDB10AF68DD85B7E77E9EF48721F044599F95AAB392CF74AC418B62

Function 00B28420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00B28441
GetForegroundWindow.USER32 ref: 00B28458
GetDC.USER32(00000000), ref: 00B28494
GetPixel.GDI32(00000000,?,00000003), ref: 00B284A0
ReleaseDC.USER32(00000000,00000003), ref: 00B284DB

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 5cc1e8607d339bf6156ab081e86068e64a45a41f67f5dbed757fafe96b41d02d
Instruction ID: 6df9fed1373059fe718e2ed32d98a9bae32b3601fac14822340446d35bd95324
Opcode Fuzzy Hash: 5cc1e8607d339bf6156ab081e86068e64a45a41f67f5dbed757fafe96b41d02d
Instruction Fuzzy Hash: 03218175A00214AFD710EFA4D985AAEBBE5EF48301F0484B9E85A97351DF74AC41CB60

Function 00AEAF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00AEAFE3
SelectObject.GDI32(?,00000000), ref: 00AEAFF2
BeginPath.GDI32(?), ref: 00AEB009
SelectObject.GDI32(?,00000000), ref: 00AEB033

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 9e58c18b446f4b002a39acb2fc84429d54b8a7c3b8be348cfc36e477129b87f9
Instruction ID: 696e5657cb84553da5acbe0d8266177e53bfa38e4e019157fbfaa9fa0c4d6b9f
Opcode Fuzzy Hash: 9e58c18b446f4b002a39acb2fc84429d54b8a7c3b8be348cfc36e477129b87f9
Instruction Fuzzy Hash: 8921B371C00346EFDB21DF5AED4879A7B78BB10356F14471BE420A31A0CB706951EF61

Function 00AF217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00AF21A9
CreateThread.KERNEL32(?,?,00AF22DF,00000000,?,?), ref: 00AF21ED
GetLastError.KERNEL32 ref: 00AF21F7
_free.LIBCMT ref: 00AF2200
__dosmaperr.LIBCMT ref: 00AF220B

Part of subcall function 00AF7C0E: __getptd_noexit.LIBCMT ref: 00AF7C0E

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: d9a846f9d70f78fb09b12138843a19748df3e80f85b6626835e24d153c8cf544
Instruction ID: dbc93d276c8b827518d3e6f754bc6138e00ea2a0388deb0e21b928d9d1824956
Opcode Fuzzy Hash: d9a846f9d70f78fb09b12138843a19748df3e80f85b6626835e24d153c8cf544
Instruction Fuzzy Hash: 4B11A13210430EAFAB21AFE5DD41EBF7BA8EF05760B100529FB2487191EB7198118BA5

Function 00B0ABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00B0ABD7
GetLastError.KERNEL32(?,00B0A69F,?,?,?), ref: 00B0ABE1
GetProcessHeap.KERNEL32(00000008,?,?,00B0A69F,?,?,?), ref: 00B0ABF0
HeapAlloc.KERNEL32(00000000,?,00B0A69F,?,?,?), ref: 00B0ABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00B0AC0E

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 1bf9b68a17d92e90816ce12a770159eabaf6528a512a43dd73d09db6762e090c
Instruction ID: 60c40f386cef0008b4a52fb0150160ef23fd0d3ab09eae25d86b9afa2fdaa65a
Opcode Fuzzy Hash: 1bf9b68a17d92e90816ce12a770159eabaf6528a512a43dd73d09db6762e090c
Instruction Fuzzy Hash: DA011D71200304BFEB204FA5DC58E6B3FADEF8A75571109A9F545D32A0DA719C41CF61

Function 00B09ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 00B09ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 00B09AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 00B09B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00B09B15
CLSIDFromString.OLE32(?,?), ref: 00B09B21

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 24055fb5a5520b8d88d941f36024520b416725b800d2c00583089214ad35abfb
Instruction ID: 69834a54453b58b9e3bce737b879540b69b9e1f3f78166f221dbda03b632499b
Opcode Fuzzy Hash: 24055fb5a5520b8d88d941f36024520b416725b800d2c00583089214ad35abfb
Instruction Fuzzy Hash: B0014B76600219BFDB214FA8ED44BAABEEDEB44762F1480A4F905D3261DB70DD419BA0

Function 00B17A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00B17A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00B17A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00B17A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00B17A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00B17AD0

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 5d13c3562a99d4ccc509b74893868cdc682db67b5dd875530065b62a3046488b
Instruction ID: 393db8d297b9fa3edd8a54752320b4a1a4ace3cf917cad13a9c4accbfbd21f36
Opcode Fuzzy Hash: 5d13c3562a99d4ccc509b74893868cdc682db67b5dd875530065b62a3046488b
Instruction Fuzzy Hash: 1B011735C54A19ABCF10AFE5EC88ADDBBB8FF08752F4405D5E502B3150DF309A9087A1

Function 00B0AAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B0AADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B0AAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B0AAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B0AAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B0AB10

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 59ab4e8b2aaba15654585a94b6d4a57ef15288b25e8f4695fb4aae5974037bcc
Instruction ID: c77d6bc6df01b5774d99eb9bb363660c64f59e3cbc8e54c83d5753f5b696ec62
Opcode Fuzzy Hash: 59ab4e8b2aaba15654585a94b6d4a57ef15288b25e8f4695fb4aae5974037bcc
Instruction Fuzzy Hash: 1CF04F712013086FEB210FA4EC88F6B3FADFF45755F4005A9F942D71A0CA609842CA61

Function 00B0AA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B0AA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B0AA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B0AA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B0AA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B0AAAF

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: fe0bafc67c28c57171a9ed14976a11d3e10eb34dd24206eb5992aa703e06261d
Instruction ID: 642243487fe55737b45aa94d27020f0f07cf06393f2d13b87562b8e0d31f2d14
Opcode Fuzzy Hash: fe0bafc67c28c57171a9ed14976a11d3e10eb34dd24206eb5992aa703e06261d
Instruction Fuzzy Hash: E8F04F712103046FEB215FA4AC89F6B3FACFF49755F040599F941D71D1DA609C42CA61

Function 00B0EC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00B0EC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 00B0ECAB
MessageBeep.USER32(00000000), ref: 00B0ECC3
KillTimer.USER32(?,0000040A), ref: 00B0ECDF
EndDialog.USER32(?,00000001), ref: 00B0ECF9

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: b757940b61996664a8b0b252d1ad00140af538959f9cf3ce2efddc4a1f8a9c34
Instruction ID: 11fa36944fa59c64c016b70c3f7ee2ff4e3cc9ba3b297843b5103e1c5c369dc8
Opcode Fuzzy Hash: b757940b61996664a8b0b252d1ad00140af538959f9cf3ce2efddc4a1f8a9c34
Instruction Fuzzy Hash: E1018130500745ABFB355B50DE4EB967BB8FB10706F000A99F593A64E0EBF1AA84CB40

Function 00AEB0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00AEB0BA
StrokeAndFillPath.GDI32(?,?,00B4E680,00000000,?,?,?), ref: 00AEB0D6
SelectObject.GDI32(?,00000000), ref: 00AEB0E9
DeleteObject.GDI32 ref: 00AEB0FC
StrokePath.GDI32(?), ref: 00AEB117

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 4f9a334f3f48af392d432b51a95aba7cf61835dbf86cad5d737e3794e9e93f9d
Instruction ID: b8410474c4c1fda4f87ae65a672fec5b362123ebe42800a2845d11bac6b9cc6a
Opcode Fuzzy Hash: 4f9a334f3f48af392d432b51a95aba7cf61835dbf86cad5d737e3794e9e93f9d
Instruction Fuzzy Hash: 9FF0EC35410745EFDB22AF6AEE0D7553F75A710362F088756F429860F0CB319965EF60

Function 00B1F23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B1F2DA
CoCreateInstance.OLE32(00B5DA7C,00000000,00000001,00B5D8EC,?), ref: 00B1F2F2
CoUninitialize.OLE32 ref: 00B1F555

Strings

.lnk, xrefs: 00B1F28B, 00B1F290, 00B1F29E

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: 8428858a70d792e47a98626b08b4c97307b7291f46bc1693d02f45a1c6ef314f
Instruction ID: dfdadd9e6b1fcbd0b57ca0182ccff0ec896ec809841a807161eaa4244d37fe62
Opcode Fuzzy Hash: 8428858a70d792e47a98626b08b4c97307b7291f46bc1693d02f45a1c6ef314f
Instruction Fuzzy Hash: 5EA11C72104201AFD700EF64C981EAFB7ECEF98714F40495EF55697292EB70EA49CB52

Function 00B1E7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AD53B1,?,?,00AD61FF,?,00000000,00000001,00000000), ref: 00AD662F

CoInitialize.OLE32(00000000), ref: 00B1E85D
CoCreateInstance.OLE32(00B5DA7C,00000000,00000001,00B5D8EC,?), ref: 00B1E876
CoUninitialize.OLE32 ref: 00B1E893

Part of subcall function 00AD936C: __swprintf.LIBCMT ref: 00AD93AB
Part of subcall function 00AD936C: __itow.LIBCMT ref: 00AD93DF

Strings

.lnk, xrefs: 00B1E83B, 00B1E84D

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 52b0180eaa9fb69e3f74f4146e186365dd840c4e67d2623cf673f8efc299e691
Instruction ID: e4f247be177dedc86c5513a8bda8ac2b1b9844b5fb6bb9e163f93aa87e37554b
Opcode Fuzzy Hash: 52b0180eaa9fb69e3f74f4146e186365dd840c4e67d2623cf673f8efc299e691
Instruction Fuzzy Hash: DAA166356043019FCB10EF24C984E5ABBE5FF88310F548999F9A69B3A1CB31EC85CB91

Function 00AF325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00AF32ED

Part of subcall function 00AFE0D0: __87except.LIBCMT ref: 00AFE10B

Strings

pow, xrefs: 00AF32C5, 00AF32E2

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: a1a85b9b9d6db0ae82b7a1ec48611e402b8f55df2e3d5d21565c8e72037953a2
Instruction ID: 34c9b83c3d463d44105b2c83bc7b43850e55027a33610120704bb0115e11e66d
Opcode Fuzzy Hash: a1a85b9b9d6db0ae82b7a1ec48611e402b8f55df2e3d5d21565c8e72037953a2
Instruction Fuzzy Hash: 67515D32A0920D96DF15F7D4CD413BE2BA49B90710F208E68F6D5871F9EF788DC49645

Function 00B14606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,00B6DC50,?,0000000F,0000000C,00000016,00B6DC50,?), ref: 00B14645

Part of subcall function 00AD936C: __swprintf.LIBCMT ref: 00AD93AB
Part of subcall function 00AD936C: __itow.LIBCMT ref: 00AD93DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 00B146C5

Strings

REMOVE, xrefs: 00B14676
THIS, xrefs: 00B14703

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: a0c4789704a7170a0816e5babeccde5ec2768aca4169cc9d8bdf1a17925e32ad
Instruction ID: 7321da212bf1d778c210c59349cc8fb196daa31b7252f5a8129901b99bb74849
Opcode Fuzzy Hash: a0c4789704a7170a0816e5babeccde5ec2768aca4169cc9d8bdf1a17925e32ad
Instruction Fuzzy Hash: 63417F34A002099FCF00EFA4C981AAEB7F5FF4A314F548499E916AB392DB30DD85CB50

Function 00B0C189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B1430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B0BC08,?,?,00000034,00000800,?,00000034), ref: 00B14335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00B0C1D3

Part of subcall function 00B142D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B0BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00B14300

Part of subcall function 00B1422F: GetWindowThreadProcessId.USER32(?,?), ref: 00B1425A
Part of subcall function 00B1422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00B0BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00B1426A
Part of subcall function 00B1422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00B0BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00B14280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B0C240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B0C28D

Strings

@, xrefs: 00B0C2A5

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 89db1e0fc87454777608b91511c66683739fc107d04f4a2f7012a928543794fb
Instruction ID: cb26c465692ad66c5d9a5907dfc0ccdb9d3faafcaa9405f88b43f7cf83df6232
Opcode Fuzzy Hash: 89db1e0fc87454777608b91511c66683739fc107d04f4a2f7012a928543794fb
Instruction Fuzzy Hash: 0841297290021CAFDB11DFA4CD81AEEBBB8EF09700F004195FA55B7181DB716E89CBA1

Function 00B3A63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00B6DC00,00000000,?,?,?,?), ref: 00B3A6D8
GetWindowLongW.USER32 ref: 00B3A6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B3A705

Strings

SysTreeView32, xrefs: 00B3A6AA

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 26a42fd7a572559ec7d861665b46884bd0d114c11653bf87dc7799a7ef1d3b48
Instruction ID: 744fd1f1624679fab25fc0b41006e36c055250b0fca975dcaf2e8970a9cb9c62
Opcode Fuzzy Hash: 26a42fd7a572559ec7d861665b46884bd0d114c11653bf87dc7799a7ef1d3b48
Instruction Fuzzy Hash: A8319E31640206ABDB218F38CC85BEA77A9FB49324F344765F8B5932E0DB70AC519B50

Function 00B3A0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00B3A15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00B3A172
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B3A196

Strings

SysMonthCal32, xrefs: 00B3A129

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: a21b7a14f7b1c573260def50ad8f09e07cc802f3dab09064f422c7ceadfe37d5
Instruction ID: c68465ccd7f3a39a004173732b37693dd6fb07813de9da90cc950aeada5d3619
Opcode Fuzzy Hash: a21b7a14f7b1c573260def50ad8f09e07cc802f3dab09064f422c7ceadfe37d5
Instruction Fuzzy Hash: 1A21A132510218ABEF158FA4CC82FEA3BB9EF49714F210254FA557B1D0DAB5AC51DB90

Function 00B3A88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00B3A941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00B3A94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B3A956

Strings

msctls_updown32, xrefs: 00B3A8BB

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 0e7ad5a9026e9b7dbcfb6b92c5026429123c74183c12102e046d4268673ef8cf
Instruction ID: 83c8c91ef907a9ee3a2c39af2b8689c148bc01419b90c20196439c8155943acb
Opcode Fuzzy Hash: 0e7ad5a9026e9b7dbcfb6b92c5026429123c74183c12102e046d4268673ef8cf
Instruction Fuzzy Hash: F721AEB560020AAFDB10DF28CC81E6737ECEB4A3A4F240599FA049B261CB30EC119B61

Function 00B399A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00B39A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00B39A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00B39A65

Strings

Listbox, xrefs: 00B399FD

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 899ed08c85f7881ba83cd7af62a398ee3abe05575afc4749c69cf03288952150
Instruction ID: 77663cf9bd6e5d63197d2da28d59d37f08b932d37b1542b75cd9bc90c585b48c
Opcode Fuzzy Hash: 899ed08c85f7881ba83cd7af62a398ee3abe05575afc4749c69cf03288952150
Instruction Fuzzy Hash: 77219532650118BFEB258F54CC85FBF3BAAEF89750F118269F9545B1A0CAB19C52C7A0

Function 00B3A409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B3A46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B3A482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B3A48F

Strings

msctls_trackbar32, xrefs: 00B3A444

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: a333c8ccb069a0d3140243e5f104db6f9a7cb641608b03b2fd7094568fb7df09
Instruction ID: 9eab1692f2a95d961bffba553f0f03eda79f7c1c9564eae87cc11c21fb205213
Opcode Fuzzy Hash: a333c8ccb069a0d3140243e5f104db6f9a7cb641608b03b2fd7094568fb7df09
Instruction Fuzzy Hash: AE110A71200308BEEF205F65CC45FAB3BA9EF89754F214218FA45961E1D6B2E811D720

Function 00AF2287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00AF2350,?), ref: 00AF22A1
GetProcAddress.KERNEL32(00000000), ref: 00AF22A8

Strings

combase.dll, xrefs: 00AF229C
RoInitialize, xrefs: 00AF2290

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: 863c982a45907833b15b7013d4f8747b0173b45dad1b48bdac62d87a9d0327be
Instruction ID: e3f92eb06e704972aedfd5d269452c9ef79cb67d2897861022ac422fcaa4ab94
Opcode Fuzzy Hash: 863c982a45907833b15b7013d4f8747b0173b45dad1b48bdac62d87a9d0327be
Instruction Fuzzy Hash: 96E01A706A0312AFEB206F70ED49B6536A4A700702F1041A6B202F70B0CFB94084CF04

Function 00AF235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00AF2276), ref: 00AF2376
GetProcAddress.KERNEL32(00000000), ref: 00AF237D

Strings

combase.dll, xrefs: 00AF2371
RoUninitialize, xrefs: 00AF2365

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: d7df87936f7541783871a1551c5a639ccd25f956b46ad4225a91434b304a7b2a
Instruction ID: 775cc60ef20725351f1df9477499d71a73425b300ea774907f1dc62c32fa0558
Opcode Fuzzy Hash: d7df87936f7541783871a1551c5a639ccd25f956b46ad4225a91434b304a7b2a
Instruction Fuzzy Hash: 81E0B6B4594314AFEB316FA0EE1DB253AA5BB00702F100696F609F70B0CFB95444CB15

Function 00B4AC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00B4AC60
__swprintf.LIBCMT ref: 00B4AC94

Strings

%.3d, xrefs: 00B4AC6E
WIN_XPe, xrefs: 00B4ACD3

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 51ddc94bbd4349d5d0b20b281b6f949b55304defd93d47e861bca8c90f915263
Instruction ID: 354a8b0d6cb279da6bebceb159d794ef7957fa3b52f814d8998e50f21f84b1ce
Opcode Fuzzy Hash: 51ddc94bbd4349d5d0b20b281b6f949b55304defd93d47e861bca8c90f915263
Instruction Fuzzy Hash: C4E0EC71844658EBCA90AB90DDC59F9B3FCE704741F1000D2B90AA2411D6359B84BA12

Function 00AD42F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00AD42EC,?,00AD42AA,?), ref: 00AD4304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00AD4316

Strings

kernel32.dll, xrefs: 00AD42FF
Wow64RevertWow64FsRedirection, xrefs: 00AD4310

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: dfaf96a6207e3a8bfbd44140beeda8acbe420c1e50a5c8195a4095e7d7b4272d
Instruction ID: 24b7dd1dadbfca95ed1c4fe4986c4534fb0f6afbabfc9a6bc8e9dbe7475e48ed
Opcode Fuzzy Hash: dfaf96a6207e3a8bfbd44140beeda8acbe420c1e50a5c8195a4095e7d7b4272d
Instruction Fuzzy Hash: 5CD0C770544B139FD7305F75E84C74176D4EB18712B11459AF557E3674DBB0C880CB50

Function 00B32205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00B321FB,?,00B323EF), ref: 00B32213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00B32225

Strings

kernel32.dll, xrefs: 00B3220E
GetProcessId, xrefs: 00B3221F

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: a070701ddb283819fde6899516f502ce888b69e54f73557632c07a2131b6dd5f
Instruction ID: eb6348e6332197682196dd926e0a6e4625c01f6ed795e797a15c7eb1bb7a5255
Opcode Fuzzy Hash: a070701ddb283819fde6899516f502ce888b69e54f73557632c07a2131b6dd5f
Instruction Fuzzy Hash: E3D05E34500B139FC7615B30EC0874276D4EB09302F104499A841E2160DB70D880CB90

Function 00AD434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00AD41BB,00AD4341,?,00AD422F,?,00AD41BB,?,?,?,?,00AD39FE,?,00000001), ref: 00AD4359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00AD436B

Strings

kernel32.dll, xrefs: 00AD4354
Wow64DisableWow64FsRedirection, xrefs: 00AD4365

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: ded8dc62880d6352dacfeb173bbc0bb7f35cd0307501c2416fde44feac6fda40
Instruction ID: d4415ebb5791eb54017e2a97a048875f1ca59f521150bb06312a53499de80d70
Opcode Fuzzy Hash: ded8dc62880d6352dacfeb173bbc0bb7f35cd0307501c2416fde44feac6fda40
Instruction Fuzzy Hash: 1DD0C770544B139FD7705F75E80874176D4AB18B16F11459AF497F3670DBB0D880CB50

Function 00B10539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,00B1051D,?,00B105FE), ref: 00B10547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00B10559

Strings

RegisterTypeLibForUser, xrefs: 00B10553
oleaut32.dll, xrefs: 00B10542

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: 2083a09450a133dabc4b67a414ba4df9dc66308cc3f268c7c3a5aae184373aab
Instruction ID: bcd9075998e4af80813effb35d88e5328e7960c8277336d765693764e59bdefb
Opcode Fuzzy Hash: 2083a09450a133dabc4b67a414ba4df9dc66308cc3f268c7c3a5aae184373aab
Instruction Fuzzy Hash: 6CD05E30520B129EC720AB20A84874176E4AB20302B508499E446E2160DAB0C8C0CB10

Function 00B10564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00B1052F,?,00B106D7), ref: 00B10572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00B10584

Strings

oleaut32.dll, xrefs: 00B1056D
UnRegisterTypeLibForUser, xrefs: 00B1057E

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: 1f93372569a217e08eb70e92fc99dd7cf47971fd0687b8673e9e9bbfcec100a0
Instruction ID: 229d151f947b63b53b4b25301dad4d9f5b66fd697d4ad8d628e43ff3f504f7eb
Opcode Fuzzy Hash: 1f93372569a217e08eb70e92fc99dd7cf47971fd0687b8673e9e9bbfcec100a0
Instruction Fuzzy Hash: CBD09E745147129ED7207F75A848B4677E5AB14711B60859AE955E2160DAB0D4C0CB60

Function 00B2ECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00B2ECBE,?,00B2EBBB), ref: 00B2ECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00B2ECE8

Strings

kernel32.dll, xrefs: 00B2ECD1
GetSystemWow64DirectoryW, xrefs: 00B2ECE2

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 0bb1e75e6695329816c209d401c0f72f02005e135c84c562bb75b8982f9e0e95
Instruction ID: a2e25fc1877b49401b435fdda01a083c311239a29f7a5ab1af8e21d699dd5274
Opcode Fuzzy Hash: 0bb1e75e6695329816c209d401c0f72f02005e135c84c562bb75b8982f9e0e95
Instruction Fuzzy Hash: 12D09E70500B239EDB206BA5A8487427AE4EB04752B14859AB859E2671DF70D880DB60

Function 00B2BADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00B2BAD3,00000001,00B2B6EE,?,00B6DC00), ref: 00B2BAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00B2BAFD

Strings

kernel32.dll, xrefs: 00B2BAE6
GetModuleHandleExW, xrefs: 00B2BAF7

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 1e22987e3adf9736559547b41d81df30a8d336c3db3a4121fe31942478c3f4cb
Instruction ID: 5657c683b28542249d805496643fa12398587446670ef11333a7a36185e28a07
Opcode Fuzzy Hash: 1e22987e3adf9736559547b41d81df30a8d336c3db3a4121fe31942478c3f4cb
Instruction Fuzzy Hash: 46D09E70900B239EDB306F75B888B5277D4EB04752B104999A857E2564EFB0D880CB54

Function 00B33BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00B33BD1,?,00B33E06), ref: 00B33BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B33BFB

Strings

advapi32.dll, xrefs: 00B33BE4
RegDeleteKeyExW, xrefs: 00B33BF5

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: fbea8d421f698ca4de4b56e4e1db777a6bb77340050bf3896d0a92e7bc06bc19
Instruction ID: a8a6271ed6c86404fefdef5591c69c16c3cee0a59783e38fd7d75b2b81e96264
Opcode Fuzzy Hash: fbea8d421f698ca4de4b56e4e1db777a6bb77340050bf3896d0a92e7bc06bc19
Instruction Fuzzy Hash: 0BD09E70500B529ED7206B65A808743BAE4EB05715F2055D9E455E2160EBB0D4C4CF50

Function 00B09B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2deba1993dc4d46e276aa19ef320b96046c992421269cac3d7eb989c3f574e0c
Instruction ID: 152bd52644a439e702cd743408a26cb2759cdae05c71c423d24ae71d0acc4675
Opcode Fuzzy Hash: 2deba1993dc4d46e276aa19ef320b96046c992421269cac3d7eb989c3f574e0c
Instruction Fuzzy Hash: D5C12B75A0021AEFDB14DF94C894AAEBBF5FF48710F1085D8E915AB292D730DE41DB90

Function 00B2AA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B2AAB4
CoUninitialize.OLE32 ref: 00B2AABF

Part of subcall function 00B10213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B1027B

VariantInit.OLEAUT32(?), ref: 00B2AACA
VariantClear.OLEAUT32(?), ref: 00B2AD9D

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: e57a19185dfacaa1db2c89e232c3b3e5309e9fdeb4de0a05f82dc030954e82a6
Instruction ID: af27937c34a4e44c0660ebfc2a4647895f3213b924be813b2f673803a93556ed
Opcode Fuzzy Hash: e57a19185dfacaa1db2c89e232c3b3e5309e9fdeb4de0a05f82dc030954e82a6
Instruction Fuzzy Hash: 48A159352047119FCB10EF18D985B5AB7E5FF88750F148499FA9A9B3A2CB30ED40CB86

Function 00B091CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B091DD
SysAllocString.OLEAUT32(?), ref: 00B09286
VariantCopy.OLEAUT32 ref: 00B092B5
VariantClear.OLEAUT32(?), ref: 00B092DC

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 94b90742bf97c39ee292b54c24a03ab18e7a40555693c52a460577de45c58463
Instruction ID: bd48df17aaaaca0f10477fe2f87c69153e59d18b5c9bf23eb51d176b44e021de
Opcode Fuzzy Hash: 94b90742bf97c39ee292b54c24a03ab18e7a40555693c52a460577de45c58463
Instruction Fuzzy Hash: 295174306043069BDB34AF66D4E5A6EBBE5EF54310F20985FE556DB2D3DB7098808B09

Function 00AF365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AF36B7
_memcpy_s.LIBCMT ref: 00AF3729
__filbuf.LIBCMT ref: 00AF37AA
_memset.LIBCMT ref: 00AF37EE

Part of subcall function 00AF7C0E: __getptd_noexit.LIBCMT ref: 00AF7C0E

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction ID: 79c0d31b96900d6310bd4f4663f7d00b5b4ce3ce52d2b6873ef2ad5bf751f8d6
Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction Fuzzy Hash: 865191B2A0120DABDF24DFE9C98467F77B5AF40360F248629FA26D62D0D7749F508B50

Function 00B3C4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00CB6328,?), ref: 00B3C544
ScreenToClient.USER32(?,00000002), ref: 00B3C574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 00B3C5DA

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: a0b0934ce50ff33e063223396e6dc61fc8c624e9518f455e37babf2ee09ab24e
Instruction ID: f43d8a28f7ce5de523c377e8094ac15dc406549d4db454b51f6c9902dc50cf37
Opcode Fuzzy Hash: a0b0934ce50ff33e063223396e6dc61fc8c624e9518f455e37babf2ee09ab24e
Instruction Fuzzy Hash: E8512175A00205EFCF20DFA8C881AAE7BF5EB55320F218699F965A7291D770ED41CB50

Function 00B0C410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00B0C462
__itow.LIBCMT ref: 00B0C49C

Part of subcall function 00B0C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00B0C753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00B0C505
__itow.LIBCMT ref: 00B0C55A

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 20ae750f06797471e321e2135b263ab385157c1a4b7bc8db494689ab8c4be101
Instruction ID: 058612d15285d0064b6e70387decfbf0b20e0c95d963932aa4c737b91da0c211
Opcode Fuzzy Hash: 20ae750f06797471e321e2135b263ab385157c1a4b7bc8db494689ab8c4be101
Instruction Fuzzy Hash: 7741A271A00209ABDF25EF64CD52BEE7FF5AF58700F00019AFA06A32D1DB709A45CB91

Function 00B1390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00B13966
SetKeyboardState.USER32(00000080,?,00000001), ref: 00B13982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00B139EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00B13A4D

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 87dd3bd2cfb212ed8681df8a5b616d7bcfbb82d57e28bacbe412597bb2382154
Instruction ID: f2d1f6525165fe4aefda46b43c9b8f01f9c4cce90093e6a3e1143276b3b5b10e
Opcode Fuzzy Hash: 87dd3bd2cfb212ed8681df8a5b616d7bcfbb82d57e28bacbe412597bb2382154
Instruction Fuzzy Hash: 50413930A04248AAEF308B64D845BFDBBF9DF55750F8401DAE4C2A21C1E7B48EC5D765

Function 00B3B544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B3B5D1

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 018eec143031ea60db6e21e3bef5c0e8e5fa4cd0e42cd9bbe077c67dbe5de3a6
Instruction ID: 6cebe39475349d8fb3f5a343e0bd5d99483b1383de36972dcea50b7e136a64d4
Opcode Fuzzy Hash: 018eec143031ea60db6e21e3bef5c0e8e5fa4cd0e42cd9bbe077c67dbe5de3a6
Instruction Fuzzy Hash: 9A31BC74601208BBEF209F18CC9AFA8B7E5EB15310F744586FB51D72EACB30A9509B51

Function 00B3D7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00B3D807
GetWindowRect.USER32(?,?), ref: 00B3D87D
PtInRect.USER32(?,?,00B3ED5A), ref: 00B3D88D
MessageBeep.USER32(00000000), ref: 00B3D8FE

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 31e9043430e43c378d92d2e6e3db08bfa9ec23ebf3b7b746a1bb6ba5f8d103bc
Instruction ID: 93bc8e4299037396a9d2135dd0790830cdcd2c4fa80e33314ca1d9184dbe8a79
Opcode Fuzzy Hash: 31e9043430e43c378d92d2e6e3db08bfa9ec23ebf3b7b746a1bb6ba5f8d103bc
Instruction Fuzzy Hash: 38417C74A00219DFCB11DF58E884BA9BBF5FF49311F2886EAE8149B2A1D730F945CB50

Function 00B13A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 00B13AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00B13AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00B13B34
SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 00B13B92

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 33f052cef672f8dcda014945bbc66a54fd0d4f0944ec8f31b3bb176b1b723361
Instruction ID: f14aeae8defdd196fb8c58d695f241e7a7f3cdec6a8e0ce7fabcb44d7f9b89ec
Opcode Fuzzy Hash: 33f052cef672f8dcda014945bbc66a54fd0d4f0944ec8f31b3bb176b1b723361
Instruction Fuzzy Hash: 3F312070A08258AEEF308B648859BFF7BE9DB55B10F8402DAE481932D1F7748BC5C761

Function 00B04004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00B04038
__isleadbyte_l.LIBCMT ref: 00B04066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00B04094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00B040CA

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 139dd89c51c81310eca24caabfe49977ede3b5e0d7edeeca3ef1ad86d3896639
Instruction ID: 05b17dc76238c3cc1e5c688468c1512c522763eabc0030ebef20c15d633d1154
Opcode Fuzzy Hash: 139dd89c51c81310eca24caabfe49977ede3b5e0d7edeeca3ef1ad86d3896639
Instruction Fuzzy Hash: AF31CF70600206AFDB219F65C944BBA7FE9FF40310F1540A8E761AB0E0F731E890DB90

Function 00B37CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00B37CB9

Part of subcall function 00B15F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B15F6F
Part of subcall function 00B15F55: GetCurrentThreadId.KERNEL32 ref: 00B15F76
Part of subcall function 00B15F55: AttachThreadInput.USER32(00000000,?,00B1781F), ref: 00B15F7D

GetCaretPos.USER32(?), ref: 00B37CCA
ClientToScreen.USER32(00000000,?), ref: 00B37D03
GetForegroundWindow.USER32 ref: 00B37D09

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: a4e2151636c750fc5ad66fe8e8bad9b2c017dbac41dd5dfa4ace9f8ff582553e
Instruction ID: 0cb37a03d66d3cf46bdb6fa2c32c6411bd5bf1ba9a3380483d0ed96f1ec578be
Opcode Fuzzy Hash: a4e2151636c750fc5ad66fe8e8bad9b2c017dbac41dd5dfa4ace9f8ff582553e
Instruction Fuzzy Hash: C331D472900108AFDB10EFA9D9459EFBBFDEF94314B1044A6E815E7211DA719E45CB90

Function 00B3F1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AEB34E: GetWindowLongW.USER32(?,000000EB), ref: 00AEB35F

GetCursorPos.USER32(?), ref: 00B3F211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00B4E4C0,?,?,?,?,?), ref: 00B3F226
GetCursorPos.USER32(?), ref: 00B3F270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00B4E4C0,?,?,?), ref: 00B3F2A6

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 318a0e61d7367c3d87b6d4d12f7da5017fc45f61935c3965cdb1f2ab0f5bfffb
Instruction ID: 77a0f03c1ea3ea7a77f364213282dd0cf86cf899908ee33923a1859f81e43331
Opcode Fuzzy Hash: 318a0e61d7367c3d87b6d4d12f7da5017fc45f61935c3965cdb1f2ab0f5bfffb
Instruction Fuzzy Hash: 9521A039900118EFCB258F98DC58EFB7BB5EF09311F1444AAF9054B2A1D7309961DB60

Function 00B2431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B24358

Part of subcall function 00B243E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B24401
Part of subcall function 00B243E2: InternetCloseHandle.WININET(00000000), ref: 00B2449E

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 6b20e8a485e08661bd756b43bbc0414e77cc39f97088a6a8bb589ce38f68f967
Instruction ID: 2d9e040f779449183a84ad460aca890cf33688aa91bcbd4e98e3276bc0d22870
Opcode Fuzzy Hash: 6b20e8a485e08661bd756b43bbc0414e77cc39f97088a6a8bb589ce38f68f967
Instruction Fuzzy Hash: 0C219F31200725BBEB26DF60EC40FBBB7E9FF48711F10416ABA1997A50DB7198219B94

Function 00B38A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00B38AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B38AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B38ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00B38ADC

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 531898e4e24a16b7e4eabc5318e321200f0c4e17575e9fc7eacb1e50a6ee096a
Instruction ID: 7b228a9f517be3fc27e1f7b664e6955abc37e1654981399511a72c9a4e1cd0a1
Opcode Fuzzy Hash: 531898e4e24a16b7e4eabc5318e321200f0c4e17575e9fc7eacb1e50a6ee096a
Instruction Fuzzy Hash: 6A11BE31205611AFDB14AB28CC45FBA77E9EF85321F24429AF816C73E1CF70AC018791

Function 00B28A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00B28AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00B28AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 00B28AFF
WSAGetLastError.WSOCK32(00000000), ref: 00B28B16

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: a212ab32946189eb670096976f93ca7f0425bf153593a21377eba411a582c9f7
Instruction ID: fe85851ebcc0db783631999d914d053ea87e4e564f4b47430cca8dce6de225d0
Opcode Fuzzy Hash: a212ab32946189eb670096976f93ca7f0425bf153593a21377eba411a582c9f7
Instruction Fuzzy Hash: 50219372A001249FC7219F69D885BDEBBECEF49310F0041AAF849D7291DB749E418F90

Function 00B10AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B11E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00B10ABB,?,?,?,00B1187A,00000000,000000EF,00000119,?,?), ref: 00B11E77
Part of subcall function 00B11E68: lstrcpyW.KERNEL32(00000000,?,?,00B10ABB,?,?,?,00B1187A,00000000,000000EF,00000119,?,?,00000000), ref: 00B11E9D
Part of subcall function 00B11E68: lstrcmpiW.KERNEL32(00000000,?,00B10ABB,?,?,?,00B1187A,00000000,000000EF,00000119,?,?), ref: 00B11ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00B1187A,00000000,000000EF,00000119,?,?,00000000), ref: 00B10AD4
lstrcpyW.KERNEL32(00000000,?,?,00B1187A,00000000,000000EF,00000119,?,?,00000000), ref: 00B10AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,00B1187A,00000000,000000EF,00000119,?,?,00000000), ref: 00B10B2E

Strings

cdecl, xrefs: 00B10B25

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: fc85a7e066810857fe641fdf2d77dd17435571f6cc139b92ad5bb63c631a2b62
Instruction ID: 490704c1b0eca8de7f76453109bc8cee46383db564ac64b68c186b1e083b9b03
Opcode Fuzzy Hash: fc85a7e066810857fe641fdf2d77dd17435571f6cc139b92ad5bb63c631a2b62
Instruction Fuzzy Hash: 8A11D636110305AFDB25AF34DC45EBA77E8FF45350B8041AAF905CB250EB719880C7E0

Function 00B02F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B02FB5

Part of subcall function 00AF395C: __FF_MSGBANNER.LIBCMT ref: 00AF3973
Part of subcall function 00AF395C: __NMSG_WRITE.LIBCMT ref: 00AF397A
Part of subcall function 00AF395C: RtlAllocateHeap.NTDLL(00C90000,00000000,00000001,00000001,00000000,?,?,00AEF507,?,0000000E), ref: 00AF399F

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: b4cdd56ffb959afbe1aa76bfcbaddfce7d73ddbb8bc54ce9dfb605d9be720fe5
Instruction ID: 04a362e4930a6fb5a7234b2db99d77713abbe5cd20f238ccab4943a9fbc59d32
Opcode Fuzzy Hash: b4cdd56ffb959afbe1aa76bfcbaddfce7d73ddbb8bc54ce9dfb605d9be720fe5
Instruction Fuzzy Hash: C011E732409216ABDB313BB4AD4877D3FD8EF407A1F2045A5F909D6191EF30CD409690

Function 00B1058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00B105AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00B105C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00B105DD
FreeLibrary.KERNEL32(?), ref: 00B10632

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: 62e4faab2b94ede0008c143b4b29c47d5c300a90c8710ba237ac10381ca3cf8c
Instruction ID: 28fa78be0d5bed2feb05749b258d57fbe5f7ab1191fc66774947a8b3882bbd7c
Opcode Fuzzy Hash: 62e4faab2b94ede0008c143b4b29c47d5c300a90c8710ba237ac10381ca3cf8c
Instruction Fuzzy Hash: A4216A71910309EBDB20AF91EC88ADABBF8EF40704F4085A9E51696150DBB0EAD5DF50

Function 00B16713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00B16733
_memset.LIBCMT ref: 00B16754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00B167A6
CloseHandle.KERNEL32(00000000), ref: 00B167AF

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 03dc5730447b9fa9cb95c243337b4b73ea7bc33a71cadc6f1269fd42fcc972aa
Instruction ID: d7451f0e72ee4646e541a8147e2e3747b70b07b5b63db19e8907db707affebeb
Opcode Fuzzy Hash: 03dc5730447b9fa9cb95c243337b4b73ea7bc33a71cadc6f1269fd42fcc972aa
Instruction Fuzzy Hash: D411A7759012287AE73057A5AC4DFEBBBBCEF44764F1042DAF904E71D0D6744E808B64

Function 00B0B1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B0AA79
Part of subcall function 00B0AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B0AA83
Part of subcall function 00B0AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B0AA92
Part of subcall function 00B0AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B0AA99
Part of subcall function 00B0AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B0AAAF

GetLengthSid.ADVAPI32(?,00000000,00B0ADE4,?,?), ref: 00B0B21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00B0B227
HeapAlloc.KERNEL32(00000000), ref: 00B0B22E
CopySid.ADVAPI32(?,00000000,?), ref: 00B0B247

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: c6b0ae9a6a25d5947cf87518936e1d4093276fc69efd6022123b04d5ec86411f
Instruction ID: 6617a1a6be40ab394d4d26a808748ba573a6856969476ff1ea48ad66e8fb85a6
Opcode Fuzzy Hash: c6b0ae9a6a25d5947cf87518936e1d4093276fc69efd6022123b04d5ec86411f
Instruction Fuzzy Hash: 7911BC71A00205AFCB149F98CC94EAEBFE9EF84304B1484ADE942A7290DB31AE45CB10

Function 00B0B478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00B0B498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B0B4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B0B4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B0B4DB

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0fbb04127f7115760e951c3890987abfaef3f802fe1ed5cd80ecddb33c221282
Instruction ID: d871bf4f330c33ff2871c07f1b74d6c97fe43e36a061b9863eaf2e770814066a
Opcode Fuzzy Hash: 0fbb04127f7115760e951c3890987abfaef3f802fe1ed5cd80ecddb33c221282
Instruction Fuzzy Hash: 6511457A900218FFEB11DFA8C881E9DBBB8FB08700F204091EA05B7294D771AF11DB94

Function 00AEB55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00AEB34E: GetWindowLongW.USER32(?,000000EB), ref: 00AEB35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00AEB5A5
GetClientRect.USER32(?,?), ref: 00B4E69A
GetCursorPos.USER32(?), ref: 00B4E6A4
ScreenToClient.USER32(?,?), ref: 00B4E6AF

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 5a6811b7de5dbd9f23a7eed9f57ad3bf10a1efa320428478eafecfa3990f5103
Instruction ID: 0f6951bb3111671aa0a71474ae43e83ef48df1f084adf68bfc947a4839c89efc
Opcode Fuzzy Hash: 5a6811b7de5dbd9f23a7eed9f57ad3bf10a1efa320428478eafecfa3990f5103
Instruction Fuzzy Hash: 1211363191012ABFCB10DF98D9499EE7BB9FB08305F1004A1E912E7140D730AA82DBB1

Function 00B1732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B17352
MessageBoxW.USER32(?,?,?,?), ref: 00B17385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00B1739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00B173A2

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: bf7e619606b466763c337577adb537afbe11095393485fb644ab54a1cddfe01e
Instruction ID: 4daa695510f73d5357eed32a8655637d43e6ad87fd8650bf074f3d62b0b27c32
Opcode Fuzzy Hash: bf7e619606b466763c337577adb537afbe11095393485fb644ab54a1cddfe01e
Instruction Fuzzy Hash: 0F1104B2A08204AFC7029BA8EC09BDE7BFDDB48311F144396F925D32A1DE708D4197A5

Function 00AED17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AED1BA
GetStockObject.GDI32(00000011), ref: 00AED1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 00AED1D8

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 6d9a6edc7ce492219bdac3768f47de3079177fb4c20ead50f9519c4af4eaa6e4
Instruction ID: f23881738f644c64638b0341be13fd1ecf5093ddd2b40affa39984e3da1e120e
Opcode Fuzzy Hash: 6d9a6edc7ce492219bdac3768f47de3079177fb4c20ead50f9519c4af4eaa6e4
Instruction Fuzzy Hash: D3118C72501689BFEF124FA5DC54EEABB69FF08365F044216FA1592160CB31DD60EBA0

Function 00B04DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00B04E16

Part of subcall function 00B054F5: __fltout2.LIBCMT ref: 00B0551E

__cftog_l.LIBCMT ref: 00B04E3C
__cftoe_l.LIBCMT ref: 00B04E6E

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: ed51e7072bfc6f27bbc4793e2a55e598fcc5a064a7c73384fb612bada63150d6
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 98014C7200014EBBCF265E84DC458EE3FA3FB18350B588495FE18591B5D336CAB1AB81

Function 00AF7452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00AF7A0D: __getptd_noexit.LIBCMT ref: 00AF7A0E

__lock.LIBCMT ref: 00AF748F
InterlockedDecrement.KERNEL32(?), ref: 00AF74AC
_free.LIBCMT ref: 00AF74BF
InterlockedIncrement.KERNEL32(00CA2BE0), ref: 00AF74D7

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: a15aa3c983c96f58d6d126c6ffdfc58c7b1e02b98fb1be374595fff20ddf88c4
Instruction ID: fb3e284c6b1fc5f845ee9beede858bc02f94e6c8777148abbdc3d6a8d0cf6871
Opcode Fuzzy Hash: a15aa3c983c96f58d6d126c6ffdfc58c7b1e02b98fb1be374595fff20ddf88c4
Instruction Fuzzy Hash: 4601F532909729EBD722BFE49A0577DBB70BF04712F18415AFA24A36A0CB345941CFD6

Function 00AF7A94 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00AF7AD8

Part of subcall function 00AF7CF4: __mtinitlocknum.LIBCMT ref: 00AF7D06
Part of subcall function 00AF7CF4: EnterCriticalSection.KERNEL32(00000000,?,00AF7ADD,0000000D), ref: 00AF7D1F

InterlockedIncrement.KERNEL32(?), ref: 00AF7AE5
__lock.LIBCMT ref: 00AF7AF9
___addlocaleref.LIBCMT ref: 00AF7B17

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: 981d5cfa0009e69e3eed71920725f68d3427f6334e901e8848bb44f3fe5f47ba
Instruction ID: 35c4f7c9c186e1876aa1239fe15b84e1f39a7c3cb144ce0f92c2dcc8189820e0
Opcode Fuzzy Hash: 981d5cfa0009e69e3eed71920725f68d3427f6334e901e8848bb44f3fe5f47ba
Instruction Fuzzy Hash: 7D016D72404B049FD720EFB5CA0575AB7F0EF40325F20894EF59A972A0CBB0A644CB11

Function 00B3E32E Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B3E33D
_memset.LIBCMT ref: 00B3E34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00B93D00,00B93D44), ref: 00B3E37B
CloseHandle.KERNEL32 ref: 00B3E38D

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 119eab937f19a2d9295a2aa37c4d99ad3a70bfff92c91f7a6c5042805ef7fc56
Instruction ID: cd5fabf2f32936a14753777c5837a5e39b75647297a0c9d0611b46132d6b0ef0
Opcode Fuzzy Hash: 119eab937f19a2d9295a2aa37c4d99ad3a70bfff92c91f7a6c5042805ef7fc56
Instruction Fuzzy Hash: 6FF03AF1540308BBE6101B60AD5AF777ADCDB05B54F004472BE08D71A2DA759E0086A8

Function 00B3EA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00AEAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00AEAFE3
Part of subcall function 00AEAF83: SelectObject.GDI32(?,00000000), ref: 00AEAFF2
Part of subcall function 00AEAF83: BeginPath.GDI32(?), ref: 00AEB009
Part of subcall function 00AEAF83: SelectObject.GDI32(?,00000000), ref: 00AEB033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B3EA8E
LineTo.GDI32(00000000,?,?), ref: 00B3EA9B
EndPath.GDI32(00000000), ref: 00B3EAAB
StrokePath.GDI32(00000000), ref: 00B3EAB9

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 4fc799685618389fb9037f8bc07c1b0a7c8beea7ad93f4d407d65bd694da9182
Instruction ID: 7c664f0df60c25c11f508446c8450480ae3e5374f7109784d7d6aa951d6aaf38
Opcode Fuzzy Hash: 4fc799685618389fb9037f8bc07c1b0a7c8beea7ad93f4d407d65bd694da9182
Instruction Fuzzy Hash: 70F0823200535ABBDB23AF94AD0DFCE3F59AF16312F184242FA11A20E1CB749561DB95

Function 00B0C82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00B0C84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B0C85D
GetCurrentThreadId.KERNEL32 ref: 00B0C864
AttachThreadInput.USER32(00000000), ref: 00B0C86B

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 8240a98c732319356c18f1d8ab9bc126991bbfdf8b1298bb7c4c80e1c2967425
Instruction ID: f52997840ac142791b22a5042192b749febf7f1f84320fd750b644def5d073d4
Opcode Fuzzy Hash: 8240a98c732319356c18f1d8ab9bc126991bbfdf8b1298bb7c4c80e1c2967425
Instruction Fuzzy Hash: 70E03071141324B6DB201F619C4DFDB7F5CEF057A2F408251B60995490DBB1C981C7E0

Function 00B0B0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00B0B0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,00B0AC9D), ref: 00B0B0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00B0AC9D), ref: 00B0B0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,00B0AC9D), ref: 00B0B0F1

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 293533369121e7075828aeb4340c100cb604d1829bb0a25cea99cce150f4cf11
Instruction ID: 45f99389814817179a6c175f86346af5a304d1d69dc578742eb8845f8a5d126e
Opcode Fuzzy Hash: 293533369121e7075828aeb4340c100cb604d1829bb0a25cea99cce150f4cf11
Instruction Fuzzy Hash: 24E04F326013129BD7302FB15C0CF473BA8EF55792F1189A8A241D7080EE2484418760

Function 00AEB47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00AEB496
SetTextColor.GDI32(?,000000FF), ref: 00AEB4A0
SetBkMode.GDI32(?,00000001), ref: 00AEB4B5
GetStockObject.GDI32(00000005), ref: 00AEB4BD
GetWindowDC.USER32(?,00000000), ref: 00B4DE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 00B4DE38
GetPixel.GDI32(00000000,?,00000000), ref: 00B4DE51
GetPixel.GDI32(00000000,00000000,?), ref: 00B4DE6A
GetPixel.GDI32(00000000,?,?), ref: 00B4DE8A
ReleaseDC.USER32(?,00000000), ref: 00B4DE95

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: ec67a9b46e04a3fa734ff5257f56b28985bca3fc30ca2f909d297fcc0b49d300
Instruction ID: 97832babee4f17f021d5205b10e337978277f14222ffb891cd9e86130ac4f19a
Opcode Fuzzy Hash: ec67a9b46e04a3fa734ff5257f56b28985bca3fc30ca2f909d297fcc0b49d300
Instruction Fuzzy Hash: 0DE06D31100740AADF312B74AC0DBD83B11EB12336F00C7A6F669A80E1CBB18680DB11

Function 00B4B29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00B4B29A
GetDC.USER32(00000000), ref: 00B4B2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B4B2C3
ReleaseDC.USER32 ref: 00B4B2E2

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 855c8d468cd384a4d32d3f436bd6b3e8edd9d7482eab3c6604df65095403174e
Instruction ID: c98395989e682b366bbdf244d3c92a5b0d24e2258b90029af5dd7b8f516c73c6
Opcode Fuzzy Hash: 855c8d468cd384a4d32d3f436bd6b3e8edd9d7482eab3c6604df65095403174e
Instruction Fuzzy Hash: 11E01AB1100304EFDB115F70C848B2D7BA8EB4C352F118945F95AC7251CEB498419B40

Function 00B0B2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B0B2DF
UnloadUserProfile.USERENV(?,?), ref: 00B0B2EB
CloseHandle.KERNEL32(?), ref: 00B0B2F4
CloseHandle.KERNEL32(?), ref: 00B0B2FC

Part of subcall function 00B0AB24: GetProcessHeap.KERNEL32(00000000,?,00B0A848), ref: 00B0AB2B
Part of subcall function 00B0AB24: HeapFree.KERNEL32(00000000), ref: 00B0AB32

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: c0e536b636f9838284cb14792c4b458a53016b36fcdc32ea1cbc9f1b72e9f44c
Instruction ID: 59dfa761c90c4e6ef71440cdf53c5af1659a1b9bfd590802dd14ea88c5891181
Opcode Fuzzy Hash: c0e536b636f9838284cb14792c4b458a53016b36fcdc32ea1cbc9f1b72e9f44c
Instruction Fuzzy Hash: 67E0BF36104205BBCB122B95DC08959FFA6FF883227108761F61582571CF329871EB55

Function 00B4B2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00B4B2AE
GetDC.USER32(00000000), ref: 00B4B2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B4B2C3
ReleaseDC.USER32 ref: 00B4B2E2

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 4a8864071bb3262baaf576c484b1933aa31ddf07f73f3b26deee1098a2f48b4c
Instruction ID: 1706998179165daf3f30797de306a0826f3986130b8d69226f5c22509fb7b8da
Opcode Fuzzy Hash: 4a8864071bb3262baaf576c484b1933aa31ddf07f73f3b26deee1098a2f48b4c
Instruction Fuzzy Hash: D2E046B1500300EFDB115F70CC4872D7BA8EB4C362F118A49F95ACB251CFB898428B00

Function 00AF3FAD Relevance: 6.0, APIs: 4, Instructions: 14threadCOMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 00AF3FAE

Part of subcall function 00AF7A25: GetLastError.KERNEL32(00000001,00AEF507,00AF7C13,00AF39E3,?,?,00AEF507,?,0000000E), ref: 00AF7A27
Part of subcall function 00AF7A25: __calloc_crt.LIBCMT ref: 00AF7A48
Part of subcall function 00AF7A25: GetCurrentThreadId.KERNEL32 ref: 00AF7A71
Part of subcall function 00AF7A25: SetLastError.KERNEL32(00000000,00AEF507,?,0000000E), ref: 00AF7A89

CloseHandle.KERNEL32(?,?,00AF3F8D), ref: 00AF3FC2
__freeptd.LIBCMT ref: 00AF3FC9
ExitThread.KERNEL32 ref: 00AF3FD1

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit
String ID:
API String ID: 408300095-0
Opcode ID: 6160871bc9b779ce05f793f17d2cb4f6f2906235c4d5654b9ad0c1f7d10f8850
Instruction ID: ebaccfe39d30a9908a37052c1932eb3a6048cd7994fde5d26433ffaa3e43c994
Opcode Fuzzy Hash: 6160871bc9b779ce05f793f17d2cb4f6f2906235c4d5654b9ad0c1f7d10f8850
Instruction Fuzzy Hash: 57D0A732445F145BCA322BA09D0973D77606F00762B054344F2A54A0E08F204F018786

Function 00B0DCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00B0DEAA

Strings

Container, xrefs: 00B0DE29
AutoIt3GUI, xrefs: 00B0DE22

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 2cb4595c2f0082e0b94e5af8809c3ffda3d6ce35000897791ddd6d3d2a31deb2
Instruction ID: ff504323979a1debde20597255ecbb216ccb48dd1e1cab787b38b317d3574369
Opcode Fuzzy Hash: 2cb4595c2f0082e0b94e5af8809c3ffda3d6ce35000897791ddd6d3d2a31deb2
Instruction Fuzzy Hash: 77910674600602AFDB14DFA4C884B6ABBF5EF49710B1485ADF94ACB6E1DB71E841CB50

Function 00B1DE7C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 200shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00AEC6F4: _wcscpy.LIBCMT ref: 00AEC717

Part of subcall function 00AD936C: __swprintf.LIBCMT ref: 00AD93AB
Part of subcall function 00AD936C: __itow.LIBCMT ref: 00AD93DF

__wcsnicmp.LIBCMT ref: 00B1DEFD
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00B1DFC6

Strings

LPT, xrefs: 00B1DEF7

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 3756835f5327918fcdc7a4c86b9d627e45f93bb0ea218b795047f10fb3882680
Instruction ID: 0aeff50f246f4ff8327f210ae04dc2e400e7adc22d4857b7ef79d39e64e08217
Opcode Fuzzy Hash: 3756835f5327918fcdc7a4c86b9d627e45f93bb0ea218b795047f10fb3882680
Instruction Fuzzy Hash: C9618F75A00215AFCB14EF98C996EEEB7F4EF08710F40409AF956AB291D770EE81CB54

Function 00AEBCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00AEBCDA
GlobalMemoryStatusEx.KERNEL32 ref: 00AEBCF3

Strings

@, xrefs: 00AEBCE8

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f313ce2a681315d7174061feaa950579ee466717be0a633e58fa61ecfd5b2aef
Instruction ID: be2557a934686e33961d9669a1113ff77109cf34d4915a26179396ccbcfc26f5
Opcode Fuzzy Hash: f313ce2a681315d7174061feaa950579ee466717be0a633e58fa61ecfd5b2aef
Instruction Fuzzy Hash: 8B5115724087849BE320AF15D886BAFBBECFB94354F514C4DF1C8420A6EFB185A8C756

Function 00B1C56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00AD44ED: __fread_nolock.LIBCMT ref: 00AD450B

_wcscmp.LIBCMT ref: 00B1C65D
_wcscmp.LIBCMT ref: 00B1C670

Strings

FILE, xrefs: 00B1C5A5

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 5712767573fc3f628854f119a653affe692fffd5c41913ded9ec08a2ba8958b2
Instruction ID: f556bc5c50842769abb6c918d3e836dbb89fce47f33df88a7a44e96471b588e8
Opcode Fuzzy Hash: 5712767573fc3f628854f119a653affe692fffd5c41913ded9ec08a2ba8958b2
Instruction Fuzzy Hash: DB41D576A0020ABBDF209AA49C41FEF7BF9EF49714F4000BAF606EB181D6709A44CB55

Function 00B3A76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00B3A85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B3A86F

Strings

', xrefs: 00B3A7C3

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 0b8528d1ef42c5340687aba08da2424c6097a95e6479b0fdfd9e3c25d1d95ae3
Instruction ID: c75b1832b0276e6d82fdd775aa513105ae37acc4c0b58642191e6c7706e97878
Opcode Fuzzy Hash: 0b8528d1ef42c5340687aba08da2424c6097a95e6479b0fdfd9e3c25d1d95ae3
Instruction Fuzzy Hash: FF41E775E012099FDB14CF68D981BDABBF9FB08300F2441AAE945AB341D770A946CF91

Function 00B25180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B25190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 00B251C6

Strings

|, xrefs: 00B251B5

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: aa24efd11831b251b3d8ff82cda89ac99f2d3b146f66ec5ca06f0306ad7d78a9
Instruction ID: 928f8f29f5336dea3db4662ac57e0aa10cc47b256e7d90cdc99140f43e6f1c28
Opcode Fuzzy Hash: aa24efd11831b251b3d8ff82cda89ac99f2d3b146f66ec5ca06f0306ad7d78a9
Instruction Fuzzy Hash: 89311971800119ABCF11AFA4DD85AEEBFB9FF18710F000056F915A6266DA31A916CBA0

Function 00B3975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00B3980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00B3984A

Strings

static, xrefs: 00B397AA

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 7d9c47edbd977493ac04524563c3312641d4519be70862ad3d0c7d795872302b
Instruction ID: 0a3b8970e4a18f3288dce052ef21bd86480188cac109bd13710912fdca8c139d
Opcode Fuzzy Hash: 7d9c47edbd977493ac04524563c3312641d4519be70862ad3d0c7d795872302b
Instruction Fuzzy Hash: 6F317E71110604AAEB109F78CC81BBB73A9FF99760F108659F8A9C7190DB71AC82D760

Function 00B15157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B151C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B15201

Strings

0, xrefs: 00B151BF

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 8eb59b30fcd52babb8047ffb2ce8fe3739f07fb28985875b3bf6edbe3e441ef0
Instruction ID: f8404bd2faf284f903240c39476c317e32d23a5170bd1ca5d434a3d811d92839
Opcode Fuzzy Hash: 8eb59b30fcd52babb8047ffb2ce8fe3739f07fb28985875b3bf6edbe3e441ef0
Instruction Fuzzy Hash: 3C31F532600305EFEB34CF99D885BEEBBF4EF86350F540099E981A71A0D7709A84CB90

Function 00B2658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00B26608

Strings

AUTOITCALLVARIABLE%d, xrefs: 00B265FA
, $, xrefs: 00B26648

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: 9b676f862d5baffc3e2e9d7f7a91766057c0ff2eb1aa7700e2d8dfb2b323577f
Instruction ID: 357e9c4b6534fa5de8ab4bca8c3d2ebc49e5a1d974d597625639bf745aa0cd20
Opcode Fuzzy Hash: 9b676f862d5baffc3e2e9d7f7a91766057c0ff2eb1aa7700e2d8dfb2b323577f
Instruction Fuzzy Hash: 6B218571A00129AFCF15EFA4D981EED77F4EF45700F00449AF405AB291DB74EA45CBA1

Function 00B393CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B3945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B39467

Strings

Combobox, xrefs: 00B39429

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: a00ac0b8a54482333dc2a65dffb2a9e34c8c73a8a06e1f91e07da88bffc75ca8
Instruction ID: 956e1fa1e76781491ccfb4b6eaffa13bb450b8a7eb284a41eb598ef696b166a3
Opcode Fuzzy Hash: a00ac0b8a54482333dc2a65dffb2a9e34c8c73a8a06e1f91e07da88bffc75ca8
Instruction Fuzzy Hash: CD1182B17102096FEF259E58DC81EBB37AEEB883A4F204165F919972A0D6B19C528760

Function 00B398FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00AED17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AED1BA
Part of subcall function 00AED17C: GetStockObject.GDI32(00000011), ref: 00AED1CE
Part of subcall function 00AED17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AED1D8

GetWindowRect.USER32(00000000,?), ref: 00B39968
GetSysColor.USER32(00000012), ref: 00B39982

Strings

static, xrefs: 00B39945

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 58c3b4b00a7f93fffd52f2cfa444cf9451018f714a7f70adb7895f01b0186eea
Instruction ID: fcf1f9a2b6d48aa3b5789f40b3b1b1c1368d47d16d9ef5f71b6091036103bba4
Opcode Fuzzy Hash: 58c3b4b00a7f93fffd52f2cfa444cf9451018f714a7f70adb7895f01b0186eea
Instruction Fuzzy Hash: 9711677252020AAFDB04DFB8CC45EEA7BE8FB08304F110A69F955E3250E774E811DB60

Function 00B39617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00B39699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00B396A8

Strings

edit, xrefs: 00B3967D

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: aa4c5cd71cd9c52b8ee4bcc8861217c1d5f7c19c7d8c4546499f0c976f042ee5
Instruction ID: 6a9165d23a095c851ae2f6a42a6092965dcbad5167c51c9a601e3f54339a2882
Opcode Fuzzy Hash: aa4c5cd71cd9c52b8ee4bcc8861217c1d5f7c19c7d8c4546499f0c976f042ee5
Instruction Fuzzy Hash: 5A118C71502208ABEB215FA8DC82EEB3BAAEB05378F604754F965931E0C7B5DC51DB60

Function 00B15262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B152D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00B152F4

Strings

0, xrefs: 00B152CE

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 9bb863e366731179fb9f09b72a4c60cc0cd7c3c396db69093c8f6abad2881409
Instruction ID: b2028a7dce629508a0fa6c792f823d6ad43b60094bb329551604f0d0aa47e8a2
Opcode Fuzzy Hash: 9bb863e366731179fb9f09b72a4c60cc0cd7c3c396db69093c8f6abad2881409
Instruction Fuzzy Hash: 0D112672901614EBDB30DB98ED44BDD77F8EB85350F5400A5E962E7190D7B0ED40E7A0

Function 00B24D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00B24DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00B24E1E

Strings

<local>, xrefs: 00B24DE6

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: f91232cee650e608fc409a9594a2b2bc3d4ceeab567cdf0eed5543aa8ace35e8
Instruction ID: 4ca16926e331756d3e131e8df8d18a3742ac95a4b5c325fdaa59ad7f1c1dc27b
Opcode Fuzzy Hash: f91232cee650e608fc409a9594a2b2bc3d4ceeab567cdf0eed5543aa8ace35e8
Instruction Fuzzy Hash: 2311A370501231BBDB298F51D8C4EFBFAE8FF06795F10826AF50956940D7706D41C6E0

Function 00B2A82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00B2A84E
htons.WSOCK32(00000000,?,00000000), ref: 00B2A88B

Strings

255.255.255.255, xrefs: 00B2A866

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: 8ac4f9ab60291d31f066cb98e0265acfa41ea2b6040d6eb45eb5b4665e12e39a
Instruction ID: 3b622f4752788675df2f50f438ca82efa5160097368ab20613b542984abd3fa3
Opcode Fuzzy Hash: 8ac4f9ab60291d31f066cb98e0265acfa41ea2b6040d6eb45eb5b4665e12e39a
Instruction Fuzzy Hash: 55014935200315ABCB20AF64DC86FADB7E4EF04710F1085A6F51A9B3D1D731E801C752

Function 00B0B781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00B0B7EF

Strings

ListBox, xrefs: 00B0B7B9
ComboBox, xrefs: 00B0B78B

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 4014c7c622ef84399f18383b0bfacaaf1369af1fcc3b7a3aa74f0c410cca1d14
Instruction ID: 841f91c6c5815e211ce640e7bcf2177456d39f2d91f876adf9a30fe05b706d61
Opcode Fuzzy Hash: 4014c7c622ef84399f18383b0bfacaaf1369af1fcc3b7a3aa74f0c410cca1d14
Instruction Fuzzy Hash: 9201B171640115ABCB04EBA4CD52DFE37A9EF55360B44065AF462673E2EF749908CB90

Function 00B0B67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 00B0B6EB

Strings

ListBox, xrefs: 00B0B6B5
ComboBox, xrefs: 00B0B687

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: bc7cf99fdb62f0d36a856fd8ab513bafb45c2fe8d61e30ba7702863108f5567e
Instruction ID: b63a1f041947e87dcbf3066df20b6df8f2b342d64a8785726371542aeeeb2481
Opcode Fuzzy Hash: bc7cf99fdb62f0d36a856fd8ab513bafb45c2fe8d61e30ba7702863108f5567e
Instruction Fuzzy Hash: 35018FB1641105ABCB04EBA4CA52EFE77E8DF15350B50005AB403B32D1EF659E18CBA5

Function 00B0B700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 00B0B76C

Strings

ListBox, xrefs: 00B0B738
ComboBox, xrefs: 00B0B70A

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 6ac82c2d851eb51b84a9fa5baf8cd662c16f6bb10de9cb99e668ca01b80a7e6c
Instruction ID: ba5afbcff0a15d77ea709b589a114c1cfc08c6610cbfa495cc621ceb28f74dc3
Opcode Fuzzy Hash: 6ac82c2d851eb51b84a9fa5baf8cd662c16f6bb10de9cb99e668ca01b80a7e6c
Instruction Fuzzy Hash: 5901ADB1640105ABCB04EBA4CA42EFE77EC9F15350B50005AB802B32E2EF649E09CBB5

Function 00B17744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00B17762
_wcscmp.LIBCMT ref: 00B17774

Strings

#32770, xrefs: 00B1776E

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 01e6e6c436d9603617c76be79562f6277636a5815fa584e4dd7dbed8d773a7c1
Instruction ID: ae814e1db7d4febc8959f29d9ff7c97b1132bfc8b25adf21c0b5222c6ef58a11
Opcode Fuzzy Hash: 01e6e6c436d9603617c76be79562f6277636a5815fa584e4dd7dbed8d773a7c1
Instruction Fuzzy Hash: 53E0927760432867D720AAA99C09E97FBECEB51B60F000196B905D3091EA60AA41C7D4

Function 00B0A631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00B0A63F

Part of subcall function 00AF13F1: _doexit.LIBCMT ref: 00AF13FB

Strings

Error allocating memory., xrefs: 00B0A638
AutoIt, xrefs: 00B0A633

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 9ae7af31dbbd95239b0a5af851abe8eccb36591cfad3703042d320047228ade2
Instruction ID: 38416f617c5ab5b307c118e2819b4bd19d0c54a5552424adf19a8a037bfc1b9e
Opcode Fuzzy Hash: 9ae7af31dbbd95239b0a5af851abe8eccb36591cfad3703042d320047228ade2
Instruction Fuzzy Hash: 03D05B313C471837D21436E96D1BFD57588CB15B51F1404A6FB0D995D24DE7958042E9

Function 00B4AE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00B4ACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00B4AEBD

Strings

WIN_XPe, xrefs: 00B4ACD3

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: 5e1b51fcbd1efa05b3967fb1c82b451e4fef3ab22ddfe4f36e335f2560b46174
Instruction ID: 3c756d92d666be1120fe7fc427ff6ed9dc79852bba083d6f90a2f2b40f82d05b
Opcode Fuzzy Hash: 5e1b51fcbd1efa05b3967fb1c82b451e4fef3ab22ddfe4f36e335f2560b46174
Instruction Fuzzy Hash: B1E0C970C40659AFDB51DBA5DEC8AECB7F8EB48301F1481C6E116B2561DB705A84EF22

Function 00B38698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B386A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00B386B5

Part of subcall function 00B17A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00B17AD0

Strings

Shell_TrayWnd, xrefs: 00B3869B

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 5c58c01fdfe7c593cbdd2b13d331b4b962953b55d7d4ee67b3d96e2d77e0da71
Instruction ID: a8e95c413ca0ca8d737d6bae16ac0901fd43f70214215fea32ace3ff3a1bf637
Opcode Fuzzy Hash: 5c58c01fdfe7c593cbdd2b13d331b4b962953b55d7d4ee67b3d96e2d77e0da71
Instruction Fuzzy Hash: 68D0C931394314A7E2746770AC1BFC66A98AB14B12F500995B649AB1E0CDE0A940CB55

Function 00B386CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B386E2
PostMessageW.USER32(00000000), ref: 00B386E9

Part of subcall function 00B17A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00B17AD0

Strings

Shell_TrayWnd, xrefs: 00B386DB

Memory Dump Source

Source File: 00000000.00000002.1308373388.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.1308344359.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308580701.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308639983.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1308660440.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Invoice OMS.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 41b6e6388fcd17cb9dff5f52a8ade171e0e426f88182a30f534ca89035f0781e
Instruction ID: 22214741e52e70c438ca649eeb45c946c548151a90343ab917eaee59d6964c08
Opcode Fuzzy Hash: 41b6e6388fcd17cb9dff5f52a8ade171e0e426f88182a30f534ca89035f0781e
Instruction Fuzzy Hash: 78D0C9313C53146BE2746770AC0BFC66A98AB15B12F500995B645AB1E0CDE0A940CB55

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Invoice OMS.132.2024 - S10.08 (2).exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut1CB7.tmp

C:\Users\user\AppData\Local\Temp\parachronistic

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
Invoice OMS.132.2024 - S10.08 (2).exe

Function 00AFB043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Function 00AD3D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Function 00AEDDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 00AD406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00B1FA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Function 00B1BFA4 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 316
fileCOMMON

Function 00AD3F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00AD3742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00AD3E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Function 00ECD8E0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00AD49FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Function 00AD36B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00ECD650 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 166
fileCOMMON

Function 00AD51AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON