Edit tour

Windows Analysis Report
NEWORDER.exe

Overview

General Information

Sample name:	NEWORDER.exe
Analysis ID:	1592063
MD5:	53ae35ae01c79a16eca864ee78a086ef
SHA1:	aaae775bb0f19a8ef5d1c19b8005aad129b06cac
SHA256:	e3140471b8e10e218754105e8fe4305bd7045f0f1da7eee586b07e5cfe4206b5
Tags:	AutoITexemalwaretrojanuser-Joker
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

NEWORDER.exe (PID: 6104 cmdline: "C:\Users\user\Desktop\NEWORDER.exe" MD5: 53AE35AE01C79A16ECA864EE78A086EF)

RegSvcs.exe (PID: 6808 cmdline: "C:\Users\user\Desktop\NEWORDER.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "ask4help@br4inb0xc.com", "Password": "wWg24EKAsnUH", "Server": "br4inb0xc.com", "To": "asper1@br4inb0xc.com", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2188859928.0000000001110000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.2188859928.0000000001110000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2188859928.0000000001110000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2188859928.0000000001110000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.2188859928.0000000001110000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1417f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1367d:$a3: \Google\Chrome\User Data\Default\Login Data 0x1398b:$a4: \Orbitum\User Data\Default\Login Data 0x14783:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.3406953590.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.3406953590.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3406953590.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.3406953590.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefdf:$a1: get_encryptedPassword 0xf307:$a2: get_encryptedUsername 0xed7a:$a3: get_timePasswordChanged 0xee9b:$a4: get_passwordField 0xeff5:$a5: set_encryptedPassword 0x10951:$a7: get_logins 0x10602:$a8: GetOutlookPasswords 0x103f4:$a9: StartKeylogger 0x108a1:$a10: KeyLoggerEventArgs 0x10451:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.3407838999.0000000002F86000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: NEWORDER.exe PID: 6104	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: NEWORDER.exe PID: 6104	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: NEWORDER.exe PID: 6104	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: NEWORDER.exe PID: 6104	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x29b8d9:$a1: get_encryptedPassword 0x29bbf2:$a2: get_encryptedUsername 0x29b688:$a3: get_timePasswordChanged 0x29b7a9:$a4: get_passwordField 0x29b8ef:$a5: set_encryptedPassword 0x29d1f2:$a7: get_logins 0x29cea3:$a8: GetOutlookPasswords 0x29cc95:$a9: StartKeylogger 0x29d142:$a10: KeyLoggerEventArgs 0x29ccf2:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 6808	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6808	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6808	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6808	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x481ed:$a1: get_encryptedPassword 0x48506:$a2: get_encryptedUsername 0x47f9c:$a3: get_timePasswordChanged 0x480bd:$a4: get_passwordField 0x48203:$a5: set_encryptedPassword 0x49b06:$a7: get_logins 0x497b7:$a8: GetOutlookPasswords 0x495a9:$a9: StartKeylogger 0x49a56:$a10: KeyLoggerEventArgs 0x49606:$a11: KeyLoggerEventArgsEventHandler
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.NEWORDER.exe.1110000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.NEWORDER.exe.1110000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.NEWORDER.exe.1110000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.NEWORDER.exe.1110000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
0.2.NEWORDER.exe.1110000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1417f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1367d:$a3: \Google\Chrome\User Data\Default\Login Data 0x1398b:$a4: \Orbitum\User Data\Default\Login Data 0x14783:$a5: \Kometa\User Data\Default\Login Data
0.2.NEWORDER.exe.1110000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.NEWORDER.exe.1110000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.NEWORDER.exe.1110000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.NEWORDER.exe.1110000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3df:$a1: get_encryptedPassword 0xd707:$a2: get_encryptedUsername 0xd17a:$a3: get_timePasswordChanged 0xd29b:$a4: get_passwordField 0xd3f5:$a5: set_encryptedPassword 0xed51:$a7: get_logins 0xea02:$a8: GetOutlookPasswords 0xe7f4:$a9: StartKeylogger 0xeca1:$a10: KeyLoggerEventArgs 0xe851:$a11: KeyLoggerEventArgsEventHandler
0.2.NEWORDER.exe.1110000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1237f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1187d:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b8b:$a4: \Orbitum\User Data\Default\Login Data 0x12983:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
2.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1417f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1367d:$a3: \Google\Chrome\User Data\Default\Login Data 0x1398b:$a4: \Orbitum\User Data\Default\Login Data 0x14783:$a5: \Kometa\User Data\Default\Login Data
Click to see the 10 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T18:09:06.923625+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49710	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "ask4help@br4inb0xc.com", "Password": "wWg24EKAsnUH", "Server": "br4inb0xc.com", "To": "asper1@br4inb0xc.com", "Port": 587}

Multi AV Scanner detection for submitted file

Source: NEWORDER.exe	Virustotal: Detection: 41%			Perma Link
Source: NEWORDER.exe	ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: NEWORDER.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: NEWORDER.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49712 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: NEWORDER.exe, 00000000.00000003.2181931628.0000000003C40000.00000004.00001000.00020000.00000000.sdmp, NEWORDER.exe, 00000000.00000003.2179069061.0000000003A80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: NEWORDER.exe, 00000000.00000003.2181931628.0000000003C40000.00000004.00001000.00020000.00000000.sdmp, NEWORDER.exe, 00000000.00000003.2179069061.0000000003A80000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0065C2A2 FindFirstFileExW,	0_2_0065C2A2
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_006968EE FindFirstFileW,FindClose,	0_2_006968EE
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0069698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0069698F
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0068D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0068D076
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0068D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0068D3A9
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_00699642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00699642
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0069979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0069979D
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_00699B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00699B2B
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0068DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0068DBBE
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_00695C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00695C97

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02D15782h	2_2_02D15366
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02D151B9h	2_2_02D14F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02D15782h	2_2_02D156AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05880740h	2_2_05880498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 058802E8h	2_2_05880040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov esp, ebp	2_2_05884D8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov esp, ebp	2_2_05884DCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_05880B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 058817FDh	2_2_05881620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05882187h	2_2_05881620

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49710 -> 132.226.247.73:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49712 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_0069CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0069CE44

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000002.00000002.3407838999.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.3407838999.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 00000002.00000002.3407838999.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3407838999.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.3407838999.0000000002E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000002.00000002.3407838999.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: NEWORDER.exe, 00000000.00000002.2188859928.0000000001110000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3406953590.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.3407838999.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RegSvcs.exe, 00000002.00000002.3407838999.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.3407838999.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegSvcs.exe, 00000002.00000002.3407838999.0000000002E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: NEWORDER.exe, 00000000.00000002.2188859928.0000000001110000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3406953590.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000002.00000002.3407838999.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: NEWORDER.exe, 00000000.00000002.2188859928.0000000001110000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3407838999.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3406953590.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.3407838999.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegSvcs.exe, 00000002.00000002.3407838999.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_0069EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0069EAFF

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_0069ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0069ED6A

Source: C:\Users\user\Desktop\NEWORDER.exe

0_2_0069EAFF

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_0068AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0068AA57

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_006B9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_006B9576

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.NEWORDER.exe.1110000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.NEWORDER.exe.1110000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.NEWORDER.exe.1110000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.NEWORDER.exe.1110000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.2188859928.0000000001110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2188859928.0000000001110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.3406953590.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: NEWORDER.exe PID: 6104, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 6808, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: NEWORDER.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: NEWORDER.exe, 00000000.00000000.2169692303.00000000006E2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_46130edc-8
Source: NEWORDER.exe, 00000000.00000000.2169692303.00000000006E2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a90c5db9-c
Source: NEWORDER.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_12a36fe9-3
Source: NEWORDER.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_eb07e4dd-e

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: NEWORDER.exe

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_0068D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0068D5EB

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_00681201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00681201

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_0068E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0068E8F6

Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_00628060	0_2_00628060
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_00692046	0_2_00692046
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_00688298	0_2_00688298
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0065E4FF	0_2_0065E4FF
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0065676B	0_2_0065676B
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_006B4873	0_2_006B4873
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0062CAF0	0_2_0062CAF0
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0064CAA0	0_2_0064CAA0
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0063CC39	0_2_0063CC39
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_00656DD9	0_2_00656DD9
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0063B119	0_2_0063B119
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_006291C0	0_2_006291C0
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_00641394	0_2_00641394
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0064781B	0_2_0064781B
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0063997D	0_2_0063997D
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_00627920	0_2_00627920
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_00647A4A	0_2_00647A4A
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_00647CA7	0_2_00647CA7
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_006ABE44	0_2_006ABE44
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_00659EEE	0_2_00659EEE
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0062BF40	0_2_0062BF40
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0144F0F0	0_2_0144F0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02D1C168	2_2_02D1C168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02D127B9	2_2_02D127B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02D1CA58	2_2_02D1CA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02D17E68	2_2_02D17E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02D14F08	2_2_02D14F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02D12DD1	2_2_02D12DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02D1B9E0	2_2_02D1B9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02D14EF8	2_2_02D14EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02D17E63	2_2_02D17E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0588048A	2_2_0588048A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05880498	2_2_05880498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05882687	2_2_05882687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05882698	2_2_05882698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05884000	2_2_05884000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05880007	2_2_05880007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05880040	2_2_05880040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05882CD0	2_2_05882CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05882CE0	2_2_05882CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05880B20	2_2_05880B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05884AE0	2_2_05884AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05881610	2_2_05881610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05881620	2_2_05881620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05883320	2_2_05883320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05883330	2_2_05883330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05883FEF	2_2_05883FEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05883980	2_2_05883980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05883974	2_2_05883974

Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: String function: 0063F9F2 appears 40 times
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: String function: 00640A30 appears 46 times
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: String function: 00629CB3 appears 31 times

Source: NEWORDER.exe, 00000000.00000003.2183155768.0000000003BC3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs NEWORDER.exe
Source: NEWORDER.exe, 00000000.00000003.2183942795.0000000003D6D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs NEWORDER.exe
Source: NEWORDER.exe, 00000000.00000002.2188859928.0000000001110000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs NEWORDER.exe

Source: NEWORDER.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.NEWORDER.exe.1110000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.NEWORDER.exe.1110000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.NEWORDER.exe.1110000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.NEWORDER.exe.1110000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2188859928.0000000001110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2188859928.0000000001110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.3406953590.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: NEWORDER.exe PID: 6104, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 6808, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_006937B5 GetLastError,FormatMessageW,

0_2_006937B5

Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_006810BF AdjustTokenPrivileges,CloseHandle,		0_2_006810BF
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_006816C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_006816C3

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_006951CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_006951CD

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_006AA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_006AA67C

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_0069648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0069648E

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_006242A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_006242A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\NEWORDER.exe

File created: C:\Users\user\AppData\Local\Temp\overfertilize

Jump to behavior

Source: NEWORDER.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\NEWORDER.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3407838999.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3407838999.0000000002F2E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3407838999.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3407838999.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3408422037.0000000003E5D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3407838999.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: NEWORDER.exe	Virustotal: Detection: 41%
Source: NEWORDER.exe	ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\NEWORDER.exe "C:\Users\user\Desktop\NEWORDER.exe"
Source: C:\Users\user\Desktop\NEWORDER.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\NEWORDER.exe"
Source: C:\Users\user\Desktop\NEWORDER.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\NEWORDER.exe"	Jump to behavior

Source: C:\Users\user\Desktop\NEWORDER.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEWORDER.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEWORDER.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEWORDER.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEWORDER.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEWORDER.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEWORDER.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEWORDER.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEWORDER.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEWORDER.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEWORDER.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: NEWORDER.exe

Static file information: File size 1357312 > 1048576

Source: NEWORDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: NEWORDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: NEWORDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: NEWORDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: NEWORDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: NEWORDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: NEWORDER.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: NEWORDER.exe, 00000000.00000003.2181931628.0000000003C40000.00000004.00001000.00020000.00000000.sdmp, NEWORDER.exe, 00000000.00000003.2179069061.0000000003A80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: NEWORDER.exe, 00000000.00000003.2181931628.0000000003C40000.00000004.00001000.00020000.00000000.sdmp, NEWORDER.exe, 00000000.00000003.2179069061.0000000003A80000.00000004.00001000.00020000.00000000.sdmp

Source: NEWORDER.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: NEWORDER.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: NEWORDER.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: NEWORDER.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: NEWORDER.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_006242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006242DE

Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_00640A76 push ecx; ret	0_2_00640A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02D1F273 push ebp; retf	2_2_02D1F281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0588BDB8 push es; ret	2_2_0588C230

Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0063F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0063F98E
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_006B1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_006B1C41

Source: C:\Users\user\Desktop\NEWORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEWORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\NEWORDER.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95645

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\NEWORDER.exe

API/Special instruction interceptor: Address: 144ED14

Source: C:\Users\user\Desktop\NEWORDER.exe

API coverage: 3.4 %

Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0065C2A2 FindFirstFileExW,	0_2_0065C2A2
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_006968EE FindFirstFileW,FindClose,	0_2_006968EE
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0069698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0069698F
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0068D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0068D076
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0068D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0068D3A9
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_00699642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00699642
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0069979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0069979D
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_00699B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00699B2B
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0068DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0068DBBE
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_00695C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00695C97

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_006242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006242DE

Source: RegSvcs.exe, 00000002.00000002.3407178583.00000000011D8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_02D1C168 LdrInitializeThunk,LdrInitializeThunk,

2_2_02D1C168

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_0069EAA2 BlockInput,

0_2_0069EAA2

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_00652622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00652622

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_006242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006242DE

Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_00644CE8 mov eax, dword ptr fs:[00000030h]	0_2_00644CE8
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0144EFE0 mov eax, dword ptr fs:[00000030h]	0_2_0144EFE0
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0144EF80 mov eax, dword ptr fs:[00000030h]	0_2_0144EF80
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0144D910 mov eax, dword ptr fs:[00000030h]	0_2_0144D910

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_00680B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00680B62

Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_00652622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00652622
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_0064083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0064083F
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_006409D5 SetUnhandledExceptionFilter,	0_2_006409D5
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_00640C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00640C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\NEWORDER.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\NEWORDER.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C95008

Jump to behavior

Source: C:\Users\user\Desktop\NEWORDER.exe

0_2_00681201

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_00662BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00662BA5

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_0068B226 SendInput,keybd_event,

0_2_0068B226

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_006A22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_006A22DA

Source: C:\Users\user\Desktop\NEWORDER.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\NEWORDER.exe"

Jump to behavior

Source: C:\Users\user\Desktop\NEWORDER.exe

0_2_00680B62

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_00681663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00681663

Source: NEWORDER.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: NEWORDER.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_00640698 cpuid

0_2_00640698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_00698195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00698195

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_0067D27A GetUserNameW,

0_2_0067D27A

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_0065B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0065B952

Source: C:\Users\user\Desktop\NEWORDER.exe

Code function: 0_2_006242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006242DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.NEWORDER.exe.1110000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEWORDER.exe.1110000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2188859928.0000000001110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3406953590.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEWORDER.exe PID: 6104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6808, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.NEWORDER.exe.1110000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEWORDER.exe.1110000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2188859928.0000000001110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3406953590.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEWORDER.exe PID: 6104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6808, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: NEWORDER.exe	Binary or memory string: WIN_81
Source: NEWORDER.exe	Binary or memory string: WIN_XP
Source: NEWORDER.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: NEWORDER.exe	Binary or memory string: WIN_XPe
Source: NEWORDER.exe	Binary or memory string: WIN_VISTA
Source: NEWORDER.exe	Binary or memory string: WIN_7
Source: NEWORDER.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 0.2.NEWORDER.exe.1110000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEWORDER.exe.1110000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2188859928.0000000001110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3406953590.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3407838999.0000000002F86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEWORDER.exe PID: 6104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6808, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.NEWORDER.exe.1110000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEWORDER.exe.1110000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2188859928.0000000001110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3406953590.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEWORDER.exe PID: 6104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6808, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.NEWORDER.exe.1110000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEWORDER.exe.1110000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2188859928.0000000001110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3406953590.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEWORDER.exe PID: 6104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6808, type: MEMORYSTR

Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_006A1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_006A1204
Source: C:\Users\user\Desktop\NEWORDER.exe	Code function: 0_2_006A1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_006A1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	221 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
NEWORDER.exe	42%	Virustotal		Browse
NEWORDER.exe	37%	ReversingLabs	Win32.Trojan.Cerbu
NEWORDER.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.96.1	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l	RegSvcs.exe, 00000002.00000002.3407838999.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	RegSvcs.exe, 00000002.00000002.3407838999.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	NEWORDER.exe, 00000000.00000002.2188859928.0000000001110000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3406953590.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	RegSvcs.exe, 00000002.00000002.3407838999.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	RegSvcs.exe, 00000002.00000002.3407838999.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.3407838999.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	RegSvcs.exe, 00000002.00000002.3407838999.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.3407838999.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000002.00000002.3407838999.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3407838999.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000002.00000002.3407838999.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	RegSvcs.exe, 00000002.00000002.3407838999.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.3407838999.0000000002E31000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	NEWORDER.exe, 00000000.00000002.2188859928.0000000001110000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3406953590.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	NEWORDER.exe, 00000000.00000002.2188859928.0000000001110000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3407838999.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3406953590.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.96.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592063
Start date and time:	2025-01-15 18:08:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NEWORDER.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 45 Number of non-executed functions: 299
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.96.1	k9OEsV37GE.exe	Get hash	malicious	FormBook	Browse	www.uzshou.world/kbd2/?EtJTX=_JVX4ryxDRQpLJF&cNPH=ufZ7RYF4yLxNXVSq5Vx/4TYieRbcnKjskkbM3L5RbgB1pAgqHA7sfCNkYWLyXRMMwBB3JLbYKUw1FAOWml6VLpxPVZ4qXf58MsNUIQgw/PJ5HUGIvLQvrl5frN9PrRFpPiAd2cDcH6Sr
	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	www.dejikenkyu.cyou/58m5/
	EIvidclKOb.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/0pqe/
	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	www.aonline.top/fqlg/
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	pelisplus.so/administrator/index.php
	Recibos.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
132.226.247.73	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	RENH3RE2025QUOTE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	rlPy5vt1Dg.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Invoice No 1122207 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	PDF6UU0CVUO2W-YGVUIO.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	PO#_1100015533.scr	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	1nl3hc.ps1	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	Contrarre.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	RFQ_AS0101402025.22025_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	Confirm Bank Statement.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
checkip.dyndns.com	Invoice No 1122207 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	PDF6UU0CVUO2W-YGVUIO.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	PO#_1100015533.scr	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	1nl3hc.ps1	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	Contrarre.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	RFQ_AS0101402025.22025_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Confirm Bank Statement.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://docs.google.com/drawings/d/1Fix-5JDCTM2QJpjq3c_NOGTxMuhYRiEX3wdVSCqQc9w/preview?FwaxQ	Get hash	malicious	Unknown	Browse	104.21.79.87
	DOCU800147001.exe	Get hash	malicious	GuLoader	Browse	104.21.32.1
	firstontario.docx	Get hash	malicious	Unknown	Browse	1.1.1.1
	lummm_lzmb.exe	Get hash	malicious	LummaC	Browse	104.21.67.165
	https://solve.lzmb.org/awjsx.captcha?u=a85c9e46-f1ff-475f-b74c-c23cf236a082	Get hash	malicious	Unknown	Browse	104.21.78.33
	https://solve.xfzz.org/awjsx.captcha?u=c56ed68e-fc67-4e24-b8ac-6adc700e0877%20#%20%E2%9C%85%20''I%20am%20not%20a%20robot%20-%20reCAPTCHA%20Verification%20ID:%203467''	Get hash	malicious	Unknown	Browse	104.21.32.1
	https://tinyurl.com/Amconconstruction	Get hash	malicious	Unknown	Browse	104.17.25.14
	Zohobooks Voip CaIIer left (4) voice message from +1 (___) ___-__92 [MSG ID-zNeaDpAKAIgeQjKGl].eml	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://bluefiles.com/fr/reader/document/2c33782e98658214c7dff875dd234fc3b9b9a60915ac1685fe35abcc657c139d	Get hash	malicious	Unknown	Browse	1.1.1.1
UTMEMUS	330tqxXVzm.dll	Get hash	malicious	Wannacry	Browse	132.224.47.164
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Confirm Bank Statement.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	RENH3RE2025QUOTE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	tN8GsMV1le.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Invoice No 1122207 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	PDF6UU0CVUO2W-YGVUIO.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	1nl3hc.ps1	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	Contrarre.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	RFQ_AS0101402025.22025_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	Confirm Bank Statement.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	50201668.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1

Process:	C:\Users\user\Desktop\NEWORDER.exe
File Type:	data
Category:	dropped
Size (bytes):	93696
Entropy (8bit):	6.86238420998648
Encrypted:	false
SSDEEP:	1536:LH0oYRsprXY2L6+WrWMfNXq9b73KAf0vXn35RX10pVZX5d0J16iAfrnkgx:ZE0Y2L6+WrWMfNXIfHf0vX3ihd0J16ic
MD5:	DD4E293395F17005966633E7CB791802
SHA1:	2628FF55CAE9CDCA78ADFE046399C9945E3FD03D
SHA-256:	823CB58B5327F3D241BD7D9266D6AFD1D6E4525BDBC5D5E0D66CABC97E4B9D88
SHA-512:	CE688176E591E84C6DF9A468933F4A4CCD23B8453FF7F1C1BC44289BEB38CEA489A199470A66F7574AABD548992458124A842ACFCAEDD5698036C6A5242250F4
Malicious:	false
Reputation:	low
Preview:	z..R[7I3ROAR.7J.9UPVMO4.7M4RX7I3VOAR2M7JW9UPVMO4L7M4RX7I3VO.R2M9U.7U._.n.M{...0^:.&=.5@,Zj4X;>99oV).?A<x^'....r_"S/y4XZrMO4L7M4..7I.WLA.\..JW9UPVMO.L5L?S.7IWWOAZ2M7JW9..WMO.L7M.SX7IsVOaR2M5JW=UPVMO4L1M4RX7I3V.@R2O7JW9UPTM/.L7]4RH7I3V_AR"M7JW9U@VMO4L7M4RX7..WO.R2M7.V9.UVMO4L7M4RX7I3VOAR2M.KW5UPVMO4L7M4RX7I3VOAR2M7JW9UPVMO4L7M4RX7I3VOAR2M7JW9UPvMO<L7M4RX7I3VOIr2M.JW9UPVMO4L7c@7 CI3V.#S2M.JW91QVMM4L7M4RX7I3VOAR.M7yK&"5MO4.2M4R.6I3POARTL7JW9UPVMO4L7MtRXwgA3#.12M;JW9U.WMO6L7MXSX7I3VOAR2M7JWyUP.MO4L7M4RX7I3VOAR..6JW9UP.MO4N7H4..7I..OAQ2M7.W9S..MO.L7M4RX7I3VOAR2M7JW9UPVMO4L7M4RX7I3VOAR2M7JW.(.Y...%D..RX7I3VNCQ6K?BW9UPVMO427M4.X7IsVOAe2M7oW9U=VMO.L7MJRX773VO%R2MEJW94PVM.4L7"4RXYI3V1AR2S5bH9UZ\|kO6d.M4XX..@wOAX.L7JSJwPVG.6L7IGqX7C.UOAVAi7J].QPVI<.L7G.WX7M..OB.$K7JLVmPVGO7."K4RC.o3TgxR2G7`q9V.CKO4W.o4P.>I3Re.!/M7L.{UP\9F4L5.>RX3c-Tg.R2G.h)UPRfO.nIY4R\.I.t1TR2I.J}.+FVMK.L.oJEX7M.VeGxPME.[9%S9,O4J..4RR..3VIAx.MIDW9QR9.O4F.g.RpgI3POi.2M1J}.U.eMO0`03.RX3b%(~AR6.12W9S#.MO>i.~4R\..3VEAx.M..W9SP~.O4J

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.737507307782037
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NEWORDER.exe
File size:	1'357'312 bytes
MD5:	53ae35ae01c79a16eca864ee78a086ef
SHA1:	aaae775bb0f19a8ef5d1c19b8005aad129b06cac
SHA256:	e3140471b8e10e218754105e8fe4305bd7045f0f1da7eee586b07e5cfe4206b5
SHA512:	939beb060314c73341de83dbf0fc4f910778ad9f52877b186665c7e191600d736a13ba233a67d4658eac7b31a63dbe5365db257e61cdb3a963756c8beee300e7
SSDEEP:	24576:zqDEvCTbMWu7rQYlBQcBiT6rprG8aGKLbpOyjRo1HTqUMxn:zTvC/MTQYxsWR7aGkbw2osV
TLSH:	EF55C00333819062FF5B92330F6AE6555B7D6E2A4133A91F13AC3D79BA70172163E663
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	98e2a3b29b9ba181

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6785AA95 [Tue Jan 14 00:06:45 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F28FC85FC93h
jmp 00007F28FC85F59Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F28FC85F77Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F28FC85F74Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F28FC86233Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F28FC862388h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F28FC862371h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x74bcc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x149000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x74bcc	0x74c00	bed47b6405bed921e1b351c80469b2f5	False	0.6035490832441114	data	6.350362065560363	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x149000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd4458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd46a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd47d0	0x33428	Device independent bitmap graphic, 198 x 512 x 32, image size 202752, resolution 7874 x 7874 px/m	English	Great Britain	0.13495903981710802
RT_MENU	0x107bf8	0x50	data	English	Great Britain	0.9
RT_STRING	0x107c48	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0x1081dc	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0x108868	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0x108cf8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0x1092f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0x109950	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0x109db8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0x109f10	0x3e79e	data			1.0003360661503231
RT_GROUP_ICON	0x1486b0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1486c4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1486d8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1486ec	0x14	data	English	Great Britain	1.25
RT_VERSION	0x148700	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1487dc	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T18:09:06.923625+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49710	132.226.247.73	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 18:09:05.963357925 CET	49710	80	192.168.2.6	132.226.247.73
Jan 15, 2025 18:09:05.968194962 CET	80	49710	132.226.247.73	192.168.2.6
Jan 15, 2025 18:09:05.968274117 CET	49710	80	192.168.2.6	132.226.247.73
Jan 15, 2025 18:09:05.968671083 CET	49710	80	192.168.2.6	132.226.247.73
Jan 15, 2025 18:09:05.973433971 CET	80	49710	132.226.247.73	192.168.2.6
Jan 15, 2025 18:09:06.661544085 CET	80	49710	132.226.247.73	192.168.2.6
Jan 15, 2025 18:09:06.666459084 CET	49710	80	192.168.2.6	132.226.247.73
Jan 15, 2025 18:09:06.671286106 CET	80	49710	132.226.247.73	192.168.2.6
Jan 15, 2025 18:09:06.879221916 CET	80	49710	132.226.247.73	192.168.2.6
Jan 15, 2025 18:09:06.891393900 CET	49712	443	192.168.2.6	104.21.96.1
Jan 15, 2025 18:09:06.891452074 CET	443	49712	104.21.96.1	192.168.2.6
Jan 15, 2025 18:09:06.891525030 CET	49712	443	192.168.2.6	104.21.96.1
Jan 15, 2025 18:09:06.901324987 CET	49712	443	192.168.2.6	104.21.96.1
Jan 15, 2025 18:09:06.901349068 CET	443	49712	104.21.96.1	192.168.2.6
Jan 15, 2025 18:09:06.923624992 CET	49710	80	192.168.2.6	132.226.247.73
Jan 15, 2025 18:09:07.390995026 CET	443	49712	104.21.96.1	192.168.2.6
Jan 15, 2025 18:09:07.391280890 CET	49712	443	192.168.2.6	104.21.96.1
Jan 15, 2025 18:09:07.396121025 CET	49712	443	192.168.2.6	104.21.96.1
Jan 15, 2025 18:09:07.396158934 CET	443	49712	104.21.96.1	192.168.2.6
Jan 15, 2025 18:09:07.396581888 CET	443	49712	104.21.96.1	192.168.2.6
Jan 15, 2025 18:09:07.439363956 CET	49712	443	192.168.2.6	104.21.96.1
Jan 15, 2025 18:09:07.452600002 CET	49712	443	192.168.2.6	104.21.96.1
Jan 15, 2025 18:09:07.495362043 CET	443	49712	104.21.96.1	192.168.2.6
Jan 15, 2025 18:09:07.612427950 CET	443	49712	104.21.96.1	192.168.2.6
Jan 15, 2025 18:09:07.612495899 CET	443	49712	104.21.96.1	192.168.2.6
Jan 15, 2025 18:09:07.612592936 CET	49712	443	192.168.2.6	104.21.96.1
Jan 15, 2025 18:09:07.619805098 CET	49712	443	192.168.2.6	104.21.96.1
Jan 15, 2025 18:10:11.879041910 CET	80	49710	132.226.247.73	192.168.2.6
Jan 15, 2025 18:10:11.879254103 CET	49710	80	192.168.2.6	132.226.247.73
Jan 15, 2025 18:10:46.892849922 CET	49710	80	192.168.2.6	132.226.247.73
Jan 15, 2025 18:10:46.897658110 CET	80	49710	132.226.247.73	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 18:09:05.714477062 CET	54052	53	192.168.2.6	1.1.1.1
Jan 15, 2025 18:09:05.721187115 CET	53	54052	1.1.1.1	192.168.2.6
Jan 15, 2025 18:09:06.881403923 CET	62529	53	192.168.2.6	1.1.1.1
Jan 15, 2025 18:09:06.890608072 CET	53	62529	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 18:09:05.714477062 CET	192.168.2.6	1.1.1.1	0xd4ee	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 15, 2025 18:09:06.881403923 CET	192.168.2.6	1.1.1.1	0x4655	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 18:09:05.721187115 CET	1.1.1.1	192.168.2.6	0xd4ee	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 15, 2025 18:09:05.721187115 CET	1.1.1.1	192.168.2.6	0xd4ee	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 15, 2025 18:09:05.721187115 CET	1.1.1.1	192.168.2.6	0xd4ee	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 15, 2025 18:09:05.721187115 CET	1.1.1.1	192.168.2.6	0xd4ee	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 15, 2025 18:09:05.721187115 CET	1.1.1.1	192.168.2.6	0xd4ee	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 15, 2025 18:09:05.721187115 CET	1.1.1.1	192.168.2.6	0xd4ee	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 15, 2025 18:09:06.890608072 CET	1.1.1.1	192.168.2.6	0x4655	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 18:09:06.890608072 CET	1.1.1.1	192.168.2.6	0x4655	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 18:09:06.890608072 CET	1.1.1.1	192.168.2.6	0x4655	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 18:09:06.890608072 CET	1.1.1.1	192.168.2.6	0x4655	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 18:09:06.890608072 CET	1.1.1.1	192.168.2.6	0x4655	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 18:09:06.890608072 CET	1.1.1.1	192.168.2.6	0x4655	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 18:09:06.890608072 CET	1.1.1.1	192.168.2.6	0x4655	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	132.226.247.73	80	6808	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 18:09:05.968671083 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 15, 2025 18:09:06.661544085 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 17:09:06 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 15, 2025 18:09:06.666459084 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 15, 2025 18:09:06.879221916 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 17:09:06 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49712	104.21.96.1	443	6808	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 17:09:07 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-15 17:09:07 UTC	863	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 17:09:07 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2275736 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e0%2FzWAFzXT%2BDvESJAYBTEOWdl907BVSJWCPObbnP07e%2FR7R2aMkzzMFtWGwSwErgthjQuda4j6e1K5i2CnrLgzHyAfW9ukTERoFJO%2B7IYmGV%2Fr6Ukc%2Bnp4A82C%2BiSsifLVFcgBiK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902778c2084c72a4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1975&min_rtt=1970&rtt_var=749&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1451292&cwnd=212&unsent_bytes=0&cid=2b99a85e23aff3be&ts=238&x=0"
2025-01-15 17:09:07 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	12:09:03
Start date:	15/01/2025
Path:	C:\Users\user\Desktop\NEWORDER.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NEWORDER.exe"
Imagebase:	0x620000
File size:	1'357'312 bytes
MD5 hash:	53AE35AE01C79A16ECA864EE78A086EF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.2188859928.0000000001110000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2188859928.0000000001110000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2188859928.0000000001110000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2188859928.0000000001110000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.2188859928.0000000001110000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:09:04
Start date:	15/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NEWORDER.exe"
Imagebase:	0xb20000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.3406953590.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3406953590.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.3406953590.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3406953590.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3407838999.0000000002F86000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	2.5%
Signature Coverage:	3.4%
Total number of Nodes:	1632
Total number of Limit Nodes:	43

Executed Functions

Function 006242DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0062430D

Part of subcall function 00626B57: _wcslen.LIBCMT ref: 00626B6A

GetCurrentProcess.KERNEL32(?,006BCB64,00000000,?,?), ref: 00624422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00624429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00624454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00624466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00624474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0062447B
GetSystemInfo.KERNEL32(?,?,?), ref: 006244A0

Strings

kernel32.dll, xrefs: 0062444F
GetNativeSystemInfo, xrefs: 00624460
|O, xrefs: 006636F8

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 6aa2329760cba0b0a7a6e700e0a0e9bcdd46e2b43e910183475397a2e21ee125
Instruction ID: d2b1efe3ca4b153a922e117182ffe3e70d68718063e024542034d7698e11aeb3
Opcode Fuzzy Hash: 6aa2329760cba0b0a7a6e700e0a0e9bcdd46e2b43e910183475397a2e21ee125
Instruction Fuzzy Hash: A2A1906790A6F4DFCB11DB6DBC411F57FE7AB27380B087899D0819BB22D6204649CF25

Function 006242A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,006250AA,?,?,00000000,00000000), ref: 006242B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,006250AA,?,?,00000000,00000000), ref: 006242C9
LoadResource.KERNEL32(?,00000000,?,?,006250AA,?,?,00000000,00000000,?,?,?,?,?,?,00624F20), ref: 006635BE
SizeofResource.KERNEL32(?,00000000,?,?,006250AA,?,?,00000000,00000000,?,?,?,?,?,?,00624F20), ref: 006635D3
LockResource.KERNEL32(006250AA,?,?,006250AA,?,?,00000000,00000000,?,?,?,?,?,?,00624F20,?), ref: 006635E6

Strings

SCRIPT, xrefs: 006242BF

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: a2bda213532d9c9ef323ec5f539eaaab51437db3b38ffe684fb6795161c959f1
Instruction ID: 3f48ae220d9c8b76646a9a29871a059e45913f88fed969365e5c0afb657b8a99
Opcode Fuzzy Hash: a2bda213532d9c9ef323ec5f539eaaab51437db3b38ffe684fb6795161c959f1
Instruction Fuzzy Hash: F2117CB0201B10FFDB218B66EC48F677BBAEFC5B61F104269F40296250DB71DE408A30

Function 00662BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00622B6B

Part of subcall function 00623A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,006F1418,?,00622E7F,?,?,?,00000000), ref: 00623A78

Part of subcall function 00629CB3: _wcslen.LIBCMT ref: 00629CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,006E2224), ref: 00662C10
ShellExecuteW.SHELL32(00000000,?,?,006E2224), ref: 00662C17

Strings

runas, xrefs: 00662C0B

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: c880d7b69a69f2d7c90ce66f0e9e1f21d269faf501261f6467d2a80b702193a4
Instruction ID: 21de4637f0f43f5b3c677c8341afc313814f6bea2e705fb96baf582bf694cfbc
Opcode Fuzzy Hash: c880d7b69a69f2d7c90ce66f0e9e1f21d269faf501261f6467d2a80b702193a4
Instruction Fuzzy Hash: 0F110A31204B66AAC744FF20F8619BE77A79FD1355F44182CF142171A2CF258649CF16

Function 0062D730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0062D807
timeGetTime.WINMM ref: 0062DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0062DB28
TranslateMessage.USER32(?), ref: 0062DB7B
DispatchMessageW.USER32(?), ref: 0062DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0062DB9F
Sleep.KERNEL32(0000000A), ref: 0062DBB1

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: f6bcbb94d4f60d68703730075c8096064e88a296bc2537058a835fe7d9bf1fdb
Instruction ID: 483b2c5e58b844f6cd6f3bbd67b10af354c64a704c7c2452bb9402fe16b53e44
Opcode Fuzzy Hash: f6bcbb94d4f60d68703730075c8096064e88a296bc2537058a835fe7d9bf1fdb
Instruction Fuzzy Hash: 4042DF70608A52DFD729CF24D894BAAB7E3BF46304F14861DE4598B391D771E884CF92

Function 00622CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00622D07
RegisterClassExW.USER32(00000030), ref: 00622D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00622D42
InitCommonControlsEx.COMCTL32(?), ref: 00622D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00622D6F
LoadIconW.USER32(000000A9), ref: 00622D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00622D94

Strings

TaskbarCreated, xrefs: 00622D37
AutoIt v3 GUI, xrefs: 00622D23
0, xrefs: 00622CE9
+, xrefs: 00622CF0

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: e38354cbfcb1d90acc8b7d5f5143100108b06b10478c9e1d7f10df25e32e22c6
Instruction ID: 1aa25020d59893390c2ec809e18ec9b1ed80644e2ddcbb549b221a9aff94f98a
Opcode Fuzzy Hash: e38354cbfcb1d90acc8b7d5f5143100108b06b10478c9e1d7f10df25e32e22c6
Instruction Fuzzy Hash: 0B21E5B1901208EFDB00DFA4E849BEDBBB6FB09751F00621AF511AA2A0D7B10680CF90

Function 0066065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0066039A: CreateFileW.KERNELBASE(00000000,00000000,?,00660704,?,?,00000000,?,00660704,00000000,0000000C), ref: 006603B7

GetLastError.KERNEL32 ref: 0066076F
__dosmaperr.LIBCMT ref: 00660776
GetFileType.KERNELBASE(00000000), ref: 00660782
GetLastError.KERNEL32 ref: 0066078C
__dosmaperr.LIBCMT ref: 00660795
CloseHandle.KERNEL32(00000000), ref: 006607B5
CloseHandle.KERNEL32(?), ref: 006608FF
GetLastError.KERNEL32 ref: 00660931
__dosmaperr.LIBCMT ref: 00660938

Strings

H, xrefs: 006608BD

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 5744adbd8962b0a06700d114af3d8ac6af4ec6d859bd61b8f6f67501d477cfa5
Instruction ID: 1f73ece0fdd88da63aa6d218aefe65b15404baa2845c97bbfac8728a56864469
Opcode Fuzzy Hash: 5744adbd8962b0a06700d114af3d8ac6af4ec6d859bd61b8f6f67501d477cfa5
Instruction Fuzzy Hash: 9DA12432A141058FEF19EF68D851BAF7BE2AB06320F14016DF815EB392DB319D12CB95

Function 0062344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00623A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,006F1418,?,00622E7F,?,?,?,00000000), ref: 00623A78

Part of subcall function 00623357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00623379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0062356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0066318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 006631CE
RegCloseKey.ADVAPI32(?), ref: 00663210
_wcslen.LIBCMT ref: 00663277
_wcslen.LIBCMT ref: 00663286

Strings

\Include\, xrefs: 00623527
Include, xrefs: 00663184, 006631C5
Software\AutoIt v3\AutoIt, xrefs: 00623560
\, xrefs: 0066328C

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 0c474bf6db3128c17d06e40ef8ddda9d0c50d8deee9d64b272af15a5c0bc1096
Instruction ID: 828c8962d02851d518b7f072f747fb72e541f93a8b5e7972b81f85cbd431f5a6
Opcode Fuzzy Hash: 0c474bf6db3128c17d06e40ef8ddda9d0c50d8deee9d64b272af15a5c0bc1096
Instruction Fuzzy Hash: 2871A1B25047129FC314EF65ECA19ABBBEAFF85740F40182EF54587260DB349A48CF65

Function 00622B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00622B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00622B9D
LoadIconW.USER32(00000063), ref: 00622BB3
LoadIconW.USER32(000000A4), ref: 00622BC5
LoadIconW.USER32(000000A2), ref: 00622BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00622BEF
RegisterClassExW.USER32(?), ref: 00622C40

Part of subcall function 00622CD4: GetSysColorBrush.USER32(0000000F), ref: 00622D07
Part of subcall function 00622CD4: RegisterClassExW.USER32(00000030), ref: 00622D31
Part of subcall function 00622CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00622D42
Part of subcall function 00622CD4: InitCommonControlsEx.COMCTL32(?), ref: 00622D5F
Part of subcall function 00622CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00622D6F
Part of subcall function 00622CD4: LoadIconW.USER32(000000A9), ref: 00622D85
Part of subcall function 00622CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00622D94

Strings

0, xrefs: 00622C0F
AutoIt v3, xrefs: 00622C2F
#, xrefs: 00622C16

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 5a72870fb0fd40d25e8a96cbbde3e387e9bdd3f5c203b378d1824ceaa58ed753
Instruction ID: 62dba6df1516f9b4247e2c96158af728766b4bc59019dec7d2264f337ab685aa
Opcode Fuzzy Hash: 5a72870fb0fd40d25e8a96cbbde3e387e9bdd3f5c203b378d1824ceaa58ed753
Instruction Fuzzy Hash: 1D2133B2E00315EFDB109F96EC55BAD7FB6FB49B90F00112AF500AA660D7B10A44CF94

Function 0062B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0062BB4E

Strings

p%o, xrefs: 0062BB32
p#o, xrefs: 0062BA72
p#o, xrefs: 0067024F
p#o, xrefs: 00670263
p#o, xrefs: 0062BB6B
p%o, xrefs: 0062B8DC
x#o, xrefs: 00670168
x#o, xrefs: 00670207

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#o$p#o$p#o$p#o$p%o$p%o$x#o$x#o
API String ID: 1385522511-1468649385
Opcode ID: 3781ca5b88803a32d95349e6dc67a17fd37b5957ac230dee5d74a449f2b26533
Instruction ID: b9adbddb790c8b9ad49232861707227aa3b49ce8b8e4c1e2e81fc90a1fb67ae5
Opcode Fuzzy Hash: 3781ca5b88803a32d95349e6dc67a17fd37b5957ac230dee5d74a449f2b26533
Instruction Fuzzy Hash: 8432DC71A0062ADFEB20CF54D894ABEB7B7EF45310F149059E909AB351C774AD82CFA1

Function 00623170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0062316A,?,?), ref: 006231D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0062316A,?,?), ref: 00623204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00623227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0062316A,?,?), ref: 00623232
CreatePopupMenu.USER32 ref: 00623246
PostQuitMessage.USER32(00000000), ref: 00623267

Strings

TaskbarCreated, xrefs: 0062322D

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 077ea2a4db6220d51169a67afd2b17528d77c52c182f8937950653b11ba992de
Instruction ID: 22a7075cde8282e2f97fc806ee7285acad4282c61fb2c90dc78d8958749e6380
Opcode Fuzzy Hash: 077ea2a4db6220d51169a67afd2b17528d77c52c182f8937950653b11ba992de
Instruction Fuzzy Hash: 0E414D31204A39EBDB141B78BC2DBB93A5BEB07390F041129F54199392CB7ACB41DFA5

Function 0062DFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%o, xrefs: 00672FDA
D%o, xrefs: 0062E1E0
D%o, xrefs: 0062E4B1
D%o, xrefs: 0067302D
Variable must be of type 'Object'., xrefs: 006732B7
D%oD%o, xrefs: 0062E27E

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID:
String ID: D%o$D%o$D%o$D%o$D%oD%o$Variable must be of type 'Object'.
API String ID: 0-87526932
Opcode ID: cfaa95854ec6473a512b23b72d805a4697ec7e9b940273ddab47b7c5b6c04744
Instruction ID: 3c2d5e2dfe16f54d4acb31ee5fee046b5ed744aaafac403eff72658b8f2ff62d
Opcode Fuzzy Hash: cfaa95854ec6473a512b23b72d805a4697ec7e9b940273ddab47b7c5b6c04744
Instruction Fuzzy Hash: 25C27B71E00625CFCB24CF98D880AADB7B2BF08310F248569E955AB391D376ED42CF95

Function 0144E0D0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0144E1A1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0144E3C7

Memory Dump Source

Source File: 00000000.00000002.2190890557.000000000144B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0144B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144b000_NEWORDER.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 640a513b0a1dc75cf27b9d1dcd7263df352c7e5bc7e4f1208c2f85c57f315c64
Instruction ID: 169aafbbd8105d4914a840d07e6f738c153792716141d414fb07d0609d5ad920
Opcode Fuzzy Hash: 640a513b0a1dc75cf27b9d1dcd7263df352c7e5bc7e4f1208c2f85c57f315c64
Instruction Fuzzy Hash: 46A10A74E00209EFEB14CFA4C994BEEBBB5FF48304F20855AE601BB291D7799A41CB54

Function 00622C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00622C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00622CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00621CAD,?), ref: 00622CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00621CAD,?), ref: 00622CCF

Strings

AutoIt v3, xrefs: 00622C89, 00622C8E, 00622C8F
edit, xrefs: 00622CAC

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 5eb406b259f3ce5f74b1b57f63346163ef13753388b2e2d2a033e6a520e83993
Instruction ID: 67cf32ad3193daa0ba19d775da39da9c7dd2b7d872f7a32b1c72dc079cdd0494
Opcode Fuzzy Hash: 5eb406b259f3ce5f74b1b57f63346163ef13753388b2e2d2a033e6a520e83993
Instruction Fuzzy Hash: 55F0D077544290BBE73117176C08E772E7FD7C7FB0B011059F900DA560C6611850DA70

Function 0144DE50 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0144DD40: Sleep.KERNELBASE(000001F4), ref: 0144DD51

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0144DFB9

Strings

7M4RX7I3VOAR2M7JW9UPVMO4L, xrefs: 0144E01F, 0144E022

Memory Dump Source

Source File: 00000000.00000002.2190890557.000000000144B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0144B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144b000_NEWORDER.jbxd

Similarity

API ID: CreateFileSleep
String ID: 7M4RX7I3VOAR2M7JW9UPVMO4L
API String ID: 2694422964-1063000210
Opcode ID: f7a842ef1d44a2586c82e088afb30fecc0e690cf6034310ffb94b7222bed2f36
Instruction ID: d8fcfbd0dbe79587bdea228e2cf7f3af230f0c87d4b91a121abb67631e9ba3c5
Opcode Fuzzy Hash: f7a842ef1d44a2586c82e088afb30fecc0e690cf6034310ffb94b7222bed2f36
Instruction Fuzzy Hash: A0618470D04288DBEF11DBF4D844BEFBB75AF19304F00419AE258BB2C1D6BA1A45CB66

Function 00623B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00623B0F,SwapMouseButtons,00000004,?), ref: 00623B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00623B0F,SwapMouseButtons,00000004,?), ref: 00623B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00623B0F,SwapMouseButtons,00000004,?), ref: 00623B83

Strings

Control Panel\Mouse, xrefs: 00623B3E

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 1b6fd048a73b3749c5652ad64d46ffe5ac6adedaa2f9f7558ff683b0ce8ee04d
Instruction ID: 24c3f902ac722796115816021b851045ef3a474c44dd72efa84defd750393e18
Opcode Fuzzy Hash: 1b6fd048a73b3749c5652ad64d46ffe5ac6adedaa2f9f7558ff683b0ce8ee04d
Instruction Fuzzy Hash: EE115AB5510628FFDB208FA5EC44AEEB7B9EF24795B108559B801D7210D3319F409B60

Function 0144CD40 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0144D56D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0144D591
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0144D5B3

Memory Dump Source

Source File: 00000000.00000002.2190890557.000000000144B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0144B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144b000_NEWORDER.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 3007ae169ef8b9d8c61beb8ea063371979b6b354134e23f449e077085ff78b4f
Instruction ID: 1f882f35efe6a6d0082cf8b58ce87107ae08d3e68f6e20f91319a7a1cd8bee40
Opcode Fuzzy Hash: 3007ae169ef8b9d8c61beb8ea063371979b6b354134e23f449e077085ff78b4f
Instruction Fuzzy Hash: 6A62FD70E142589BEB24DFA4C850BDEB772EF68300F1091A9D10DEB3A4E7759E81CB59

Function 00623923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 006633A2

Part of subcall function 00626B57: _wcslen.LIBCMT ref: 00626B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00623A04

Strings

Line: , xrefs: 006633EB

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 6d578ee521632213277aec78811781de27e180eb6a4f480715924bf9f99abc32
Instruction ID: 73e94b7e76f5712881a40e74d219f512e9a07bd8367a4ff31184c2ffc0850ec4
Opcode Fuzzy Hash: 6d578ee521632213277aec78811781de27e180eb6a4f480715924bf9f99abc32
Instruction Fuzzy Hash: 6E310471408774AAC365EB10EC45BEB73DAAB42350F00592EF599922D1EB749748CFC6

Function 00622DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00662C8C

Part of subcall function 00623AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00623A97,?,?,00622E7F,?,?,?,00000000), ref: 00623AC2

Part of subcall function 00622DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00622DC4

Strings

X, xrefs: 00662C5A
`en, xrefs: 00662C85

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`en
API String ID: 779396738-457593827
Opcode ID: 7427e6390a152410bfe7e1897e723441615709744cda220c4069473bfe58beb1
Instruction ID: c097a8fe5dad90c754641908131c3187923ee85ce097209e5bbd1844c008b78d
Opcode Fuzzy Hash: 7427e6390a152410bfe7e1897e723441615709744cda220c4069473bfe58beb1
Instruction Fuzzy Hash: 12210870A006A89FCB41EF94D805BEE7BFAAF49314F00801DF404B7341DBB856498FA5

Function 0063FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00640668

Part of subcall function 006432A4: RaiseException.KERNEL32(?,?,?,0064068A,?,006F1444,?,?,?,?,?,?,0064068A,00621129,006E8738,00621129), ref: 00643304

__CxxThrowException@8.LIBVCRUNTIME ref: 00640685

Strings

Unknown exception, xrefs: 00640692

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 34dd766842190c31eb34e78b4362ee4e53273c707d9f4a237652444194e19d9a
Instruction ID: 4c7ee97eaf05392f768bcf4bf0264cf008bb78657700e3fb420098b40cc6f79d
Opcode Fuzzy Hash: 34dd766842190c31eb34e78b4362ee4e53273c707d9f4a237652444194e19d9a
Instruction Fuzzy Hash: 45F0C23490030DB7CB44BB64EC4AC9E7B6F9E40310F604539BA18966A2EF71DB66CAC4

Function 006A7F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 006A82F5
TerminateProcess.KERNEL32(00000000), ref: 006A82FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 006A84DD

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 76e8e15d96d4704b958c0ed7b940a1547a05eac9177ab7a0104d5c02325d40f5
Instruction ID: b5afb66d470a7fe32f3409f14de21af9382e84af05694045a39c561787893cea
Opcode Fuzzy Hash: 76e8e15d96d4704b958c0ed7b940a1547a05eac9177ab7a0104d5c02325d40f5
Instruction Fuzzy Hash: D91248719083019FC754DF28C484B6ABBE6BF89318F14895DE8998B352DB31ED45CF92

Function 006210F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00621BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00621BF4
Part of subcall function 00621BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00621BFC
Part of subcall function 00621BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00621C07
Part of subcall function 00621BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00621C12
Part of subcall function 00621BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00621C1A
Part of subcall function 00621BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00621C22

Part of subcall function 00621B4A: RegisterWindowMessageW.USER32(00000004,?,006212C4), ref: 00621BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0062136A
OleInitialize.OLE32 ref: 00621388
CloseHandle.KERNEL32(00000000,00000000), ref: 006624AB

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 7e92e4ab428119bdb6dfbc77a28ed771439c84d1daf09f191df34c8730bd44d0
Instruction ID: 9340b5fea94e39e5af6831cd62023ce03e2b3e9df06122cddb57a609f506288f
Opcode Fuzzy Hash: 7e92e4ab428119bdb6dfbc77a28ed771439c84d1daf09f191df34c8730bd44d0
Instruction Fuzzy Hash: 1371C6F4915204CFC384EF7AA9456B53AE3BBAB3D4704A22E902ACF361EB314545CF44

Function 006586AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,006585CC,?,006E8CC8,0000000C), ref: 00658704
GetLastError.KERNEL32(?,006585CC,?,006E8CC8,0000000C), ref: 0065870E
__dosmaperr.LIBCMT ref: 00658739

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 292e9cee28ec0bb78a9a3f97150faa35ae1087d50a9b0a31e0e84f5880aa76c4
Instruction ID: db131a51b37974e17911fb1c893d3ab0cec9656486d3b55724e668fcf7d2edc4
Opcode Fuzzy Hash: 292e9cee28ec0bb78a9a3f97150faa35ae1087d50a9b0a31e0e84f5880aa76c4
Instruction Fuzzy Hash: 25012B32A056201FD7A46334A8597BE678B4F91776F39021DFC19AB6D3EEA08C89C154

Function 00631310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006317F6

Strings

CALL, xrefs: 006317C6

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: d675e1088af43673eaee41e6e1b0483eedc1e697072b2217be8980bbc066178e
Instruction ID: 651cc06d1f07f6b343f7ca8d1a4a8acfc88ec8902b7f6070bb1901308f6fa1b0
Opcode Fuzzy Hash: d675e1088af43673eaee41e6e1b0483eedc1e697072b2217be8980bbc066178e
Instruction Fuzzy Hash: FF229CB06086019FC714DF14C490A6ABBF3BF8A314F18896DF49A8B362D771E945CF96

Function 00623837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00623908

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 33cd5b22cfca856ae93825a2606d0fa0d4ecd227fae10f446758fa9398f5715d
Instruction ID: 3508039d9e235552edb896a1da5acb685014b945c09c29ec93cb5402e9f85f5d
Opcode Fuzzy Hash: 33cd5b22cfca856ae93825a2606d0fa0d4ecd227fae10f446758fa9398f5715d
Instruction Fuzzy Hash: DF319FB1604721DFD320DF24D8847A7BBE9FB4A358F00092EF5998B340E775AA44CB52

Function 00625745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0062949C,?,00008000), ref: 00625773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0062949C,?,00008000), ref: 00664052

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 95f62530fdb02dbab4ecaaa26dcd63ec96c333ba13827c099f36a82c88e69b3c
Instruction ID: dafa8a60b7d0f11c4f897391b1d26251bb4eaf5f26d14cd21476269e2c83a7ae
Opcode Fuzzy Hash: 95f62530fdb02dbab4ecaaa26dcd63ec96c333ba13827c099f36a82c88e69b3c
Instruction Fuzzy Hash: A7014031185635B6E3315A2ADC0EF977F99EF067B0F148310BA9D6E1E0CBB45855CB90

Function 0144CD3D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0144D56D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0144D591
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0144D5B3

Memory Dump Source

Source File: 00000000.00000002.2190890557.000000000144B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0144B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144b000_NEWORDER.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
Instruction ID: 4978762ccf9877695703aa6e38baf18baa1a8c8436b53bcf922cc03c1213a1ea
Opcode Fuzzy Hash: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
Instruction Fuzzy Hash: 0612CD24E24658C7EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4E85CF5A

Function 006A709C Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 30c60319cf8c0abcdd70b876c9e87266a96ed16ef83f4e965d3e2a63be8c7774
Instruction ID: 8bad74de9dc79f4b12a5bcae543e0f142c7354255961c602432a960db84c2685
Opcode Fuzzy Hash: 30c60319cf8c0abcdd70b876c9e87266a96ed16ef83f4e965d3e2a63be8c7774
Instruction Fuzzy Hash: 40D13875A04209EFCF14EF98D8819AEBBB6FF49310F154059E905AB391DB30AD82CF94

Function 0063FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0063FD1F

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: b0cfcdaf032f5cc54923488a178d216f4993d2c184263e3b98ede12234f6db83
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: E931D175A0010A9BC718CF59D4849AAFBB6FF49300F2496A5E80ACB756DB31EDC1CBC0

Function 00624ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00624E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00624EDD,?,006F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00624E9C
Part of subcall function 00624E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00624EAE
Part of subcall function 00624E90: FreeLibrary.KERNEL32(00000000,?,?,00624EDD,?,006F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00624EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,006F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00624EFD

Part of subcall function 00624E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00663CDE,?,006F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00624E62
Part of subcall function 00624E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00624E74
Part of subcall function 00624E59: FreeLibrary.KERNEL32(00000000,?,?,00663CDE,?,006F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00624E87

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 4ce8943872f7e8d4cb6f637fe7bece55ac24a19551377989d76055cfba907c40
Instruction ID: e8e2342a1078d3582617c5b2c27528dd2950921836bb75624f6581368997e7e2
Opcode Fuzzy Hash: 4ce8943872f7e8d4cb6f637fe7bece55ac24a19551377989d76055cfba907c40
Instruction Fuzzy Hash: 9F112731600A25AADF24AB60ED02FED77A7AFC0710F10842DF542A61C1DE719E459F58

Function 00658402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00658440

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 6ae900825d20df77095962f755b15272eb9b8b9d94a307f0f2a7e0419bd4923c
Instruction ID: 3209c4dce86c6cd97358b7d7041c0e1c525c9ff5f2b516fe933288e4c1755580
Opcode Fuzzy Hash: 6ae900825d20df77095962f755b15272eb9b8b9d94a307f0f2a7e0419bd4923c
Instruction Fuzzy Hash: DA11487190410AAFCB05DF58E9409DA7BFAEF48300F104069FC09AB312DA31DA15CBA4

Function 00655000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00654C7D: RtlAllocateHeap.NTDLL(00000008,00621129,00000000,?,00652E29,00000001,00000364,?,?,?,0064F2DE,00653863,006F1444,?,0063FDF5,?), ref: 00654CBE

_free.LIBCMT ref: 0065506C

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: b9e677510ddb9149ff2787e6a38f658874e1115789a0b56969681c37db4d3f83
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 4F014E722047055BE3318F55D84599AFBEEFB85371F25051DE985933C0EA306849C774

Function 0064E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 63ecc962419e7369a56c3d555e7192fb14f0334048a8372b286d19f8d063486c
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: C9F02832910A109AC7713A799C05B9B339FAF62336F11071DFC25A32D2CF75D80686AD

Function 00629CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00629CBD

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: b66f2ccc6a42f866386a2c3f527481c72d49d8aa6e16cad6a22e3b4c4ac6860b
Instruction ID: 92303df73eddc76c832b1ac3d4ba4327512dfbbc323b2c367630f0c17dbccb5a
Opcode Fuzzy Hash: b66f2ccc6a42f866386a2c3f527481c72d49d8aa6e16cad6a22e3b4c4ac6860b
Instruction Fuzzy Hash: 01F0C8B3600A117ED7149F29D806BA7BB95EF44760F10852EF619CB2D1DB71E5108BF4

Function 00654C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00621129,00000000,?,00652E29,00000001,00000364,?,?,?,0064F2DE,00653863,006F1444,?,0063FDF5,?), ref: 00654CBE

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1c89f3419b2deecc764dedaacccdcdf5390c4b77281b9b5d7a022690f8e25c20
Instruction ID: 32c38f290fa5fa521d173c74891ece959ed6d01bcb0428981035e00c37bfd633
Opcode Fuzzy Hash: 1c89f3419b2deecc764dedaacccdcdf5390c4b77281b9b5d7a022690f8e25c20
Instruction Fuzzy Hash: 61F0E93160222467DB215F62DC05B9B378BBFC17BAF144195BC15AB380CE71D88986E0

Function 00653820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,006F1444,?,0063FDF5,?,?,0062A976,00000010,006F1440,006213FC,?,006213C6,?,00621129), ref: 00653852

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 866a3a3e6061f343655691f8a9c29d0b4c3f2c0872a5afdd8f9ccdc5dea465ae
Instruction ID: 1aa7d1a842f37e1bfcd4b98e6263d2a6eb12c9f6d813716d92dc978e7adebf64
Opcode Fuzzy Hash: 866a3a3e6061f343655691f8a9c29d0b4c3f2c0872a5afdd8f9ccdc5dea465ae
Instruction Fuzzy Hash: 04E0E531100234A6D73526669C01BDB364FAF42FF2F050125BC55A7780CF51DE0582E4

Function 00624F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,006F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00624F6D

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 3181ce711683881a714a63cdf82bc2c9f566f2769beb07b4f9e3b0e0feba4a77
Instruction ID: b1142f93e4c83d449df3bf9742ae0c90ecafba3979d40dc2eb31103d4d2ada9e
Opcode Fuzzy Hash: 3181ce711683881a714a63cdf82bc2c9f566f2769beb07b4f9e3b0e0feba4a77
Instruction Fuzzy Hash: 0FF03071105B62CFDB349F64E590852B7E6FF94329310C97EE1EA82611CB319884DF10

Function 0068CCFF Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,0066EE51,006E3630,00000002), ref: 0068CD26

Part of subcall function 0068CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,0068CD19,?,?,?), ref: 0068CC59
Part of subcall function 0068CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,0068CD19,?,?,?,?,0066EE51,006E3630,00000002), ref: 0068CC6E
Part of subcall function 0068CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,0068CD19,?,?,?,?,0066EE51,006E3630,00000002), ref: 0068CC7A

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: 3eaf85fe66cd92caf1a5c8720ec6a9ea78e04a589521baf9e4b28123adee7e26
Instruction ID: 3f340729fe833fdb858763f7ba014113fea352b7a84ebdef3910060330ef466e
Opcode Fuzzy Hash: 3eaf85fe66cd92caf1a5c8720ec6a9ea78e04a589521baf9e4b28123adee7e26
Instruction Fuzzy Hash: 63E06D7A400704EFC721AF9ADD008AAFBF9FF84360710862FE996D2510D3B1AA54DB60

Function 00622DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00622DC4

Part of subcall function 00626B57: _wcslen.LIBCMT ref: 00626B6A

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 41fd4c5b895bda6ba6a069127ba61c0e6c743e8b0614fde2dbbc64d3992c0b2e
Instruction ID: 7738bde89edfa1ddd1dd1961d6f92651373f45b13d91a9bcff5fc64386a56867
Opcode Fuzzy Hash: 41fd4c5b895bda6ba6a069127ba61c0e6c743e8b0614fde2dbbc64d3992c0b2e
Instruction Fuzzy Hash: 58E0CD726001245BC7209258DC05FDA77DEDFC8790F044175FD09D7248D970AD808654

Function 00622B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00623837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00623908

Part of subcall function 0062D730: GetInputState.USER32 ref: 0062D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00622B6B

Part of subcall function 006230F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0062314E

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: f8fa5ae1d360baf251960001ad7d4cda4c052c8ead99089dc6553d74ca004807
Instruction ID: b7d0a274c3d11d668b67e285c719bd0837534ca193e1a69fb471facf3c24b976
Opcode Fuzzy Hash: f8fa5ae1d360baf251960001ad7d4cda4c052c8ead99089dc6553d74ca004807
Instruction Fuzzy Hash: 70E0262130063806C748BB34B8124BDA78B9BE2391F40293EF14247262CF2C46458A69

Function 0066039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00660704,?,?,00000000,?,00660704,00000000,0000000C), ref: 006603B7

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2cd898fcb9d5fe5a1732fe9210498c9e208f5904e82b3e8e860bf6a56b774d7d
Instruction ID: 1ee46f6a5c1661707ad282079bd517a34e0f18a8b685a8f82ffec695e8971b48
Opcode Fuzzy Hash: 2cd898fcb9d5fe5a1732fe9210498c9e208f5904e82b3e8e860bf6a56b774d7d
Instruction Fuzzy Hash: 0AD06C3204010DBBDF028F84DD06EDA3BAAFB48714F014100BE1866020C732E961AB90

Function 00621CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00621CBC

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: e7c733d0316448621080d15d0a30458d8edf973d23a2d9be5cccf4d41c77fb79
Instruction ID: c5634df2fa9bf507ed243db154a1573466663a1962a9130a05580eb37d08c07b
Opcode Fuzzy Hash: e7c733d0316448621080d15d0a30458d8edf973d23a2d9be5cccf4d41c77fb79
Instruction Fuzzy Hash: F9C09277280306EFF3248B84BC5AF207766A348B10F04A001F609A95E3C3A22870EA60

Function 0069744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00625745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0062949C,?,00008000), ref: 00625773

GetLastError.KERNEL32(00000002,00000000), ref: 006976DE

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 8a6a88ff841e2b0d1c7d202d23ac441dd05a7bfd550b3e7513c70949663c7068
Instruction ID: b64d9d30ea32cfc3a809102ad2d20968583626b3976b585722a3f639d1b92881
Opcode Fuzzy Hash: 8a6a88ff841e2b0d1c7d202d23ac441dd05a7bfd550b3e7513c70949663c7068
Instruction Fuzzy Hash: 1281DF30608B119FCB54EF28D491AA9B7E6BF88310F04452CF8865B792DB30ED45CF96

Function 0144DD3C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0144DD51

Memory Dump Source

Source File: 00000000.00000002.2190890557.000000000144B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0144B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144b000_NEWORDER.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: e2d6f9dd3e3c6b61aabaa2a69d7e6c8ab94721557ebd363084ed8eb198d87808
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: B5E09A7494010DAFDB10EFA8DA496AE7BB4EF04301F1005A1FD0597691DA309A548A62

Function 00626246 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,006624E0), ref: 00626266

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d5dab0f3bb0d272c446939f10c397cb1eab1ae4acfe0c82a37d659baa2f63f2d
Instruction ID: d85b5e794daf610e08c04afae9315a90c2ee997b4838526c4ad5501a21ef0109
Opcode Fuzzy Hash: d5dab0f3bb0d272c446939f10c397cb1eab1ae4acfe0c82a37d659baa2f63f2d
Instruction Fuzzy Hash: D1E0B675401B11CFC3358F1AE804452FBF6FFE13613204A2EE0E592664D3B059868F50

Function 0144DD40 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0144DD51

Memory Dump Source

Source File: 00000000.00000002.2190890557.000000000144B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0144B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144b000_NEWORDER.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: b1c95eda2563496a4e77f2e4a733b6ebab7bdbdeba07b18c2245ccf88330391c
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: C4E0E67494010DDFDB00EFF8DA496AE7FB4EF04301F100161FD01D2281D6309D508A62

Non-executed Functions

Function 006B9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00639BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00639BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 006B961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006B965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 006B969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006B96C9
SendMessageW.USER32 ref: 006B96F2
GetKeyState.USER32(00000011), ref: 006B978B
GetKeyState.USER32(00000009), ref: 006B9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006B97AE
GetKeyState.USER32(00000010), ref: 006B97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006B97E9
SendMessageW.USER32 ref: 006B9810
SendMessageW.USER32(?,00001030,?,006B7E95), ref: 006B9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 006B992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 006B9941
SetCapture.USER32(?), ref: 006B994A
ClientToScreen.USER32(?,?), ref: 006B99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 006B99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006B99D6
ReleaseCapture.USER32 ref: 006B99E1
GetCursorPos.USER32(?), ref: 006B9A19
ScreenToClient.USER32(?,?), ref: 006B9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 006B9A80
SendMessageW.USER32 ref: 006B9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 006B9AEB
SendMessageW.USER32 ref: 006B9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 006B9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 006B9B4A
GetCursorPos.USER32(?), ref: 006B9B68
ScreenToClient.USER32(?,?), ref: 006B9B75
GetParent.USER32(?), ref: 006B9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 006B9BFA
SendMessageW.USER32 ref: 006B9C2B
ClientToScreen.USER32(?,?), ref: 006B9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 006B9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 006B9CDE
SendMessageW.USER32 ref: 006B9D01
ClientToScreen.USER32(?,?), ref: 006B9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 006B9D82

Part of subcall function 00639944: GetWindowLongW.USER32(?,000000EB), ref: 00639952

GetWindowLongW.USER32(?,000000F0), ref: 006B9E05

Strings

p#o, xrefs: 006B9990
@GUI_DRAGID, xrefs: 006B997D
F, xrefs: 006B9D07

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#o
API String ID: 3429851547-906295620
Opcode ID: 4270961af16c58ad8b0fd7a72910668feafa7f3b671882130a3de364ac229659
Instruction ID: 0b5018c297b23331708e5a1e09b8a174fe38aace0b5e7ba940e92bcfc498435e
Opcode Fuzzy Hash: 4270961af16c58ad8b0fd7a72910668feafa7f3b671882130a3de364ac229659
Instruction Fuzzy Hash: 14429DB0204250AFE724CF24CC44EEABBE6FF4A360F145619F655872A1E771D991CFA1

Function 006B4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 006B48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 006B4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 006B4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 006B494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 006B495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 006B497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 006B49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 006B49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 006B4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 006B4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 006B4A7E
IsMenu.USER32(?), ref: 006B4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006B4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006B4B20
GetWindowLongW.USER32(?,000000F0), ref: 006B4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 006B4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 006B4C82
wsprintfW.USER32 ref: 006B4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006B4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 006B4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 006B4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006B4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 006B4D5A

Strings

%d/%02d/%02d, xrefs: 006B4CA8

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: f5f4c30166a475c15e06d734f18dcd1c2e5ff8ca16bccaccd3a125810576cfbe
Instruction ID: 3c8022bbc1a36867a17e19479eab2e5c3d78cd346d9499ead5b017370d6fee7f
Opcode Fuzzy Hash: f5f4c30166a475c15e06d734f18dcd1c2e5ff8ca16bccaccd3a125810576cfbe
Instruction Fuzzy Hash: 2D12B1B1500215ABEB259F28CC49FEE7BBAEF85710F104219F515EB2A2DF749A81CB50

Function 0063F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0063F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0067F474
IsIconic.USER32(00000000), ref: 0067F47D
ShowWindow.USER32(00000000,00000009), ref: 0067F48A
SetForegroundWindow.USER32(00000000), ref: 0067F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0067F4AA
GetCurrentThreadId.KERNEL32 ref: 0067F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0067F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0067F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0067F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0067F4DE
SetForegroundWindow.USER32(00000000), ref: 0067F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0067F4F6
keybd_event.USER32(00000012,00000000), ref: 0067F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0067F50B
keybd_event.USER32(00000012,00000000), ref: 0067F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0067F519
keybd_event.USER32(00000012,00000000), ref: 0067F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0067F528
keybd_event.USER32(00000012,00000000), ref: 0067F52D
SetForegroundWindow.USER32(00000000), ref: 0067F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0067F557

Strings

Shell_TrayWnd, xrefs: 0067F46F

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 4dea17565821f4527bd26a7a052cadee3b25e9cce9ee8d95ca1c5062d01b0d9b
Instruction ID: 4a3c9ea6b4bdcd35061c2c642a977e86bbf170168f4704ae85ab49ee6d66f18d
Opcode Fuzzy Hash: 4dea17565821f4527bd26a7a052cadee3b25e9cce9ee8d95ca1c5062d01b0d9b
Instruction Fuzzy Hash: 0C31A8B1A403187FFB306BB58C49FBF7E6EEB44B60F105125FA04E61D1D6B05E50AA60

Function 00681201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 006816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0068170D
Part of subcall function 006816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0068173A
Part of subcall function 006816C3: GetLastError.KERNEL32 ref: 0068174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00681286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 006812A8
CloseHandle.KERNEL32(?), ref: 006812B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 006812D1
GetProcessWindowStation.USER32 ref: 006812EA
SetProcessWindowStation.USER32(00000000), ref: 006812F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00681310

Part of subcall function 006810BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006811FC), ref: 006810D4
Part of subcall function 006810BF: CloseHandle.KERNEL32(?,?,006811FC), ref: 006810E9

Strings

default, xrefs: 0068130B
Zn, xrefs: 00681392
winsta0, xrefs: 006812CC
, xrefs: 0068125A

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Zn
API String ID: 22674027-1505778627
Opcode ID: a6cfd0fd6d75632b4cd4dcf1cd06c5661c2c581e154636de4865349d9c73b08b
Instruction ID: a8b9919c8d000ca7dc8fbf3e626b0df9c9429d407e410e1cc767499cb96a2449
Opcode Fuzzy Hash: a6cfd0fd6d75632b4cd4dcf1cd06c5661c2c581e154636de4865349d9c73b08b
Instruction Fuzzy Hash: 618195B1900209AFDF21AFA4DC49FEE7BBEEF05714F144229F911BA250D7718A85CB64

Function 00680B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00681114
Part of subcall function 006810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00680B9B,?,?,?), ref: 00681120
Part of subcall function 006810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00680B9B,?,?,?), ref: 0068112F
Part of subcall function 006810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00680B9B,?,?,?), ref: 00681136
Part of subcall function 006810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0068114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00680BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00680C00
GetLengthSid.ADVAPI32(?), ref: 00680C17
GetAce.ADVAPI32(?,00000000,?), ref: 00680C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00680C6D
GetLengthSid.ADVAPI32(?), ref: 00680C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00680C8C
HeapAlloc.KERNEL32(00000000), ref: 00680C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00680CB4
CopySid.ADVAPI32(00000000), ref: 00680CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00680CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00680D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00680D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00680D45
HeapFree.KERNEL32(00000000), ref: 00680D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00680D55
HeapFree.KERNEL32(00000000), ref: 00680D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00680D65
HeapFree.KERNEL32(00000000), ref: 00680D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00680D78
HeapFree.KERNEL32(00000000), ref: 00680D7F

Part of subcall function 00681193: GetProcessHeap.KERNEL32(00000008,00680BB1,?,00000000,?,00680BB1,?), ref: 006811A1
Part of subcall function 00681193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00680BB1,?), ref: 006811A8
Part of subcall function 00681193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00680BB1,?), ref: 006811B7

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 46ed7a6a01711da8f42e8dfa84b7f09ce82fe08c26cc36032a1d6e8c487d4d45
Instruction ID: e8395ba894c9914ab7311f9167c9d88d5f81b4673e6bc18e438d5e4a06dcdf12
Opcode Fuzzy Hash: 46ed7a6a01711da8f42e8dfa84b7f09ce82fe08c26cc36032a1d6e8c487d4d45
Instruction Fuzzy Hash: 6B7161B190020AAFEF50EFA4DC44FEEBBBABF05310F144615F914A7251D771AA45CB60

Function 0069EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(006BCC08), ref: 0069EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0069EB37
GetClipboardData.USER32(0000000D), ref: 0069EB43
CloseClipboard.USER32 ref: 0069EB4F
GlobalLock.KERNEL32(00000000), ref: 0069EB87
CloseClipboard.USER32 ref: 0069EB91
GlobalUnlock.KERNEL32(00000000), ref: 0069EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0069EBC9
GetClipboardData.USER32(00000001), ref: 0069EBD1
GlobalLock.KERNEL32(00000000), ref: 0069EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0069EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0069EC38
GetClipboardData.USER32(0000000F), ref: 0069EC44
GlobalLock.KERNEL32(00000000), ref: 0069EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0069EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0069EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0069ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0069ECF3
CountClipboardFormats.USER32 ref: 0069ED14
CloseClipboard.USER32 ref: 0069ED59

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 60c6a45b788ae1cebef45a76e88311fdc1bb6a20243dd7056fb86292dfc5d3b3
Instruction ID: a45bba5a8dd1a54596e6efd3c93b45537be7cf36a72627c847a8e37d930e8a79
Opcode Fuzzy Hash: 60c6a45b788ae1cebef45a76e88311fdc1bb6a20243dd7056fb86292dfc5d3b3
Instruction Fuzzy Hash: 8B61E074204202AFD700EF24D884F6A77AAEF84724F14561DF456876A2DB32DE4ACB62

Function 0069698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 006969BE
FindClose.KERNEL32(00000000), ref: 00696A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00696A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00696A75

Part of subcall function 00629CB3: _wcslen.LIBCMT ref: 00629CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00696AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00696ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00696B6A
%02d, xrefs: 00696C00, 00696C0A, 00696C5A, 00696CAA, 00696CFA, 00696D4A
%03d, xrefs: 00696DA2
%4d, xrefs: 00696BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00696B32

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: d852e30f868e48698a5f19b0db0d578a241f7d9f9dc4ca6854ca5adfdf427380
Instruction ID: a9a0cf298cf555a7e2fe6c4ad6cf898eb2d7c989690da20a220c6adcc134aa91
Opcode Fuzzy Hash: d852e30f868e48698a5f19b0db0d578a241f7d9f9dc4ca6854ca5adfdf427380
Instruction Fuzzy Hash: A1D160B1508310AFC754EBA0D991EAFB7EEBF88704F04491DF585C6191EB34DA48CB62

Function 00699642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00699663
GetFileAttributesW.KERNEL32(?), ref: 006996A1
SetFileAttributesW.KERNEL32(?,?), ref: 006996BB
FindNextFileW.KERNEL32(00000000,?), ref: 006996D3
FindClose.KERNEL32(00000000), ref: 006996DE
FindFirstFileW.KERNEL32(*.*,?), ref: 006996FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0069974A
SetCurrentDirectoryW.KERNEL32(006E6B7C), ref: 00699768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00699772
FindClose.KERNEL32(00000000), ref: 0069977F
FindClose.KERNEL32(00000000), ref: 0069978F

Strings

*.*, xrefs: 006996F5

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: b74001ed082774f663e0f25361e53f72b770456d997ed3911073f84b03fcac61
Instruction ID: 02ab23255515d5ea03f24a77e92306a3b8941b0c4e87a5796ec2d566394d35b8
Opcode Fuzzy Hash: b74001ed082774f663e0f25361e53f72b770456d997ed3911073f84b03fcac61
Instruction Fuzzy Hash: AE31C2725012196FDF14AFF9DC48ADE77AE9F49320F14425AF805E2290EB70DB808A24

Function 0069979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 006997BE
FindNextFileW.KERNEL32(00000000,?), ref: 00699819
FindClose.KERNEL32(00000000), ref: 00699824
FindFirstFileW.KERNEL32(*.*,?), ref: 00699840
SetCurrentDirectoryW.KERNEL32(?), ref: 00699890
SetCurrentDirectoryW.KERNEL32(006E6B7C), ref: 006998AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 006998B8
FindClose.KERNEL32(00000000), ref: 006998C5
FindClose.KERNEL32(00000000), ref: 006998D5

Part of subcall function 0068DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0068DB00

Strings

*.*, xrefs: 0069983B

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 33a10dcde31b6b7e506c58f467000415a3784a84ee2b52bc5ed4753e8edc7efb
Instruction ID: aa3930a9efce323d7b8f632e1ddc4701056ad7b06c8ca599ddab55ebb1577ccf
Opcode Fuzzy Hash: 33a10dcde31b6b7e506c58f467000415a3784a84ee2b52bc5ed4753e8edc7efb
Instruction Fuzzy Hash: D831C3715012196FDF10AFB9DC48ADE77AE9F06320F14465EF810A26D1DB70DA858B34

Function 00698195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00698257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00698267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00698273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00698310
SetCurrentDirectoryW.KERNEL32(?), ref: 00698324
SetCurrentDirectoryW.KERNEL32(?), ref: 00698356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0069838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00698395

Strings

*.*, xrefs: 0069839B

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: e1730c41ee88176dc9e06897999642aba639b7929903bc5af6d6ed073c76aa8e
Instruction ID: 8a81dc50e012827e9bf644c57d2089914e9df1c54bc2f3488237682417ee2889
Opcode Fuzzy Hash: e1730c41ee88176dc9e06897999642aba639b7929903bc5af6d6ed073c76aa8e
Instruction Fuzzy Hash: 7E6159B25047059FCB10EF60D84099EB3EAFF89320F04491DF989D7651DB31EA45CB96

Function 0068D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00623AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00623A97,?,?,00622E7F,?,?,?,00000000), ref: 00623AC2

Part of subcall function 0068E199: GetFileAttributesW.KERNEL32(?,0068CF95), ref: 0068E19A

FindFirstFileW.KERNEL32(?,?), ref: 0068D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0068D1DD
MoveFileW.KERNEL32(?,?), ref: 0068D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0068D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0068D237

Part of subcall function 0068D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0068D21C,?,?), ref: 0068D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0068D253
FindClose.KERNEL32(00000000), ref: 0068D264

Strings

\*.*, xrefs: 0068D0CD, 0068D0D6, 0068D0EB

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 6b5c3e02df8ed1c00b4eb234b0055c1c2a6f242fce75eafffb58894a4641afe4
Instruction ID: 7897a24177394429cadda81bf3d63e3ebc55dd7c4be744341628e7a1e7e64c42
Opcode Fuzzy Hash: 6b5c3e02df8ed1c00b4eb234b0055c1c2a6f242fce75eafffb58894a4641afe4
Instruction Fuzzy Hash: FF61483180112DAACF45FBA0E9929EDB7B6AF55300F244269E40277291EB356F49CF64

Function 0069ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0069ED91
EmptyClipboard.USER32 ref: 0069ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0069EDAC
CloseClipboard.USER32 ref: 0069EEA3

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 477e69a696ed47520b6bfe5d0956d1aed4a0a2e6814e5949bc8cc9fa324969b7
Instruction ID: 3987fc19530af34318af1a5db1630e7313ca28ff49394c629a5d210c622ca0fa
Opcode Fuzzy Hash: 477e69a696ed47520b6bfe5d0956d1aed4a0a2e6814e5949bc8cc9fa324969b7
Instruction Fuzzy Hash: 99419D75604611AFDB10CF15E888F59BBE6FF44328F14C199E4158BB62C736ED82CB90

Function 0068E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 006816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0068170D
Part of subcall function 006816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0068173A
Part of subcall function 006816C3: GetLastError.KERNEL32 ref: 0068174A

ExitWindowsEx.USER32(?,00000000), ref: 0068E932

Strings

, xrefs: 0068E95C
@, xrefs: 0068E925
, xrefs: 0068E920
SeShutdownPrivilege, xrefs: 0068E902

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: a4e1d867d4b35e392ddddcc2d333fa00a105df126ed592ed93f2953ae8d69306
Instruction ID: 42836505b551c608dfc3eff644b2245641dc47a301850bc82df127dead4e67fa
Opcode Fuzzy Hash: a4e1d867d4b35e392ddddcc2d333fa00a105df126ed592ed93f2953ae8d69306
Instruction Fuzzy Hash: 23012672610211ABEF6432B49C8AFFB725E9714761F150721F902E22E2D6E29D8083A4

Function 006A1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 006A1276
WSAGetLastError.WSOCK32 ref: 006A1283
bind.WSOCK32(00000000,?,00000010), ref: 006A12BA
WSAGetLastError.WSOCK32 ref: 006A12C5
closesocket.WSOCK32(00000000), ref: 006A12F4
listen.WSOCK32(00000000,00000005), ref: 006A1303
WSAGetLastError.WSOCK32 ref: 006A130D
closesocket.WSOCK32(00000000), ref: 006A133C

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 0d54af9ee199685a4e2a7e45c04294f8406309191de2d52e462986ea15f70cde
Instruction ID: 9782e8ed46df3298bc1c73b728a9fe679bb87d22c3e392bcea7cc3259ef95f0b
Opcode Fuzzy Hash: 0d54af9ee199685a4e2a7e45c04294f8406309191de2d52e462986ea15f70cde
Instruction Fuzzy Hash: 21417F716001109FD710EF24D494B69BBE6AF87328F188198E8569F396C771EE81CFE1

Function 0065B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0065B9D4
_free.LIBCMT ref: 0065B9F8
_free.LIBCMT ref: 0065BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,006C3700), ref: 0065BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,006F121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0065BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,006F1270,000000FF,?,0000003F,00000000,?), ref: 0065BC36
_free.LIBCMT ref: 0065BD4B

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: d16ec1751ecc14af08af04c3dc439d1889445ca90dc66c6e33acf438d977c1be
Instruction ID: bf817cdc9a8fc271f95e4b75963b9b0ff8454df0641197f79e6b64be78b47636
Opcode Fuzzy Hash: d16ec1751ecc14af08af04c3dc439d1889445ca90dc66c6e33acf438d977c1be
Instruction Fuzzy Hash: 33C137719002459FCB209F69CC41AEA7BBBEF42351F18619EEC90DB351EB308E49C754

Function 0068D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00623AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00623A97,?,?,00622E7F,?,?,?,00000000), ref: 00623AC2

Part of subcall function 0068E199: GetFileAttributesW.KERNEL32(?,0068CF95), ref: 0068E19A

FindFirstFileW.KERNEL32(?,?), ref: 0068D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0068D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0068D481
FindClose.KERNEL32(00000000), ref: 0068D498
FindClose.KERNEL32(00000000), ref: 0068D4A1

Strings

\*.*, xrefs: 0068D3F2

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 6aa4dad50ebae4b898912615f5e590405aac8679ca03db5a9f5b93496815b516
Instruction ID: 3a5ba96b46c3d009479d6ef83e70bb5bac987b6d7e48ab50f89fdb4e2c031e50
Opcode Fuzzy Hash: 6aa4dad50ebae4b898912615f5e590405aac8679ca03db5a9f5b93496815b516
Instruction Fuzzy Hash: 10317C714087959BC344FF64E8918AFB7EABE91310F444E2DF4D1922D1EB34AA09CB67

Function 0065E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0065E645

Strings

1#INF, xrefs: 0065F852
1#IND, xrefs: 0065F83D
1#SNAN, xrefs: 0065F844
1#QNAN, xrefs: 0065F84B

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 430485ec0f29c017f77835c3d3fb9bdf382dc570aa0107eba27ebed1514e8ec5
Instruction ID: 1caeb9a62bf0fd7a57b4547e0825dc1de4545f25a62eb8f116d1b50c458e60d8
Opcode Fuzzy Hash: 430485ec0f29c017f77835c3d3fb9bdf382dc570aa0107eba27ebed1514e8ec5
Instruction Fuzzy Hash: 98C22B71E046288BDF69CF28DD407EAB7B6EB44306F1441EAD84DE7241E775AE898F40

Function 0069648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006964DC
CoInitialize.OLE32(00000000), ref: 00696639
CoCreateInstance.OLE32(006BFCF8,00000000,00000001,006BFB68,?), ref: 00696650
CoUninitialize.OLE32 ref: 006968D4

Strings

.lnk, xrefs: 006964BA, 00696524, 006965E0

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 1ca161e26cc2c6bdc3077756b812eeed14cf3124151195984ffa4e39673ff2ce
Instruction ID: 546dcc7c4ddaf0063800d1ee5fcb772c084aaf244efe6e0ef017a9af2f9ad685
Opcode Fuzzy Hash: 1ca161e26cc2c6bdc3077756b812eeed14cf3124151195984ffa4e39673ff2ce
Instruction Fuzzy Hash: 74D14871508711AFC744EF24D891DABB7EABF98304F00496DF5958B2A1DB70E909CBA2

Function 006A22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 006A22E8

Part of subcall function 0069E4EC: GetWindowRect.USER32(?,?), ref: 0069E504

GetDesktopWindow.USER32 ref: 006A2312
GetWindowRect.USER32(00000000), ref: 006A2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 006A2355
GetCursorPos.USER32(?), ref: 006A2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 006A23DF

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 9300f1b4bb06dcb6c0b03aae6dd86a26d7aa1e94ccd3d38a7e598be06ffa9883
Instruction ID: e32ed2825a446a0ca3e902e49df3336fde8f8acfbb96159ced13ad6ca8bab2ce
Opcode Fuzzy Hash: 9300f1b4bb06dcb6c0b03aae6dd86a26d7aa1e94ccd3d38a7e598be06ffa9883
Instruction Fuzzy Hash: E731C172544316AFCB20EF18C845A9BB7AAFF85310F000A1DF98597181DB35EE48CB91

Function 00699B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00629CB3: _wcslen.LIBCMT ref: 00629CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00699B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00699C8B

Part of subcall function 00693874: GetInputState.USER32 ref: 006938CB
Part of subcall function 00693874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00693966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00699BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00699C75

Strings

*.*, xrefs: 00699B5D

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 91d6f63f73d9d2a7152e022bfdfbfebee34437cb3f5bcae0186af3aca313566e
Instruction ID: 2fb06c5f0dbaf652af1647e601a2c9ab69caecbcd26746838befeeeef76a15a5
Opcode Fuzzy Hash: 91d6f63f73d9d2a7152e022bfdfbfebee34437cb3f5bcae0186af3aca313566e
Instruction Fuzzy Hash: 5A41827190061ADFCF54DF68DC85AEEBBBAEF05310F14415AE405A2291EB309F84CF64

Function 0063997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00639BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00639BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00639A4E
GetSysColor.USER32(0000000F), ref: 00639B23
SetBkColor.GDI32(?,00000000), ref: 00639B36

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 3e997ccb2111c87099e1af45f92738a24beabe211be7b2e42e4049d0322b9de9
Instruction ID: 226c87812687073d15e42c0690f020e4f67ee0f34f863d48a8570a5fd72e31ab
Opcode Fuzzy Hash: 3e997ccb2111c87099e1af45f92738a24beabe211be7b2e42e4049d0322b9de9
Instruction Fuzzy Hash: 63A12AB1108404EEE7289A3D8C59EFB269FDF42350F15830DF502C6795CAA59D42DBF5

Function 006A1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006A304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 006A307A
Part of subcall function 006A304E: _wcslen.LIBCMT ref: 006A309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 006A185D
WSAGetLastError.WSOCK32 ref: 006A1884
bind.WSOCK32(00000000,?,00000010), ref: 006A18DB
WSAGetLastError.WSOCK32 ref: 006A18E6
closesocket.WSOCK32(00000000), ref: 006A1915

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 13c8863c3fde54a56b48b3b97eea6a72e47296989013d680f9088dbc1d5f38bb
Instruction ID: 6e86fcbc37db571dc3fe55d65572b639bbb39fdf60eddb670cd7622aedec49fc
Opcode Fuzzy Hash: 13c8863c3fde54a56b48b3b97eea6a72e47296989013d680f9088dbc1d5f38bb
Instruction Fuzzy Hash: AB51B171A00610AFEB10AF24D896F6A77EAAF49718F04805CF9066F3C3C775AD418BE5

Function 006B1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 006B1CC0
IsWindowEnabled.USER32 ref: 006B1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 006B1CDB
IsIconic.USER32 ref: 006B1CE9
IsZoomed.USER32 ref: 006B1CF7

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: a1c4b31a12b0e3d3ff6bfe8b4ccd47998be7e3b94a6d17c79cf80449d76b89a5
Instruction ID: 69e2b431146657feff4482238049a29a582eea3c7fb2bd2b718dc422fab94141
Opcode Fuzzy Hash: a1c4b31a12b0e3d3ff6bfe8b4ccd47998be7e3b94a6d17c79cf80449d76b89a5
Instruction Fuzzy Hash: AF21B4B17402116FD7208F1AC864BEA7BE6AF86324B58805CE845CF352D775DD82CB94

Function 00628060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 0062813C
VUUU, xrefs: 00665DF0
VUUU, xrefs: 0062843C
VUUU, xrefs: 006283FA
VUUU, xrefs: 006283E8

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 66e78b76f6db380e0bc806e7b07ab12eb7aef63bf0fe35e1fa9579539cf17c9c
Instruction ID: 107188d8e01bc549a3b4f2383e04d720617ff27a4e1f3d33c9851cf3fda63f23
Opcode Fuzzy Hash: 66e78b76f6db380e0bc806e7b07ab12eb7aef63bf0fe35e1fa9579539cf17c9c
Instruction Fuzzy Hash: 59A24C70A0162ACFDF24CF58D9517EDB7B2BB54310F2481AAE816A7385DB749E81CF90

Function 00688298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 006882AA

Strings

|, xrefs: 006882DA
(, xrefs: 006882F0
tbn, xrefs: 006884F4

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: lstrlen
String ID: ($tbn$|
API String ID: 1659193697-2322377913
Opcode ID: d482810f2d654cd328c11b88110b13c73cd33ef1a1d8f614ae2a7a18b72e3636
Instruction ID: 542aec9eb6af139ce1e93ee975698c78c8c8d3450c518b4cc2ea0a5e08aee161
Opcode Fuzzy Hash: d482810f2d654cd328c11b88110b13c73cd33ef1a1d8f614ae2a7a18b72e3636
Instruction Fuzzy Hash: A6324474A007059FCB28DF59C480AAAB7F1FF48710B55C56EE49ADB3A1EB70E981CB44

Function 006AA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 006AA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 006AA6BA

Part of subcall function 00629CB3: _wcslen.LIBCMT ref: 00629CBD

Process32NextW.KERNEL32(00000000,?), ref: 006AA79C
CloseHandle.KERNEL32(00000000), ref: 006AA7AB

Part of subcall function 0063CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00663303,?), ref: 0063CE8A

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 634788fed4ea79b29b16527a53a4bb124ab9ad134a27cdfc864ab95cb08ac812
Instruction ID: 2c33e5a16d5f82ac00147f28e17d069fafccf71086b6dbab0b739ede7ad269b7
Opcode Fuzzy Hash: 634788fed4ea79b29b16527a53a4bb124ab9ad134a27cdfc864ab95cb08ac812
Instruction Fuzzy Hash: E7516C71508710AFD350EF24D886A6BBBEAFF89754F00492DF58597252EB30D904CFA6

Function 0068AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0068AAAC
SetKeyboardState.USER32(00000080), ref: 0068AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0068AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0068AB88

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 023c5494cd5ef52b311a048f258437e2237a850e5681d76b7fc15c52302b8d71
Instruction ID: d2499c5dea4572b643b0b73b4c633431b81b264fd21098aec0db6f34815f72a1
Opcode Fuzzy Hash: 023c5494cd5ef52b311a048f258437e2237a850e5681d76b7fc15c52302b8d71
Instruction Fuzzy Hash: C031DA70A40248AFFB35ABA5CC05BFA7BA7AB44320F04431BF9C1566D1D3758985C766

Function 0069CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0069CE89
GetLastError.KERNEL32(?,00000000), ref: 0069CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0069CEFE

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: da342252f81fc9ae2d8b3c440dce335d0ff57acafc94eaa43d60d0c34f8433b1
Instruction ID: 211754f59320ab3f0b805c8f66f6a104f0f54c10cd7698e329e46b2371444a0c
Opcode Fuzzy Hash: da342252f81fc9ae2d8b3c440dce335d0ff57acafc94eaa43d60d0c34f8433b1
Instruction Fuzzy Hash: E621BDB15007059BDF20DF65C948BA677FEEF40364F10442EE546D2651E770EE458B64

Function 0068DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00665222), ref: 0068DBCE
GetFileAttributesW.KERNEL32(?), ref: 0068DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0068DBEE
FindClose.KERNEL32(00000000), ref: 0068DBFA

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 8de1490a2ae21a3c203c658219c6a9227c0784bbda78080ac6aca2385ba1d4a6
Instruction ID: 480267e54887c9bb084dd863a859ae27af7ab188a12bf8aaee822ff5249e5cec
Opcode Fuzzy Hash: 8de1490a2ae21a3c203c658219c6a9227c0784bbda78080ac6aca2385ba1d4a6
Instruction Fuzzy Hash: 0AF0E5B081091057C320BB7CAC0D8AA376E9E01374B104702F836C22F0EBB05F95C7E5

Function 00695C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00695CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00695D17
FindClose.KERNEL32(?), ref: 00695D5F

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: e4a8dbc6f3047098719be1f7a3f422e59c26e2903a2fde9c4f6fb3e6a301b6b9
Instruction ID: f35ea51a6e34e28052f1079c20e781f0d2b6476bbada54df641f92ac03d6f038
Opcode Fuzzy Hash: e4a8dbc6f3047098719be1f7a3f422e59c26e2903a2fde9c4f6fb3e6a301b6b9
Instruction Fuzzy Hash: 5151DC74600A018FCB04CF28C494E9AB7EAFF49324F14855EE95A8B3A1CB30ED48CF95

Function 00652622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0065271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00652724
UnhandledExceptionFilter.KERNEL32(?), ref: 00652731

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: c5283a2686609392ba4200f5e7eb1f29c07efb18f40e628656a1601214855f25
Instruction ID: 3fef1246717c641180655593ed69a88d17a39fbea7155a837212e968fad1f31d
Opcode Fuzzy Hash: c5283a2686609392ba4200f5e7eb1f29c07efb18f40e628656a1601214855f25
Instruction Fuzzy Hash: DE31D67491122D9BCB61DF68DC88BDCB7B9AF08310F5042EAE80CA7261E7309F858F45

Function 006951CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006951DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00695238
SetErrorMode.KERNEL32(00000000), ref: 006952A1

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 62a59ded9d76f1636a55a39bc7da15c3fee70a6a4444c35255dd8ad6ece35cd2
Instruction ID: 3012725579678be74473118342c136d5a1af8d0519a3c7983f686b23a44b3ac8
Opcode Fuzzy Hash: 62a59ded9d76f1636a55a39bc7da15c3fee70a6a4444c35255dd8ad6ece35cd2
Instruction Fuzzy Hash: 5B314175A00518DFDB00DF54D884EEDBBB5FF49314F048099E805AB352DB35E955CBA1

Function 006816C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0063FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00640668
Part of subcall function 0063FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00640685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0068170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0068173A
GetLastError.KERNEL32 ref: 0068174A

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 52dc8ff99e15f591f93ef55af069597ba3977654e92f6d5a7eceb97e88ff5447
Instruction ID: 3bb9daccae8632a27c122e63eae39de41e3d2bc612d41c95631b9687dbcb21b4
Opcode Fuzzy Hash: 52dc8ff99e15f591f93ef55af069597ba3977654e92f6d5a7eceb97e88ff5447
Instruction Fuzzy Hash: 4B1194B1804304AFD718AF54DC86D6AB7BEEF45714F20862EF05657241EB70BC428B64

Function 0068D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0068D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0068D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0068D650

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 7316e6e20c3f77007de5d62fcb7172cff919bf1e5f1767ed02a8bcb48551d38b
Instruction ID: 171d39b9a62a4fdab38e407aa4e42175ecb99fd509a05e1f16749db1e4a1d2e2
Opcode Fuzzy Hash: 7316e6e20c3f77007de5d62fcb7172cff919bf1e5f1767ed02a8bcb48551d38b
Instruction Fuzzy Hash: 1F1182B1E05228BFDB108F94EC44FAFBBBDEB45B60F104211F904E7290D2704A418BA1

Function 00681663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0068168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 006816A1
FreeSid.ADVAPI32(?), ref: 006816B1

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 3d56efed51b542c3303dea386981b264e27eb89fa6865b1d19537b089ec1dac7
Instruction ID: ccb12f3487661347edae625185aae87b2f9ffdaab3326bb13a92e02dfbb755c8
Opcode Fuzzy Hash: 3d56efed51b542c3303dea386981b264e27eb89fa6865b1d19537b089ec1dac7
Instruction Fuzzy Hash: 17F0F971950309FBDB00DFE49C89AAEBBBDFB04614F504565E501E2181E775AA848B50

Function 00644CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(006528E9,?,00644CBE,006528E9,006E88B8,0000000C,00644E15,006528E9,00000002,00000000,?,006528E9), ref: 00644D09
TerminateProcess.KERNEL32(00000000,?,00644CBE,006528E9,006E88B8,0000000C,00644E15,006528E9,00000002,00000000,?,006528E9), ref: 00644D10
ExitProcess.KERNEL32 ref: 00644D22

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: db1da15d32945ef11bb4abe516c791b7e726faabcd7eb112e4c6c774d0eb253f
Instruction ID: b1ff93bfe09e06c796b3a51afa5da15c324db5045ca0f66473831e45d4467da9
Opcode Fuzzy Hash: db1da15d32945ef11bb4abe516c791b7e726faabcd7eb112e4c6c774d0eb253f
Instruction Fuzzy Hash: 5FE0B671400548ABCF51AF54DD0AA983FABEF41791F505118FC059A222CF35DE82CA84

Function 0065C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0065C36C

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 7c5bbdd21bff1eb8d7ae1fc5c639e01fe098fdba59daf2ffb710c29a9aaa1350
Instruction ID: 177cf191cb5ed93e2796c2af8d266122136f5712cfa96f4da869ecc6503f3835
Opcode Fuzzy Hash: 7c5bbdd21bff1eb8d7ae1fc5c639e01fe098fdba59daf2ffb710c29a9aaa1350
Instruction Fuzzy Hash: 6F412672500319AFCB209FB9CC49DEB77BAEB84325F5042ADFD05C7280E6719E858B54

Function 0067D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0067D28C

Strings

X64, xrefs: 0067D2A8

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 1097ecdc14917bab24570f8dc6bf46df4baf5f035f8b3aa5e944b4ee0f501b4c
Instruction ID: acfc2ac93ed7c9b95eb3a681a0fb4c018c6cda33b0ce656179be6431a4d9919d
Opcode Fuzzy Hash: 1097ecdc14917bab24570f8dc6bf46df4baf5f035f8b3aa5e944b4ee0f501b4c
Instruction Fuzzy Hash: 21D0CAB480112DEBCB94DBA0EC88DDEB3BDBB04305F104692F60AA2000DB30968A9F20

Function 0064CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 586b698509014d0d9fbfb318e9ed269f9a1f68456f76fd5901a0484a1fb7c09a
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 86021C71E012199FDF54CFA9C8806EDBBF2EF48324F258169D919EB380D731AA45CB94

Function 0062CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#o, xrefs: 0062CF7F
Variable is not of type 'Object'., xrefs: 00670C40

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#o
API String ID: 0-2363411428
Opcode ID: c75a20b887db97c3fe92ef5a2fbaed41b344715c884c80622c236ea61b384d3a
Instruction ID: 28e56224bc3155a576cd51daf85a8d80b2a7a5d0b8cbbab82060fcf1fb72f209
Opcode Fuzzy Hash: c75a20b887db97c3fe92ef5a2fbaed41b344715c884c80622c236ea61b384d3a
Instruction Fuzzy Hash: 5F32AD70900628DBDF14DF90E991AEDB7B7BF05314F248059E80AAB382D775AE46CF61

Function 006968EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00696918
FindClose.KERNEL32(00000000), ref: 00696961

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d3819bc6f9c38726edfae4676fc6af8b34482e4fb06ed40eb8ff857866e110b9
Instruction ID: 29204bf5cb6386889d198651ddad057fbdbc8627774a3764a5bfc93e01669865
Opcode Fuzzy Hash: d3819bc6f9c38726edfae4676fc6af8b34482e4fb06ed40eb8ff857866e110b9
Instruction Fuzzy Hash: A1118E716046119FCB10DF29D484A1ABBE6EF89328F14C69DF4698F7A2CB30ED45CB91

Function 006937B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,006A4891,?,?,00000035,?), ref: 006937E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,006A4891,?,?,00000035,?), ref: 006937F4

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 86aa9fce264019b0dd416fb401a77ee8f8d23ba72a61410a7db2b51c15b322b8
Instruction ID: c49511ba5b17f2b2029c8d3330a0f0c3a68abf14a62f8eeee5726756ff6c19e3
Opcode Fuzzy Hash: 86aa9fce264019b0dd416fb401a77ee8f8d23ba72a61410a7db2b51c15b322b8
Instruction Fuzzy Hash: EEF0E5B07043282AEB6017A69C4DFEB3AAFEFC5771F000265F509D2291D9709A44C6B4

Function 0068B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0068B25D
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 0068B270

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: dd5f9a2530fae51ddfcea1fe1ebbae8ba9bc193eaaccd13598f3851696a8b5ff
Instruction ID: 76d1ace552980b9fc71662ce7631fecb8519b04ef24325056d8580dc63c71672
Opcode Fuzzy Hash: dd5f9a2530fae51ddfcea1fe1ebbae8ba9bc193eaaccd13598f3851696a8b5ff
Instruction Fuzzy Hash: A8F06D7180424DABDB059FA0C805BFE7BB1FF04315F009119F951A5191C37982119F94

Function 006810BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006811FC), ref: 006810D4
CloseHandle.KERNEL32(?,?,006811FC), ref: 006810E9

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: fbcbafe706ad0a80bbc4fbb62b25d162cceaed8b2048c9b807aaf6784d62997d
Instruction ID: 2a993c08a14538f39f790a7219bcb1a7c5e26620929084869ed556eb297187a7
Opcode Fuzzy Hash: fbcbafe706ad0a80bbc4fbb62b25d162cceaed8b2048c9b807aaf6784d62997d
Instruction Fuzzy Hash: 9BE04F72408600AFE7652B11FC09E7377EAEF04320F10892DF4A5804B1DB626CD0DB54

Function 0065676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00656766,?,?,00000008,?,?,0065FEFE,00000000), ref: 00656998

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 4407177f9d697be13effcda8430f3f52b2b112bd657e1156ccd0ad0604cbcc86
Instruction ID: 81a82bfade6873fc6097fc38b40a6c7c92f3bd0ff651930f4aaf1e3b557974d2
Opcode Fuzzy Hash: 4407177f9d697be13effcda8430f3f52b2b112bd657e1156ccd0ad0604cbcc86
Instruction Fuzzy Hash: 5EB15B316106099FD715CF28C486BA47BE1FF05366F658658FC9ACF2A2C735D98ACB40

Function 0063B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0067851F

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f281425e46ece9a5295ef24163094234358a470a19b9abcb7986febc35c23277
Instruction ID: ec82335562e32ca4eed69ef1e0a17f7bf133aed7eacb93628b7d34b800fd924b
Opcode Fuzzy Hash: f281425e46ece9a5295ef24163094234358a470a19b9abcb7986febc35c23277
Instruction Fuzzy Hash: 3D125E71D002299FDB54CF58C8816EEB7F6FF48710F14819AE949EB256EB309E81CB94

Function 0069EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0069EABD

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 4d0425945f8c47ace4783ccc8b31531a4030f139a5eab5e690631cd2a419f2d9
Instruction ID: b75a9f4aa69a7ff940c240cc952e7a62b479fb8d49ea1db4b66493593f66fd94
Opcode Fuzzy Hash: 4d0425945f8c47ace4783ccc8b31531a4030f139a5eab5e690631cd2a419f2d9
Instruction Fuzzy Hash: B6E01A312102159FD710EF59E804E9AB7EEAF98770F04842AFC49DB761DA71A8418BA1

Function 006409D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,006403EE), ref: 006409DA

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 762d6d6d881f29dbbd5aff585b7c9afc18368507f6dca561bf68d6a2a371e40b
Instruction ID: 36c6d9bc3023b6c438fe88a1c3f68b67fd7007ddae55b583896d3bf1230b5eda
Opcode Fuzzy Hash: 762d6d6d881f29dbbd5aff585b7c9afc18368507f6dca561bf68d6a2a371e40b
Instruction Fuzzy Hash:

Function 0064781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0064798B

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 4f48e2ad4611384cae857fa7c1ccf449d54b60a65b5252ac740a2196fcb1e7b6
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: CE517A7160C7499FDB389578885E7FE678B9B12300F18092EE882D7382CB15DE46D35A

Function 00692046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&o, xrefs: 00692053

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID:
String ID: 0&o
API String ID: 0-3321480047
Opcode ID: 63efdab93bb7ca92dd92573fd1e2e389426a7676c3728c0787436e1d26fa4670
Instruction ID: 2853acf925498ad1419808ca324d6c846fceabcfc78dc05b1d92c7d0e9f7dcd6
Opcode Fuzzy Hash: 63efdab93bb7ca92dd92573fd1e2e389426a7676c3728c0787436e1d26fa4670
Instruction Fuzzy Hash: A121BB326615158BDB28CF79C82367E73EAB754310F15862EE4A7C37D1DE35A904CB84

Function 00656DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13212ea043f4fa30c957942e84a52446e49c4665c8ae1ebe828604beb052fa0f
Instruction ID: e08f0a000e1dbfc814947c8f61e0e2b23a981fb67dcbc96b935e879e32513cb2
Opcode Fuzzy Hash: 13212ea043f4fa30c957942e84a52446e49c4665c8ae1ebe828604beb052fa0f
Instruction Fuzzy Hash: 6132D221D29F424DD7239634DC22336A68AAFB73D6F15D737EC1AB5AA5EF29C4834100

Function 0063CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4726a5a588afb384193c1ba46bdbf314e54b6c2533e8ad23d375dcc943410304
Instruction ID: 1cff93074208de504a7bc0d15fe752d514c94220bf716109a63b547fa3ed9077
Opcode Fuzzy Hash: 4726a5a588afb384193c1ba46bdbf314e54b6c2533e8ad23d375dcc943410304
Instruction Fuzzy Hash: 2832D231A002558BDF28CA29C4D46FD77A3EB45334F28C56EE85EAB391D630DD82DB81

Function 00627920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95eef5c62f51cc3a2f4be44aa11f2df7f6a1031281ed93a91e7085e0092f1749
Instruction ID: 85e0618169937678e0f4e7f30853e14d16ee488bba9f52bc3bac6a34bebe787d
Opcode Fuzzy Hash: 95eef5c62f51cc3a2f4be44aa11f2df7f6a1031281ed93a91e7085e0092f1749
Instruction Fuzzy Hash: 9B22AE70A00A1A9FDF14CF64D882AEEB3B7FF44300F244569E816AB391EB35A955CF54

Function 006291C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86397e8fc99a4cfe3fdbe5ad42bfd7fae0dadbcc3fa55fbb2704a61f0f8ba9f2
Instruction ID: 7bb4531b1dd22b389ddb6166ab4e3f9b1b3b0b4e9cc498f18ef0bfcd5f40cdb0
Opcode Fuzzy Hash: 86397e8fc99a4cfe3fdbe5ad42bfd7fae0dadbcc3fa55fbb2704a61f0f8ba9f2
Instruction Fuzzy Hash: C902B6B5E00616EBDB04DF54D981AAEB7B2FF44304F108169E8169B391EB31AE11CFD5

Function 00647A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0022f59e485cd122f109b51d995b050de37949bb3d159ebfbf9985289d38b1d
Instruction ID: ce91a73da3ef5c5beab057c1c853e99f3ae205b161c6b315ebd1bf4fcd946018
Opcode Fuzzy Hash: e0022f59e485cd122f109b51d995b050de37949bb3d159ebfbf9985289d38b1d
Instruction Fuzzy Hash: 876179712087499AEF749E288D95BFE239BDF51704F10091EF982DB381DB11AE82C359

Function 00647CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fd53e963860b7de469f5e35e85e1ec2aeb8e5e25fc552e94ac2a749451d58a7
Instruction ID: 00bd1f204fb2201c629b26a547c5e4f9bfa226bf20122d1a27c84f47f5449d4f
Opcode Fuzzy Hash: 3fd53e963860b7de469f5e35e85e1ec2aeb8e5e25fc552e94ac2a749451d58a7
Instruction Fuzzy Hash: 56618A31A2C74966DF389A288C95BFF238BDF42704F100A5DE943DB381DB52ED428359

Function 006A2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 006A2B30
DeleteObject.GDI32(00000000), ref: 006A2B43
DestroyWindow.USER32 ref: 006A2B52
GetDesktopWindow.USER32 ref: 006A2B6D
GetWindowRect.USER32(00000000), ref: 006A2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 006A2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 006A2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A2CF8
GetClientRect.USER32(00000000,?), ref: 006A2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 006A2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A2D80
GlobalLock.KERNEL32(00000000), ref: 006A2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A2D98
GlobalUnlock.KERNEL32(00000000), ref: 006A2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A2DA8
GlobalFree.KERNEL32(00000000), ref: 006A2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,006BFC38,00000000), ref: 006A2DDB
GlobalFree.KERNEL32(00000000), ref: 006A2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 006A2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 006A2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A303F

Strings

static, xrefs: 006A2D3A, 006A2E91
DISPLAY, xrefs: 006A2EA2
AutoIt v3, xrefs: 006A2CF2
, xrefs: 006A2FC5

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 7f66352c3debd78452b99e9d6df8e9bfe2b5969e2ec2fff3309184850570cd36
Instruction ID: 690814145577f50a831c2edf0b44ed5ec45275f551825b0c3641abca8e273d86
Opcode Fuzzy Hash: 7f66352c3debd78452b99e9d6df8e9bfe2b5969e2ec2fff3309184850570cd36
Instruction Fuzzy Hash: ED025DB1500215EFDB14DF68CC89EAE7BBAEB49720F009158F915AB2A1DB709E41CF60

Function 006B70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 006B712F
GetSysColorBrush.USER32(0000000F), ref: 006B7160
GetSysColor.USER32(0000000F), ref: 006B716C
SetBkColor.GDI32(?,000000FF), ref: 006B7186
SelectObject.GDI32(?,?), ref: 006B7195
InflateRect.USER32(?,000000FF,000000FF), ref: 006B71C0
GetSysColor.USER32(00000010), ref: 006B71C8
CreateSolidBrush.GDI32(00000000), ref: 006B71CF
FrameRect.USER32(?,?,00000000), ref: 006B71DE
DeleteObject.GDI32(00000000), ref: 006B71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 006B7230
FillRect.USER32(?,?,?), ref: 006B7262
GetWindowLongW.USER32(?,000000F0), ref: 006B7284

Part of subcall function 006B73E8: GetSysColor.USER32(00000012), ref: 006B7421
Part of subcall function 006B73E8: SetTextColor.GDI32(?,?), ref: 006B7425
Part of subcall function 006B73E8: GetSysColorBrush.USER32(0000000F), ref: 006B743B
Part of subcall function 006B73E8: GetSysColor.USER32(0000000F), ref: 006B7446
Part of subcall function 006B73E8: GetSysColor.USER32(00000011), ref: 006B7463
Part of subcall function 006B73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 006B7471
Part of subcall function 006B73E8: SelectObject.GDI32(?,00000000), ref: 006B7482
Part of subcall function 006B73E8: SetBkColor.GDI32(?,00000000), ref: 006B748B
Part of subcall function 006B73E8: SelectObject.GDI32(?,?), ref: 006B7498
Part of subcall function 006B73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 006B74B7
Part of subcall function 006B73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006B74CE
Part of subcall function 006B73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 006B74DB

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 89c17e2ce376c2cc9f81418df6dbcf8ff9e81109619a5650b42ec10837349aed
Instruction ID: a7247a475b3306b0c8da65189aa455cda92763741d20c962e1914dff697b4867
Opcode Fuzzy Hash: 89c17e2ce376c2cc9f81418df6dbcf8ff9e81109619a5650b42ec10837349aed
Instruction Fuzzy Hash: FEA194B2008301BFD7109F64DC48E9B77AAFB89330F101B19F9A2961E1D771EA85CB61

Function 006A2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 006A273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 006A286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 006A28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 006A28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 006A2900
GetClientRect.USER32(00000000,?), ref: 006A290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 006A2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 006A2964
GetStockObject.GDI32(00000011), ref: 006A2974
SelectObject.GDI32(00000000,00000000), ref: 006A2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 006A2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006A2991
DeleteDC.GDI32(00000000), ref: 006A299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 006A29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 006A29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 006A2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 006A2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 006A2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 006A2A77
GetStockObject.GDI32(00000011), ref: 006A2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 006A2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 006A2A97

Strings

msctls_progress32, xrefs: 006A2A13
static, xrefs: 006A294F, 006A2A71
DISPLAY, xrefs: 006A295A
AutoIt v3, xrefs: 006A28F8

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: a069da6b4a38dfd99fb83a368796b4bba9bbf22b1ccbf4593688f8bad5825aea
Instruction ID: 30f11a62fe8778aedfa8567a978cbd90972162fcdb7b85cafccd5966631249b3
Opcode Fuzzy Hash: a069da6b4a38dfd99fb83a368796b4bba9bbf22b1ccbf4593688f8bad5825aea
Instruction Fuzzy Hash: 11B16DB1A40215AFEB14DF68DC49FAE7BAAEB49710F004219F915EB290D774ED40CFA4

Function 00694ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00694AED
GetDriveTypeW.KERNEL32(?,006BCB68,?,\\.\,006BCC08), ref: 00694BCA
SetErrorMode.KERNEL32(00000000,006BCB68,?,\\.\,006BCC08), ref: 00694D36

Strings

iSCSI, xrefs: 00694CC2
SSD, xrefs: 00694C4A
MMC, xrefs: 00694CDE
PhysicalDrive, xrefs: 00694B76
1394, xrefs: 00694C9F
ATA, xrefs: 00694C98
Network, xrefs: 00694C02
ATAPI, xrefs: 00694C91
SAS, xrefs: 00694CC9
Unknown, xrefs: 00694BED, 00694C83
Fixed, xrefs: 00694C09
Removable, xrefs: 00694C10, 00694C15
SCSI, xrefs: 00694C8A
CDROM, xrefs: 00694BFB
RAMDisk, xrefs: 00694BF4
SATA, xrefs: 00694CD0
FileBackedVirtual, xrefs: 00694CEC
Fibre, xrefs: 00694CAD
\\.\, xrefs: 00694B3F
RAID, xrefs: 00694CBB
Virtual, xrefs: 00694CE5
USB, xrefs: 00694CB4
SSA, xrefs: 00694CA6

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: eab95133d4ac4b36b765408a086d28467be96b04d4188e904040091303b08b1f
Instruction ID: 70acff01174cb90dc258e1bd7d0e047f743b510acbcc7e88d52295b9489953ac
Opcode Fuzzy Hash: eab95133d4ac4b36b765408a086d28467be96b04d4188e904040091303b08b1f
Instruction Fuzzy Hash: FE61D130606245DFCF04DF25CA81DAC77ABAF54384B244459F806ABA91DF35ED43EB51

Function 006B73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 006B7421
SetTextColor.GDI32(?,?), ref: 006B7425
GetSysColorBrush.USER32(0000000F), ref: 006B743B
GetSysColor.USER32(0000000F), ref: 006B7446
CreateSolidBrush.GDI32(?), ref: 006B744B
GetSysColor.USER32(00000011), ref: 006B7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 006B7471
SelectObject.GDI32(?,00000000), ref: 006B7482
SetBkColor.GDI32(?,00000000), ref: 006B748B
SelectObject.GDI32(?,?), ref: 006B7498
InflateRect.USER32(?,000000FF,000000FF), ref: 006B74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006B74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 006B74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006B752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 006B7554
InflateRect.USER32(?,000000FD,000000FD), ref: 006B7572
DrawFocusRect.USER32(?,?), ref: 006B757D
GetSysColor.USER32(00000011), ref: 006B758E
SetTextColor.GDI32(?,00000000), ref: 006B7596
DrawTextW.USER32(?,006B70F5,000000FF,?,00000000), ref: 006B75A8
SelectObject.GDI32(?,?), ref: 006B75BF
DeleteObject.GDI32(?), ref: 006B75CA
SelectObject.GDI32(?,?), ref: 006B75D0
DeleteObject.GDI32(?), ref: 006B75D5
SetTextColor.GDI32(?,?), ref: 006B75DB
SetBkColor.GDI32(?,?), ref: 006B75E5

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 6fda2709ca364fa3e5068bce33392281460020d144b911f4786279d190759457
Instruction ID: 254512e570c69c196606bad90003520d8dcb496c316d0b7a43578983381b0648
Opcode Fuzzy Hash: 6fda2709ca364fa3e5068bce33392281460020d144b911f4786279d190759457
Instruction Fuzzy Hash: 766165B2904118AFDF119FA8DC49EDE7FBAEB49330F115215F915BB2A1D7709A80CB90

Function 006B0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006B1128
GetDesktopWindow.USER32 ref: 006B113D
GetWindowRect.USER32(00000000), ref: 006B1144
GetWindowLongW.USER32(?,000000F0), ref: 006B1199
DestroyWindow.USER32(?), ref: 006B11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 006B11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006B120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 006B121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 006B1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 006B1245
IsWindowVisible.USER32(00000000), ref: 006B12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 006B12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 006B12D0
GetWindowRect.USER32(00000000,?), ref: 006B12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 006B130E
GetMonitorInfoW.USER32(00000000,?), ref: 006B1328
CopyRect.USER32(?,?), ref: 006B133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 006B13AA

Strings

tooltips_class32, xrefs: 006B11E6
(, xrefs: 006B131B
0, xrefs: 006B10D3

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 78f5b3d4d9edebd452f6324a4b71c0f488f47094089b6d16d9dfa34b8bdd2400
Instruction ID: e5d80bc7fd46a13640f2ae5668850e8531abe076f304c982fb4a2b9c4ff5e50e
Opcode Fuzzy Hash: 78f5b3d4d9edebd452f6324a4b71c0f488f47094089b6d16d9dfa34b8bdd2400
Instruction Fuzzy Hash: 83B1ADB1604351AFD700DF24C894BAABBE6FF85350F40891CF9999B261DB31E984CFA5

Function 006B0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006B02E5
_wcslen.LIBCMT ref: 006B031F
_wcslen.LIBCMT ref: 006B0389
_wcslen.LIBCMT ref: 006B03F1
_wcslen.LIBCMT ref: 006B0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 006B04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006B0504

Part of subcall function 0063F9F2: _wcslen.LIBCMT ref: 0063F9FD

Part of subcall function 0068223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00682258
Part of subcall function 0068223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0068228A

Strings

ISSELECTED, xrefs: 006B04DD
GETSUBITEMCOUNT, xrefs: 006B0384, 006B039F
SELECTCLEAR, xrefs: 006B052D
GETITEMCOUNT, xrefs: 006B0316, 006B0337
DESELECT, xrefs: 006B059C
VIEWCHANGE, xrefs: 006B0675
SELECT, xrefs: 006B0548
GETTEXT, xrefs: 006B03EC, 006B0407
SELECTALL, xrefs: 006B0515
GETSELECTEDCOUNT, xrefs: 006B0470, 006B048B
SELECTINVERT, xrefs: 006B057E
GETSELECTED, xrefs: 006B05E1
FINDITEM, xrefs: 006B0627

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 1b40382661f07421c6824d558985eaca258e4faf849f2d7b5b022d3d76d6df12
Instruction ID: 75c1026c7576322400ed57164ebdbf19026fa197b36c745ca4dc85c513ae0458
Opcode Fuzzy Hash: 1b40382661f07421c6824d558985eaca258e4faf849f2d7b5b022d3d76d6df12
Instruction Fuzzy Hash: 54E19B712083118FD754DF24C5509ABBBE7BF88714F144A5CF896AB3A1DB30ED868B81

Function 00638891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00638968
GetSystemMetrics.USER32(00000007), ref: 00638970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0063899B
GetSystemMetrics.USER32(00000008), ref: 006389A3
GetSystemMetrics.USER32(00000004), ref: 006389C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 006389E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 006389F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00638A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00638A3C
GetClientRect.USER32(00000000,000000FF), ref: 00638A5A
GetStockObject.GDI32(00000011), ref: 00638A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00638A81

Part of subcall function 0063912D: GetCursorPos.USER32(?), ref: 00639141
Part of subcall function 0063912D: ScreenToClient.USER32(00000000,?), ref: 0063915E
Part of subcall function 0063912D: GetAsyncKeyState.USER32(00000001), ref: 00639183
Part of subcall function 0063912D: GetAsyncKeyState.USER32(00000002), ref: 0063919D

SetTimer.USER32(00000000,00000000,00000028,006390FC), ref: 00638AA8

Strings

AutoIt v3 GUI, xrefs: 00638A20

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 37f13dabfa4a3552278e5b107727d41cb1bfca4d93fd5efd3a419b8e1f54f711
Instruction ID: e8ff3105e65b70ae8704e23f6bcabd067dec91392f026d0d5ee9a96b183f42f0
Opcode Fuzzy Hash: 37f13dabfa4a3552278e5b107727d41cb1bfca4d93fd5efd3a419b8e1f54f711
Instruction Fuzzy Hash: B1B17B71A00209EFDB14DFA8CC45BEE3BB6FB48354F104229FA15AB290DB70A941CF95

Function 00680D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00681114
Part of subcall function 006810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00680B9B,?,?,?), ref: 00681120
Part of subcall function 006810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00680B9B,?,?,?), ref: 0068112F
Part of subcall function 006810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00680B9B,?,?,?), ref: 00681136
Part of subcall function 006810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0068114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00680DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00680E29
GetLengthSid.ADVAPI32(?), ref: 00680E40
GetAce.ADVAPI32(?,00000000,?), ref: 00680E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00680E96
GetLengthSid.ADVAPI32(?), ref: 00680EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00680EB5
HeapAlloc.KERNEL32(00000000), ref: 00680EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00680EDD
CopySid.ADVAPI32(00000000), ref: 00680EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00680F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00680F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00680F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00680F6E
HeapFree.KERNEL32(00000000), ref: 00680F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00680F7E
HeapFree.KERNEL32(00000000), ref: 00680F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00680F8E
HeapFree.KERNEL32(00000000), ref: 00680F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00680FA1
HeapFree.KERNEL32(00000000), ref: 00680FA8

Part of subcall function 00681193: GetProcessHeap.KERNEL32(00000008,00680BB1,?,00000000,?,00680BB1,?), ref: 006811A1
Part of subcall function 00681193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00680BB1,?), ref: 006811A8
Part of subcall function 00681193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00680BB1,?), ref: 006811B7

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 9ea8b68c355b705079204a5b5b716d5fc4e8fa2e1d6e308c22bfebd8bb3846a4
Instruction ID: a50edf6a880dbeb01bba99de462a559478a4a90e08f86c6213e8bce88b3d61db
Opcode Fuzzy Hash: 9ea8b68c355b705079204a5b5b716d5fc4e8fa2e1d6e308c22bfebd8bb3846a4
Instruction Fuzzy Hash: 017173B1900209ABEF60AFA4DC44FEEBBBABF04310F148615F915F6251D7319A49CB60

Function 006AC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006AC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,006BCC08,00000000,?,00000000,?,?), ref: 006AC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 006AC5A4
_wcslen.LIBCMT ref: 006AC5F4
_wcslen.LIBCMT ref: 006AC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 006AC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 006AC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 006AC84D
RegCloseKey.ADVAPI32(?), ref: 006AC881
RegCloseKey.ADVAPI32(00000000), ref: 006AC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 006AC960

Strings

REG_SZ, xrefs: 006AC644
REG_DWORD, xrefs: 006AC804
REG_MULTI_SZ, xrefs: 006AC6F5
REG_EXPAND_SZ, xrefs: 006AC5CD
REG_BINARY, xrefs: 006AC913
REG_QWORD, xrefs: 006AC8C3

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 3c0771254a3b9db6015a4cd8f60dfde4daae6a7936c6c1142b81ae18f82df85a
Instruction ID: de1ad05d9a488a801e08ff80db9dd73665cff7b48368530d654cd93da409de90
Opcode Fuzzy Hash: 3c0771254a3b9db6015a4cd8f60dfde4daae6a7936c6c1142b81ae18f82df85a
Instruction Fuzzy Hash: A91257356046119FC754EF14D881A6AB7E6FF89724F04885CF88AAB3A2DB31ED41CF85

Function 006B091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006B09C6
_wcslen.LIBCMT ref: 006B0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006B0A54
_wcslen.LIBCMT ref: 006B0A8A
_wcslen.LIBCMT ref: 006B0B06
_wcslen.LIBCMT ref: 006B0B81

Part of subcall function 0063F9F2: _wcslen.LIBCMT ref: 0063F9FD

Part of subcall function 00682BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00682BFA

Strings

EXISTS, xrefs: 006B0B7C, 006B0B97
UNCHECK, xrefs: 006B0D3E
GETITEMCOUNT, xrefs: 006B0C1E
GETSELECTED, xrefs: 006B0C4E
ISCHECKED, xrefs: 006B0CE1
CHECK, xrefs: 006B0A85, 006B0AA0
COLLAPSE, xrefs: 006B0B01, 006B0B1C
GETTOTALCOUNT, xrefs: 006B09F2, 006B0A17
EXPAND, xrefs: 006B0BF8
SELECT, xrefs: 006B0D11
GETTEXT, xrefs: 006B0C97

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 0c1915aa185bff9f50109fdb96e62df10cc4bb68e9fe14ea43d180b1f8e20b45
Instruction ID: 8f497646fa0f298af2acf86358cf8bb0fb11548e9c65e6b5959ac6941228219a
Opcode Fuzzy Hash: 0c1915aa185bff9f50109fdb96e62df10cc4bb68e9fe14ea43d180b1f8e20b45
Instruction Fuzzy Hash: 67E1AE712087118FC754DF24C4509AABBE3BF98314F14495CF896AB3A2DB31ED86CB81

Function 006AC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,006AB6AE,?,?), ref: 006AC9B5
_wcslen.LIBCMT ref: 006AC9F1
_wcslen.LIBCMT ref: 006ACA68
_wcslen.LIBCMT ref: 006ACA9E
_wcslen.LIBCMT ref: 006ACAF9
_wcslen.LIBCMT ref: 006ACB2F
_wcslen.LIBCMT ref: 006ACB7F

Strings

HKCR, xrefs: 006ACB29, 006ACB2E
HKU, xrefs: 006ACBF0
HKCC, xrefs: 006ACBAC
HKEY_CURRENT_CONFIG, xrefs: 006ACB79, 006ACB7E
HKEY_USERS, xrefs: 006ACBDF
HKEY_CLASSES_ROOT, xrefs: 006ACAF3, 006ACAF8
HKCU, xrefs: 006ACBCE
HKEY_CURRENT_USER, xrefs: 006ACBBD
HKEY_LOCAL_MACHINE, xrefs: 006ACA62, 006ACA67
HKLM, xrefs: 006ACA98, 006ACA9D

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 11131465e63d993261d94627b6e57afbd837414fa236e889ff2f1a19fc4f5b17
Instruction ID: 2d372c4c951957975733a8ed63d6d0ae9a6bd6066d208fa518f0ad5c7542a054
Opcode Fuzzy Hash: 11131465e63d993261d94627b6e57afbd837414fa236e889ff2f1a19fc4f5b17
Instruction Fuzzy Hash: D471E53260056A8BCB20EF7DC9516FA3393AF62774F250528F8569B384EA31CD45DBA0

Function 006B833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006B835A
_wcslen.LIBCMT ref: 006B836E
_wcslen.LIBCMT ref: 006B8391
_wcslen.LIBCMT ref: 006B83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 006B83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,006B5BF2), ref: 006B844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006B8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 006B84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006B8501
FreeLibrary.KERNEL32(?), ref: 006B850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 006B851D
DestroyIcon.USER32(?,?,?,?,?,006B5BF2), ref: 006B852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 006B8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 006B8555

Strings

.exe, xrefs: 006B8388
.dll, xrefs: 006B83AB
.icl, xrefs: 006B8368

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 43689f5d5d808516ffcfbd9865bbe85a8f17cc0ed83b8ed82bec23d00d12a47d
Instruction ID: 0ca1de9b5b52997ab6ffa58827968695c9220d4932a78195568d0dc973af1326
Opcode Fuzzy Hash: 43689f5d5d808516ffcfbd9865bbe85a8f17cc0ed83b8ed82bec23d00d12a47d
Instruction Fuzzy Hash: 4061AFB2540615BEEB249F64CC42BFE77AEBB04721F104609F815E71D1DF74AA90DBA0

Function 00627778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#requireadmin, xrefs: 006277FF
Cannot parse #include, xrefs: 00665279
#ce, xrefs: 006278ED
', xrefs: 00665169
#comments-start, xrefs: 0062785F, 006278B1
", xrefs: 00665153
#OnAutoItStartRegister, xrefs: 00627817
#notrayicon, xrefs: 006277E7
Bad directive syntax error, xrefs: 0066519A
#pragma compile, xrefs: 006277D3
#include, xrefs: 00627847
Unterminated group of comments, xrefs: 0066528C
#comments-end, xrefs: 006278D9
#include-once, xrefs: 0062782F
#cs, xrefs: 00627873, 006278C5

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: dda34f6f7da7734bd761ee9e756bd6f0058220804975c4bf205889a317693b4a
Instruction ID: 46e62293cee4e72c6fda2549ef26c106db39c4c379f2c4a445232648d29c0fa8
Opcode Fuzzy Hash: dda34f6f7da7734bd761ee9e756bd6f0058220804975c4bf205889a317693b4a
Instruction Fuzzy Hash: 8381F971604A15BBDB20AF61DC43FEE776BAF56300F044028F905AB292EF70DA51CBA5

Function 00685A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00685A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00685A40
SetWindowTextW.USER32(?,?), ref: 00685A57
GetDlgItem.USER32(?,000003EA), ref: 00685A6C
SetWindowTextW.USER32(00000000,?), ref: 00685A72
GetDlgItem.USER32(?,000003E9), ref: 00685A82
SetWindowTextW.USER32(00000000,?), ref: 00685A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00685AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00685AC3
GetWindowRect.USER32(?,?), ref: 00685ACC
_wcslen.LIBCMT ref: 00685B33
SetWindowTextW.USER32(?,?), ref: 00685B6F
GetDesktopWindow.USER32 ref: 00685B75
GetWindowRect.USER32(00000000), ref: 00685B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00685BD3
GetClientRect.USER32(?,?), ref: 00685BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00685C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00685C2F

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 1da23294b6aa14db8726c310d253d908467b3aa13f0f07d4ee3c1afbd23d0697
Instruction ID: 73cf1eff6dfb6f9b88bc91d5d717cce3244c7c3e358cd5357b67311c2b74aa9a
Opcode Fuzzy Hash: 1da23294b6aa14db8726c310d253d908467b3aa13f0f07d4ee3c1afbd23d0697
Instruction Fuzzy Hash: 14718071900B05AFDB20EFA8CE95EAEBBF6FF48714F104618E143A66A0D775E944CB50

Function 006830F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0068318D
_wcslen.LIBCMT ref: 006831F8

Strings

INSTANCE, xrefs: 00683453
CLASS, xrefs: 00683188, 006831A5
TEXT, xrefs: 0068347C
CLASSNN, xrefs: 006831F3, 00683204
[n, xrefs: 0068339A
NAME, xrefs: 00683335, 00683346
REGEXPCLASS, xrefs: 00683255, 00683266

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[n
API String ID: 176396367-1244928801
Opcode ID: 5302dd44be6205196b127f2676cb41cfc3da9951577570d1bb54ac1faed22243
Instruction ID: 739aace205e48d7382f3d82fd086a01c8901b55eff5e30cf075f934cb0df0f23
Opcode Fuzzy Hash: 5302dd44be6205196b127f2676cb41cfc3da9951577570d1bb54ac1faed22243
Instruction Fuzzy Hash: 10E1A531A00636ABCB14AF68C4516EEBBB7BF54B10F548229E456B7340DF70AF858B90

Function 006400C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 006400C6

Part of subcall function 006400ED: InitializeCriticalSectionAndSpinCount.KERNEL32(006F070C,00000FA0,AFC626DD,?,?,?,?,006623B3,000000FF), ref: 0064011C
Part of subcall function 006400ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,006623B3,000000FF), ref: 00640127
Part of subcall function 006400ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,006623B3,000000FF), ref: 00640138
Part of subcall function 006400ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0064014E
Part of subcall function 006400ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0064015C
Part of subcall function 006400ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0064016A
Part of subcall function 006400ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00640195
Part of subcall function 006400ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006401A0

___scrt_fastfail.LIBCMT ref: 006400E7

Part of subcall function 006400A3: __onexit.LIBCMT ref: 006400A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00640122
SleepConditionVariableCS, xrefs: 00640154
InitializeConditionVariable, xrefs: 00640148
kernel32.dll, xrefs: 00640133
WakeAllConditionVariable, xrefs: 00640162

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 35925c92faec914b0f099b393b6ba172d0f1736c455f47770c125175cd2be5e1
Instruction ID: 9d3e9a863f8e1bf5bd75869273f2f3519d63a6d3a7a9eb187a20a778f0835e83
Opcode Fuzzy Hash: 35925c92faec914b0f099b393b6ba172d0f1736c455f47770c125175cd2be5e1
Instruction Fuzzy Hash: A1210B72A447206BF7106BA8AC45BA93397DF44F61F110239FA01A3392DB749C408F94

Function 006944C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,006BCC08), ref: 00694527
_wcslen.LIBCMT ref: 0069453B
_wcslen.LIBCMT ref: 00694599
_wcslen.LIBCMT ref: 006945F4
_wcslen.LIBCMT ref: 0069463F
_wcslen.LIBCMT ref: 006946A7

Part of subcall function 0063F9F2: _wcslen.LIBCMT ref: 0063F9FD

GetDriveTypeW.KERNEL32(?,006E6BF0,00000061), ref: 00694743

Strings

network, xrefs: 0069469D, 006946A2
removable, xrefs: 006945EA, 006945EF
all, xrefs: 00694531, 00694536
unknown, xrefs: 00694708
ramdisk, xrefs: 006946F1
fixed, xrefs: 00694635, 0069463A
cdrom, xrefs: 0069458F, 00694594

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: daa0ec9a8b3070e33e066183a24a9f285adcf20acf1f15b478c6f50e2cf33234
Instruction ID: 8cee983abead460e58e26bb66d790ac105aa81770c184fde95de1bec01a96564
Opcode Fuzzy Hash: daa0ec9a8b3070e33e066183a24a9f285adcf20acf1f15b478c6f50e2cf33234
Instruction Fuzzy Hash: F8B102716083129BCB10DF28C890EAAB7EBAFA5760F10491DF096C7791DF30D946CB92

Function 006B911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00639BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00639BB2

DragQueryPoint.SHELL32(?,?), ref: 006B9147

Part of subcall function 006B7674: ClientToScreen.USER32(?,?), ref: 006B769A
Part of subcall function 006B7674: GetWindowRect.USER32(?,?), ref: 006B7710
Part of subcall function 006B7674: PtInRect.USER32(?,?,006B8B89), ref: 006B7720

SendMessageW.USER32(?,000000B0,?,?), ref: 006B91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 006B91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 006B91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 006B9225
SendMessageW.USER32(?,000000B0,?,?), ref: 006B923E
SendMessageW.USER32(?,000000B1,?,?), ref: 006B9255
SendMessageW.USER32(?,000000B1,?,?), ref: 006B9277
DragFinish.SHELL32(?), ref: 006B927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 006B9371

Strings

@GUI_DRAGFILE, xrefs: 006B9320
@GUI_DRAGID, xrefs: 006B92E9
p#o, xrefs: 006B92BB
@GUI_DROPID, xrefs: 006B929E

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#o
API String ID: 221274066-2906935444
Opcode ID: bf89b95c0e24da12f48283765b8bbc4192699c0a79c97e5b717d8a06b27c4921
Instruction ID: 8d69d233da14931170c4b5ae76969005435250c90b037266b1722ec784ab05c4
Opcode Fuzzy Hash: bf89b95c0e24da12f48283765b8bbc4192699c0a79c97e5b717d8a06b27c4921
Instruction Fuzzy Hash: 75616CB1108301AFC701DF54DC85DAFBBEAEFC9750F000A2DF595921A1DB709A89CBA6

Function 006AAFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006AB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006AB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006AB1D4
_wcslen.LIBCMT ref: 006AB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006AB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006AB236
_wcslen.LIBCMT ref: 006AB332

Part of subcall function 006905A7: GetStdHandle.KERNEL32(000000F6), ref: 006905C6

_wcslen.LIBCMT ref: 006AB34B
_wcslen.LIBCMT ref: 006AB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006AB3B6
GetLastError.KERNEL32(00000000), ref: 006AB407
CloseHandle.KERNEL32(?), ref: 006AB439
CloseHandle.KERNEL32(00000000), ref: 006AB44A
CloseHandle.KERNEL32(00000000), ref: 006AB45C
CloseHandle.KERNEL32(00000000), ref: 006AB46E
CloseHandle.KERNEL32(?), ref: 006AB4E3

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 06ed1719819274a699c6d3afe87a9cee756493f92fc6dfabc13c28700d4e6436
Instruction ID: 21c0d3bcbe7a3f15e3f9f7f33d32e17e193b151f551073aec2632371fff44367
Opcode Fuzzy Hash: 06ed1719819274a699c6d3afe87a9cee756493f92fc6dfabc13c28700d4e6436
Instruction Fuzzy Hash: 01F19A316083109FCB54EF24D891B6EBBE6AF86310F14955DF8859B2A2CB31EC45CF96

Function 0062326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(006F1990), ref: 00662F8D
GetMenuItemCount.USER32(006F1990), ref: 0066303D
GetCursorPos.USER32(?), ref: 00663081
SetForegroundWindow.USER32(00000000), ref: 0066308A
TrackPopupMenuEx.USER32(006F1990,00000000,?,00000000,00000000,00000000), ref: 0066309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 006630A9

Strings

0, xrefs: 0062327D

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 2258eaf219582111724f1e1ed1fdb65e74ff29297b8ae7528335e5a5cca5d5a8
Instruction ID: 6fdd6e127fd0ad783b18ed29fb6b6478ede2328295c7ca56d57c6c9b6a3d251b
Opcode Fuzzy Hash: 2258eaf219582111724f1e1ed1fdb65e74ff29297b8ae7528335e5a5cca5d5a8
Instruction Fuzzy Hash: 10712971640626BEEB218F24DC59FEABF6BFF05324F204216F5146A2E0C7B1AE50CB50

Function 006B6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 006B6DEB

Part of subcall function 00626B57: _wcslen.LIBCMT ref: 00626B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 006B6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 006B6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006B6E94
DestroyWindow.USER32(?), ref: 006B6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00620000,00000000), ref: 006B6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006B6EFD
GetDesktopWindow.USER32 ref: 006B6F16
GetWindowRect.USER32(00000000), ref: 006B6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 006B6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 006B6F4D

Part of subcall function 00639944: GetWindowLongW.USER32(?,000000EB), ref: 00639952

Strings

tooltips_class32, xrefs: 006B6E58, 006B6EDD
0, xrefs: 006B6D98

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 32044d311ff82d1617e38e02e48853d59c549b8c3b42a9ad2c576128684d0d46
Instruction ID: 53c9684bc57978b476a35b3fde5602572a22ba97312003b6c7d98baa8e14b0a3
Opcode Fuzzy Hash: 32044d311ff82d1617e38e02e48853d59c549b8c3b42a9ad2c576128684d0d46
Instruction Fuzzy Hash: BD7166B1504244AFDB21CF28DC48EBABBEAFB89314F04451DFA8987261D774E986CB11

Function 0069C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0069C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0069C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0069C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0069C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0069C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0069C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0069C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0069C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0069C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0069C5F0
InternetCloseHandle.WININET(00000000), ref: 0069C5FB

Strings

, xrefs: 0069C575

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 0b399362cfb2c51a7b974fb1034eab8afa5105593d6a0b29d602f0b0109c3f3e
Instruction ID: 36397830de798ab34d77b71187370c1b4f4e591d28d7f4b4dd3aa84edf3fc2e1
Opcode Fuzzy Hash: 0b399362cfb2c51a7b974fb1034eab8afa5105593d6a0b29d602f0b0109c3f3e
Instruction Fuzzy Hash: BB514DB1500204BFDF218F65C948AAB7BFEFF48764F00452AF94596650DB34EA54DB60

Function 006B856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 006B8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006B85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006B85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006B85BA
GlobalLock.KERNEL32(00000000), ref: 006B85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006B85D7
GlobalUnlock.KERNEL32(00000000), ref: 006B85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006B85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006B85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,006BFC38,?), ref: 006B8611
GlobalFree.KERNEL32(00000000), ref: 006B8621
GetObjectW.GDI32(?,00000018,?), ref: 006B8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 006B8671
DeleteObject.GDI32(?), ref: 006B8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 006B86AF

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 6f568b22b6145aa72f9e0b7c2a279ecd1959fcaf89afa6dcd7520be25fcf518f
Instruction ID: f855cea588ccbc8ab098efcdddeb3de773478820e56c118936184bea275c1afb
Opcode Fuzzy Hash: 6f568b22b6145aa72f9e0b7c2a279ecd1959fcaf89afa6dcd7520be25fcf518f
Instruction Fuzzy Hash: 0E410AB5600205AFDB119FA5DC48EAB7BBEFF89721F104159F905E7260DB709E81CB60

Function 006914BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00691502
VariantCopy.OLEAUT32(?,?), ref: 0069150B
VariantClear.OLEAUT32(?), ref: 00691517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 006915FB
VarR8FromDec.OLEAUT32(?,?), ref: 00691657
VariantInit.OLEAUT32(?), ref: 00691708
SysFreeString.OLEAUT32(?), ref: 0069178C
VariantClear.OLEAUT32(?), ref: 006917D8
VariantClear.OLEAUT32(?), ref: 006917E7
VariantInit.OLEAUT32(00000000), ref: 00691823

Strings

Default, xrefs: 006916AF
%4d%02d%02d%02d%02d%02d, xrefs: 00691625

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 398989c2963b096925d96220497a8fcfeb54cda996c52a49f923bb0f320b897d
Instruction ID: 30b737ce4f4afea94569179a7149647176865dd4db12038f0d478d5b5e237596
Opcode Fuzzy Hash: 398989c2963b096925d96220497a8fcfeb54cda996c52a49f923bb0f320b897d
Instruction Fuzzy Hash: 99D1F4B1A00516DBDF009F65D845BB9B7BBBF46700F22805AF4469FA90DB30DD42DBA1

Function 006AB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00629CB3: _wcslen.LIBCMT ref: 00629CBD

Part of subcall function 006AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006AB6AE,?,?), ref: 006AC9B5
Part of subcall function 006AC998: _wcslen.LIBCMT ref: 006AC9F1
Part of subcall function 006AC998: _wcslen.LIBCMT ref: 006ACA68
Part of subcall function 006AC998: _wcslen.LIBCMT ref: 006ACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006AB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006AB772
RegDeleteValueW.ADVAPI32(?,?), ref: 006AB80A
RegCloseKey.ADVAPI32(?), ref: 006AB87E
RegCloseKey.ADVAPI32(?), ref: 006AB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 006AB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 006AB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 006AB922
FreeLibrary.KERNEL32(00000000), ref: 006AB983
RegCloseKey.ADVAPI32(00000000), ref: 006AB994

Strings

advapi32.dll, xrefs: 006AB8ED
RegDeleteKeyExW, xrefs: 006AB8FE

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: c1c11683459df36064a902e2e9d6e63f8f182ff121ea0ef450a00ff81f360387
Instruction ID: debf73aafb2c01c32cda66715ce04c57555a665ce6c8bc5f06ee988ed1ea26d8
Opcode Fuzzy Hash: c1c11683459df36064a902e2e9d6e63f8f182ff121ea0ef450a00ff81f360387
Instruction Fuzzy Hash: 62C16A30208601AFD714EF14C494B6ABBE6BF86318F14959CF49A4B3A2CB75ED46CF91

Function 006A255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 006A25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 006A25E8
CreateCompatibleDC.GDI32(?), ref: 006A25F4
SelectObject.GDI32(00000000,?), ref: 006A2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 006A266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 006A26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 006A26D0
SelectObject.GDI32(?,?), ref: 006A26D8
DeleteObject.GDI32(?), ref: 006A26E1
DeleteDC.GDI32(?), ref: 006A26E8
ReleaseDC.USER32(00000000,?), ref: 006A26F3

Strings

(, xrefs: 006A268D

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 334e7fddf11c4f9adf365480ec6cff6a1d84cb8045703a3ea6bf88cd7d19972b
Instruction ID: 74c62e1304d8fe2d0d0138da2a289f21a82d9710b7e06a245854defd2b6e3e9f
Opcode Fuzzy Hash: 334e7fddf11c4f9adf365480ec6cff6a1d84cb8045703a3ea6bf88cd7d19972b
Instruction Fuzzy Hash: 2261F3B5D00219EFCF04DFA8D894AAEBBB6FF48310F208529E555A7250D771AE41CF64

Function 0065DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0065DAA1

Part of subcall function 0065D63C: _free.LIBCMT ref: 0065D659
Part of subcall function 0065D63C: _free.LIBCMT ref: 0065D66B
Part of subcall function 0065D63C: _free.LIBCMT ref: 0065D67D
Part of subcall function 0065D63C: _free.LIBCMT ref: 0065D68F
Part of subcall function 0065D63C: _free.LIBCMT ref: 0065D6A1
Part of subcall function 0065D63C: _free.LIBCMT ref: 0065D6B3
Part of subcall function 0065D63C: _free.LIBCMT ref: 0065D6C5
Part of subcall function 0065D63C: _free.LIBCMT ref: 0065D6D7
Part of subcall function 0065D63C: _free.LIBCMT ref: 0065D6E9
Part of subcall function 0065D63C: _free.LIBCMT ref: 0065D6FB
Part of subcall function 0065D63C: _free.LIBCMT ref: 0065D70D
Part of subcall function 0065D63C: _free.LIBCMT ref: 0065D71F
Part of subcall function 0065D63C: _free.LIBCMT ref: 0065D731

_free.LIBCMT ref: 0065DA96

Part of subcall function 006529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0065D7D1,00000000,00000000,00000000,00000000,?,0065D7F8,00000000,00000007,00000000,?,0065DBF5,00000000), ref: 006529DE
Part of subcall function 006529C8: GetLastError.KERNEL32(00000000,?,0065D7D1,00000000,00000000,00000000,00000000,?,0065D7F8,00000000,00000007,00000000,?,0065DBF5,00000000,00000000), ref: 006529F0

_free.LIBCMT ref: 0065DAB8
_free.LIBCMT ref: 0065DACD
_free.LIBCMT ref: 0065DAD8
_free.LIBCMT ref: 0065DAFA
_free.LIBCMT ref: 0065DB0D
_free.LIBCMT ref: 0065DB1B
_free.LIBCMT ref: 0065DB26
_free.LIBCMT ref: 0065DB5E
_free.LIBCMT ref: 0065DB65
_free.LIBCMT ref: 0065DB82
_free.LIBCMT ref: 0065DB9A

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 56073c77d5e5dedc06c59640b27beab6d95e19a5d4c1439a692bbd2a20ab543e
Instruction ID: ae92d7381eb84cb270e965c79aac7470944bb455ff026549362c8bd25a7d0a70
Opcode Fuzzy Hash: 56073c77d5e5dedc06c59640b27beab6d95e19a5d4c1439a692bbd2a20ab543e
Instruction Fuzzy Hash: 6B3159716043069FEB71AA3AE845B9A77EBFF01712F11441DE848E7391DA31AC88CB24

Function 0068365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0068369C
_wcslen.LIBCMT ref: 006836A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00683797
GetClassNameW.USER32(?,?,00000400), ref: 0068380C
GetDlgCtrlID.USER32(?), ref: 0068385D
GetWindowRect.USER32(?,?), ref: 00683882
GetParent.USER32(?), ref: 006838A0
ScreenToClient.USER32(00000000), ref: 006838A7
GetClassNameW.USER32(?,?,00000100), ref: 00683921
GetWindowTextW.USER32(?,?,00000400), ref: 0068395D

Strings

%s%u, xrefs: 00683734

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 94f1e2863486db16bf541a47a403aec6a4bac4dec22969462e7f1a51f0737859
Instruction ID: 529f5bd510273d3170c63bdb521f3158d3e5f103233d490df9f390e6989ecdf3
Opcode Fuzzy Hash: 94f1e2863486db16bf541a47a403aec6a4bac4dec22969462e7f1a51f0737859
Instruction Fuzzy Hash: B491C471204626AFDB15EF24C885FEAF7AAFF44750F004719F999D2290EB30EA45CB91

Function 00684954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00684994
GetWindowTextW.USER32(?,?,00000400), ref: 006849DA
_wcslen.LIBCMT ref: 006849EB
CharUpperBuffW.USER32(?,00000000), ref: 006849F7
_wcsstr.LIBVCRUNTIME ref: 00684A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00684A64
GetWindowTextW.USER32(?,?,00000400), ref: 00684A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00684AE6
GetClassNameW.USER32(?,?,00000400), ref: 00684B20
GetWindowRect.USER32(?,?), ref: 00684B8B

Strings

ThumbnailClass, xrefs: 00684A6F, 00684AF1

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 4cb10e6e1224f82a1db241a7cd4e2275157c3ba5033e2d85318ea356a2cab4cb
Instruction ID: ea3b727da3084e353c8487eaf238b836644b9e2b9247801ad36f05c9f7ae7956
Opcode Fuzzy Hash: 4cb10e6e1224f82a1db241a7cd4e2275157c3ba5033e2d85318ea356a2cab4cb
Instruction Fuzzy Hash: DD91BF710042069FDB04EF14C985FAA77EAFF84314F04466AFD859A296EF30ED45CBA1

Function 006B8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00639BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00639BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006B8D5A
GetFocus.USER32 ref: 006B8D6A
GetDlgCtrlID.USER32(00000000), ref: 006B8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 006B8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 006B8ECF
GetMenuItemCount.USER32(?), ref: 006B8EEC
GetMenuItemID.USER32(?,00000000), ref: 006B8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 006B8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 006B8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006B8FA1

Strings

0, xrefs: 006B8E9F

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: fa63d7154ce22c9dc143d6df55fac92aa7c5c3e1e890a1ad34e1bf691dde27e1
Instruction ID: f11a0721f3614344b634a9557e34268b7d382a88b08a6d9cdbe789970f016f42
Opcode Fuzzy Hash: fa63d7154ce22c9dc143d6df55fac92aa7c5c3e1e890a1ad34e1bf691dde27e1
Instruction Fuzzy Hash: B2815CB1504301AFDB10CF14D884AEBBBEEFB88754F140A1DF99597291DB71D981CBA1

Function 0068DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0068DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0068DC46
_wcslen.LIBCMT ref: 0068DC50
_wcsstr.LIBVCRUNTIME ref: 0068DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0068DCBC

Strings

DefaultLangCodepage, xrefs: 0068DD1F
%u.%u.%u.%u, xrefs: 0068DD9A
\VarFileInfo\Translation, xrefs: 0068DCB4
StringFileInfo\, xrefs: 0068DC8F
04090000, xrefs: 0068DCF2

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: e9d02562988b6dc9bbe9958e84570b67bf3cf3e5cd847baf1d469da34e07e4a5
Instruction ID: 211935ba5339102b2a0025c1fc3613f7a221684147e4c4823bbcf16495f29b45
Opcode Fuzzy Hash: e9d02562988b6dc9bbe9958e84570b67bf3cf3e5cd847baf1d469da34e07e4a5
Instruction Fuzzy Hash: 1F41FF729402007ADB50B775DC07EFF77AEEF52760F10016EF900A6282EA709A0197B9

Function 006ACC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 006ACC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 006ACC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 006ACD48

Part of subcall function 006ACC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 006ACCAA
Part of subcall function 006ACC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 006ACCBD
Part of subcall function 006ACC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 006ACCCF
Part of subcall function 006ACC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 006ACD05
Part of subcall function 006ACC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 006ACD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 006ACCF3

Strings

advapi32.dll, xrefs: 006ACCB8
RegDeleteKeyExW, xrefs: 006ACCC9

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 42f92c21376d3302e297e2f79d1dead6834cb25ed00509801007de0142dba27b
Instruction ID: 2644086d41283e6757d26b2ea6e3dd72a2a5fafa0c5a997d5079c109d89776cf
Opcode Fuzzy Hash: 42f92c21376d3302e297e2f79d1dead6834cb25ed00509801007de0142dba27b
Instruction Fuzzy Hash: 663180B1901128BBD720AB55DC88EFFBB7EEF56760F000165B906E2241DB709F45DAB0

Function 00693D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00693D40
_wcslen.LIBCMT ref: 00693D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00693D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00693DBE
RemoveDirectoryW.KERNEL32(?), ref: 00693DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00693E55
CloseHandle.KERNEL32(00000000), ref: 00693E60
CloseHandle.KERNEL32(00000000), ref: 00693E6B

Strings

\, xrefs: 00693D77
\??\%s, xrefs: 00693D5B
:, xrefs: 00693D82

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 74c2916871dda9b8f500920ed9edb2bcf39da049874e64a36cd95e0bbd3e11a3
Instruction ID: 8607feb721aa4f7ff3284ee0b8b75fc740da57de7f3ba8e8bf4ab4012733a431
Opcode Fuzzy Hash: 74c2916871dda9b8f500920ed9edb2bcf39da049874e64a36cd95e0bbd3e11a3
Instruction Fuzzy Hash: 1A31C3B1904219ABDF209FA0DC59FEB37BEEF88710F1041B6F605D6260EB7097848B24

Function 0068E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0068E6B4

Part of subcall function 0063E551: timeGetTime.WINMM(?,?,0068E6D4), ref: 0063E555

Sleep.KERNEL32(0000000A), ref: 0068E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0068E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0068E727
SetActiveWindow.USER32 ref: 0068E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0068E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0068E773
Sleep.KERNEL32(000000FA), ref: 0068E77E
IsWindow.USER32 ref: 0068E78A
EndDialog.USER32(00000000), ref: 0068E79B

Strings

BUTTON, xrefs: 0068E719

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 420f106f39cb7fff87be904588385c140ad58510de7e727faa55d82f744e3cf6
Instruction ID: 81e2a78c1cdda7e873b598a82f39a2c45fef3177c74a30db3a4dba067e82853a
Opcode Fuzzy Hash: 420f106f39cb7fff87be904588385c140ad58510de7e727faa55d82f744e3cf6
Instruction Fuzzy Hash: 73218EB1240205AFEB106F20ECD9E363B6BF755B58F102625F501D22B1EBB2AD80DB24

Function 0068E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00629CB3: _wcslen.LIBCMT ref: 00629CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0068EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0068EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0068EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0068EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0068EAA7

Strings

play PlayMe wait, xrefs: 0068EA91
status PlayMe mode, xrefs: 0068EA58
open , xrefs: 0068EA0C
close PlayMe, xrefs: 0068EA6E, 0068EA9B
play PlayMe, xrefs: 0068EAA2
alias PlayMe, xrefs: 0068EA36

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 4b5820caff7bfeac57294386925ca985e027280d9ec4dba917b0686c61b21676
Instruction ID: 986582c301e7d31753c7b3dca592b0a72807c1a00753bad2b650d92a2bf917bd
Opcode Fuzzy Hash: 4b5820caff7bfeac57294386925ca985e027280d9ec4dba917b0686c61b21676
Instruction Fuzzy Hash: 6D115431A9126979D724F766DC4ADFF6A7EEBD1F40F010529B411A20D1EFB10A45CAB0

Function 00685CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00685CE2
GetWindowRect.USER32(00000000,?), ref: 00685CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00685D59
GetDlgItem.USER32(?,00000002), ref: 00685D69
GetWindowRect.USER32(00000000,?), ref: 00685D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00685DCF
GetDlgItem.USER32(?,000003E9), ref: 00685DDD
GetWindowRect.USER32(00000000,?), ref: 00685DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00685E31
GetDlgItem.USER32(?,000003EA), ref: 00685E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00685E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00685E67

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 3d2d768a096e1e33feb1907fe33c5fc8547d88fd245211c12188bbd89468eb52
Instruction ID: 0d044f93ca63a65af7c9717e28c76752a0ff5b00707ffc1ab0c249fdc03c3fe9
Opcode Fuzzy Hash: 3d2d768a096e1e33feb1907fe33c5fc8547d88fd245211c12188bbd89468eb52
Instruction Fuzzy Hash: BE5120B0A00615AFDF18DF68CD99AAE7BB6FF48310F108229F916E6290D7709E44CB50

Function 00638BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00638F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00638BE8,?,00000000,?,?,?,?,00638BBA,00000000,?), ref: 00638FC5

DestroyWindow.USER32(?), ref: 00638C81
KillTimer.USER32(00000000,?,?,?,?,00638BBA,00000000,?), ref: 00638D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00676973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00638BBA,00000000,?), ref: 006769A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00638BBA,00000000,?), ref: 006769B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00638BBA,00000000), ref: 006769D4
DeleteObject.GDI32(00000000), ref: 006769E6

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 23bdf84ef3521bc8e4f3de5ba0d2b379794a9ed7a089f3c3e48b6d050b85a11f
Instruction ID: 2b7359fdcc3a6f741169a4e8f8084e0586d7130aba28617c5415b491ee5b80e5
Opcode Fuzzy Hash: 23bdf84ef3521bc8e4f3de5ba0d2b379794a9ed7a089f3c3e48b6d050b85a11f
Instruction Fuzzy Hash: C3618A71502B01DFCB259F25CA48BA5B7F3FB51352F14A52DF0469B660CB71A981CBE0

Function 00639838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00639944: GetWindowLongW.USER32(?,000000EB), ref: 00639952

GetSysColor.USER32(0000000F), ref: 00639862

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: af9baa70db9b923493dbf43c43188b2654a71817be822bf1e9e4ca65cfd54153
Instruction ID: 2cf15e997d7b8e5d13c58711241852187c166e8e4f2de9509a7de8165c0588c4
Opcode Fuzzy Hash: af9baa70db9b923493dbf43c43188b2654a71817be822bf1e9e4ca65cfd54153
Instruction Fuzzy Hash: 6041BF71504640AFDB205F3C9C84BBA3BA7AB56330F144B05F9A29B2E1C7B19D82DF60

Function 00658D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.d, xrefs: 0065903A, 00658FD0, 00658FF2

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID:
String ID: .d
API String ID: 0-3816422287
Opcode ID: ae31b71ff728ab7744f1e96581deacef8830276df75dc943f7d645f6a09c0de0
Instruction ID: 9755540b8f9fe467559c097dab7d30e02f132491a7e560d591f3df6264041b2e
Opcode Fuzzy Hash: ae31b71ff728ab7744f1e96581deacef8830276df75dc943f7d645f6a09c0de0
Instruction Fuzzy Hash: DEC1CE74A04249EFDF11DFA8C845BEEBBB2AF09311F04419DEC15A7392C7709A4ACB65

Function 006896E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0066F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00689717
LoadStringW.USER32(00000000,?,0066F7F8,00000001), ref: 00689720

Part of subcall function 00629CB3: _wcslen.LIBCMT ref: 00629CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0066F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00689742
LoadStringW.USER32(00000000,?,0066F7F8,00000001), ref: 00689745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00689866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0068984A
Line %d (File "%s"):, xrefs: 0068978F
Error: , xrefs: 0068981D
Line %d:, xrefs: 006897A0
^ ERROR, xrefs: 006897FB

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: ad6505f659a7a6030b5805e4c9b6e4f60ff20578d4fbf29eff9e040dbd3ec6eb
Instruction ID: 3fb04f150f1315c8b1713a3926a7d78bd3d3927a8b7487c6cea6e0ecda0befd3
Opcode Fuzzy Hash: ad6505f659a7a6030b5805e4c9b6e4f60ff20578d4fbf29eff9e040dbd3ec6eb
Instruction Fuzzy Hash: 87415C72800629AACB44FBE0ED86DEEB77AAF54340F140529F20172192EB356F48CF75

Function 006806DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00626B57: _wcslen.LIBCMT ref: 00626B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 006807A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 006807BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 006807DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00680804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0068082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00680837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0068083C

Strings

SOFTWARE\Classes\, xrefs: 0068070E
\IPC$, xrefs: 00680784
\CLSID, xrefs: 00680724

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 5766447cb0268797c9351438aacae69b1b7c631acc9b88f35785e49fca4dbf24
Instruction ID: 4572a38484a953e218a53df719b7f440dcb1132aa0bd8367cf2f29640e159857
Opcode Fuzzy Hash: 5766447cb0268797c9351438aacae69b1b7c631acc9b88f35785e49fca4dbf24
Instruction Fuzzy Hash: 04411972C10629ABDF15EBA4DC958EDB77ABF04350F054629F901A32A1EB705E48CFA0

Function 006A3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006A3C5C
CoInitialize.OLE32(00000000), ref: 006A3C8A
CoUninitialize.OLE32 ref: 006A3C94
_wcslen.LIBCMT ref: 006A3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 006A3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 006A3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 006A3F0E
CoGetObject.OLE32(?,00000000,006BFB98,?), ref: 006A3F2D
SetErrorMode.KERNEL32(00000000), ref: 006A3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 006A3FC4
VariantClear.OLEAUT32(?), ref: 006A3FD8

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 3b55db36699f0eec6aeec6d73fc278443f9c3be56399ba4386ad19ed8a5c0f9f
Instruction ID: f6e1bbbc5064de4513312f44e9461c5c479ad13d62090666414372e4e31ae84d
Opcode Fuzzy Hash: 3b55db36699f0eec6aeec6d73fc278443f9c3be56399ba4386ad19ed8a5c0f9f
Instruction Fuzzy Hash: C6C115B16042119FD740EF68C88496BBBEAFF8A754F10491DF98A9B311DB30EE45CB52

Function 00697A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00697AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00697B8F
SHGetDesktopFolder.SHELL32(?), ref: 00697BA3
CoCreateInstance.OLE32(006BFD08,00000000,00000001,006E6E6C,?), ref: 00697BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00697C74
CoTaskMemFree.OLE32(?,?), ref: 00697CCC
SHBrowseForFolderW.SHELL32(?), ref: 00697D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00697D7A
CoTaskMemFree.OLE32(00000000), ref: 00697D81
CoTaskMemFree.OLE32(00000000), ref: 00697DD6
CoUninitialize.OLE32 ref: 00697DDC

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 2d974582f35a75ad08a2f72b6dfb6afc4fd8f168e13d4813ccdd4c50c861232b
Instruction ID: 9795e55b448fdaf1951884e7bdb6d6056150688d2debaa89aba375e9a5f9f20b
Opcode Fuzzy Hash: 2d974582f35a75ad08a2f72b6dfb6afc4fd8f168e13d4813ccdd4c50c861232b
Instruction Fuzzy Hash: 0BC13975A04119AFCB14DFA4C884DAEBBFAFF48314B148599E8199B761C730EE45CB90

Function 006B541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 006B5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006B5515
CharNextW.USER32(00000158), ref: 006B5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 006B5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 006B559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006B55AC

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 75122c53b3fd9a4730c72ad6a3bc437aa3c582ece4d0d97580fcd8a07fbe3e70
Instruction ID: 52e753db3cdb19f720cadce48df9f4782d2fb5f16734e4dcaa013856a3a17195
Opcode Fuzzy Hash: 75122c53b3fd9a4730c72ad6a3bc437aa3c582ece4d0d97580fcd8a07fbe3e70
Instruction Fuzzy Hash: B4618CB1900618EFDF209F54CC84EFE7BBAEB09761F104149F926AA291D7708AC1DB60

Function 0067FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0067FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0067FB08
VariantInit.OLEAUT32(?), ref: 0067FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0067FB3A
VariantCopy.OLEAUT32(?,?), ref: 0067FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0067FBA1
VariantClear.OLEAUT32(?), ref: 0067FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0067FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0067FBCC
VariantClear.OLEAUT32(?), ref: 0067FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0067FBE9

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 2c1ccca453ca90e86fbfdaa688af23c9048182c250acb8442bdf209babe4006a
Instruction ID: f5d5b5acc32cdb20532379d3aab0641c1e0ea00be1d072486354c07d030a0323
Opcode Fuzzy Hash: 2c1ccca453ca90e86fbfdaa688af23c9048182c250acb8442bdf209babe4006a
Instruction Fuzzy Hash: B4414175A00219DFCB00DF64D854DEEBBBAEF48754F008569E959A7261CB30AA45CFA0

Function 00689C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00689CA1
GetAsyncKeyState.USER32(000000A0), ref: 00689D22
GetKeyState.USER32(000000A0), ref: 00689D3D
GetAsyncKeyState.USER32(000000A1), ref: 00689D57
GetKeyState.USER32(000000A1), ref: 00689D6C
GetAsyncKeyState.USER32(00000011), ref: 00689D84
GetKeyState.USER32(00000011), ref: 00689D96
GetAsyncKeyState.USER32(00000012), ref: 00689DAE
GetKeyState.USER32(00000012), ref: 00689DC0
GetAsyncKeyState.USER32(0000005B), ref: 00689DD8
GetKeyState.USER32(0000005B), ref: 00689DEA

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 58de33e19d22f43df6002da802f6f7e8e7126914576bfaa5d017785daacc5f36
Instruction ID: 10125599ab7f8db4d8fac5f9528cfa08ca887eb08f36dc5ed5c67f1f3db4a5f4
Opcode Fuzzy Hash: 58de33e19d22f43df6002da802f6f7e8e7126914576bfaa5d017785daacc5f36
Instruction Fuzzy Hash: C541B874504BC96DFF31A660C8043F5BEA26F11344F0C825AD6C6567C2DBA59AC4C7B6

Function 006A055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 006A05BC
inet_addr.WSOCK32(?), ref: 006A061C
gethostbyname.WSOCK32(?), ref: 006A0628
IcmpCreateFile.IPHLPAPI ref: 006A0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 006A06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 006A06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 006A07B9
WSACleanup.WSOCK32 ref: 006A07BF

Strings

Ping, xrefs: 006A0676

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: dacd384e2829173a213d7a2e353654d5455aad0904cda4aa8c2c8bc023153f1f
Instruction ID: f1e8b4ca324f62d4f61f40a00b7c0714911b7cdccf05a9cc52e975aa3e7a7ace
Opcode Fuzzy Hash: dacd384e2829173a213d7a2e353654d5455aad0904cda4aa8c2c8bc023153f1f
Instruction Fuzzy Hash: F591AF755042019FE320EF15C588F5ABBE2AF4A318F1485A9F46A9B7A2C730FD85CF91

Function 006A8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 006A8CF3

Part of subcall function 00688E54: _wcslen.LIBCMT ref: 00688E77

_wcslen.LIBCMT ref: 006A8D4E
_wcslen.LIBCMT ref: 006A8D9C
_wcslen.LIBCMT ref: 006A8DDC
_wcslen.LIBCMT ref: 006A8E6E

Strings

stdcall, xrefs: 006A8DD6, 006A8DDB
cdecl, xrefs: 006A8D48, 006A8D4D
none, xrefs: 006A8E65, 006A8E6A
winapi, xrefs: 006A8D96, 006A8D9B

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: ffb166db3a8a70a9d4751ed0ad89f0d0961afabaaeb29c11552795247dcaa763
Instruction ID: 03dac29321e8902d9e4d77ad00f045517e3668573ec15ad44c30d7c41cddc48e
Opcode Fuzzy Hash: ffb166db3a8a70a9d4751ed0ad89f0d0961afabaaeb29c11552795247dcaa763
Instruction Fuzzy Hash: 9D518F31A005269FCB14FF68C9519FEB7A7BF66724B204229E426A7385DF30DD41CB90

Function 006A372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 006A3774
CoUninitialize.OLE32 ref: 006A377F
CoCreateInstance.OLE32(?,00000000,00000017,006BFB78,?), ref: 006A37D9
IIDFromString.OLE32(?,?), ref: 006A384C
VariantInit.OLEAUT32(?), ref: 006A38E4
VariantClear.OLEAUT32(?), ref: 006A3936

Strings

NULL Pointer assignment, xrefs: 006A381E
Invalid parameter, xrefs: 006A3865
Failed to create object, xrefs: 006A37E4, 006A389A

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: e6ccc7c496e3a62c15c1ac21634450656500cdbb1926a68f1228cc36bf7d08a7
Instruction ID: 950caa6d573806cf4def12d1af7136e7bf046adcd996ed7bc22551298a564488
Opcode Fuzzy Hash: e6ccc7c496e3a62c15c1ac21634450656500cdbb1926a68f1228cc36bf7d08a7
Instruction Fuzzy Hash: 24619FB0608321AFD310EF54D848B9ABBE6AF46710F10091DF5859B391D774EE49CF96

Function 006B8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00639BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00639BB2

Part of subcall function 0063912D: GetCursorPos.USER32(?), ref: 00639141
Part of subcall function 0063912D: ScreenToClient.USER32(00000000,?), ref: 0063915E
Part of subcall function 0063912D: GetAsyncKeyState.USER32(00000001), ref: 00639183
Part of subcall function 0063912D: GetAsyncKeyState.USER32(00000002), ref: 0063919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 006B8B6B
ImageList_EndDrag.COMCTL32 ref: 006B8B71
ReleaseCapture.USER32 ref: 006B8B77
SetWindowTextW.USER32(?,00000000), ref: 006B8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 006B8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 006B8CFF

Strings

@GUI_DRAGFILE, xrefs: 006B8C9A
p#o, xrefs: 006B8C71
@GUI_DROPID, xrefs: 006B8C51

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#o
API String ID: 1924731296-2710196452
Opcode ID: 3c183c7a53afcac68bf8aab47bdc4351c0ef41613fed3952d701886db2c937d9
Instruction ID: 891c50311f7cc13f1590834492e259c7312dfd6b9353a5b74e27944ccd214696
Opcode Fuzzy Hash: 3c183c7a53afcac68bf8aab47bdc4351c0ef41613fed3952d701886db2c937d9
Instruction Fuzzy Hash: 3951AFB1204304AFD704DF14DC56FAA7BE6FB89750F00062DF952972E1DB71A944CBA6

Function 00693388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 006933CF

Part of subcall function 00629CB3: _wcslen.LIBCMT ref: 00629CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 006933F0

Strings

^ ERROR , xrefs: 0069349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00693504
Line %d (File "%s"):, xrefs: 00693443, 0069345C
"%s" (%d) : ==> %s:, xrefs: 00693522
Error: , xrefs: 006934D1
Incorrect parameters to object property !, xrefs: 006934AB

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: c4654700a0e78b73fd1c0232d9bcc08a92fe315315c072cda4f7c006f4a3dd83
Instruction ID: ee8533b387fa4a010b80367729cca7e353a424656aef4aeb33961f3868a1124b
Opcode Fuzzy Hash: c4654700a0e78b73fd1c0232d9bcc08a92fe315315c072cda4f7c006f4a3dd83
Instruction Fuzzy Hash: 4851BF72D00629AACF54EBA0DD42EEEB37AAF14380F144569F00572291EB352F58CF64

Function 0068B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0068B5FC
_wcslen.LIBCMT ref: 0068B608
_wcslen.LIBCMT ref: 0068B64D
_wcslen.LIBCMT ref: 0068B68C
_wcslen.LIBCMT ref: 0068B6C7

Strings

EXISTS, xrefs: 0068B686, 0068B68B
APPEND, xrefs: 0068B6C1, 0068B6C6
REMOVE, xrefs: 0068B602, 0068B607
KEYS, xrefs: 0068B647, 0068B64C

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 3ae6a74fcd0864c49c46851d2c3444efb6412a106e82fe90e097808d6fb1439c
Instruction ID: f5d993d40e5b54764d4e478fc1f62eac9503b6663c94d2b3ebae053afe7b8d4e
Opcode Fuzzy Hash: 3ae6a74fcd0864c49c46851d2c3444efb6412a106e82fe90e097808d6fb1439c
Instruction Fuzzy Hash: 85419532A011269ACB207E7DC8915FE7BA7AF61794B256329E461D7384F731CDC2C790

Function 00695393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006953A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00695416
GetLastError.KERNEL32 ref: 00695420
SetErrorMode.KERNEL32(00000000,READY), ref: 006954A7

Strings

NOTREADY, xrefs: 0069544B
READY, xrefs: 00695460, 00695468
UNKNOWN, xrefs: 00695444
READONLY, xrefs: 00695452
INVALID, xrefs: 00695459

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 014f408c0d3f99e38106753b52b0d4b5b9b0860e58ead1eb94148abff2db85ae
Instruction ID: bf64742b9875103fb6635600c19c4c788a9530c6b8cf70077ee73ff2a5b2ee33
Opcode Fuzzy Hash: 014f408c0d3f99e38106753b52b0d4b5b9b0860e58ead1eb94148abff2db85ae
Instruction Fuzzy Hash: 5131C375A006059FCB52DF68C884AEABBFAEF44705F148069F406DB792DB30DD86CB90

Function 006B3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 006B3C79
SetMenu.USER32(?,00000000), ref: 006B3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006B3D10
IsMenu.USER32(?), ref: 006B3D24
CreatePopupMenu.USER32 ref: 006B3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006B3D5B
DrawMenuBar.USER32 ref: 006B3D63

Strings

0, xrefs: 006B3C54
F, xrefs: 006B3D4E

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 515a3e4c6c1a75268f0f1a59902e7a7da73d5b57cba7ead6ca67e57c9bc30db0
Instruction ID: a3ef4d31fc0551bef0d125d594fa4e72e6b79ddd8bbe5ed2e145489e6fdb1b44
Opcode Fuzzy Hash: 515a3e4c6c1a75268f0f1a59902e7a7da73d5b57cba7ead6ca67e57c9bc30db0
Instruction Fuzzy Hash: 77417AB9B01219EFDB24CFA4D844AEA7BB6FF49350F140129F946A7360D770AA50CF94

Function 006B3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 006B3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 006B3AA0
GetWindowLongW.USER32(?,000000F0), ref: 006B3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006B3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 006B3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 006B3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 006B3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 006B3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 006B3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 006B3C13

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: b920bc5aa5fe02762f6f329b5ee5d7979e1f08264acc9c690f01708d8edede23
Instruction ID: 6b32e2073e1380313d7cd25770a2c32793299434ab1eddf944e5bb4e717fd489
Opcode Fuzzy Hash: b920bc5aa5fe02762f6f329b5ee5d7979e1f08264acc9c690f01708d8edede23
Instruction Fuzzy Hash: 69618CB5A00258AFDB10DFA8CC81EEE77B9EB09700F100199FA15AB391D770AE85DB50

Function 00652C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00652C94

Part of subcall function 006529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0065D7D1,00000000,00000000,00000000,00000000,?,0065D7F8,00000000,00000007,00000000,?,0065DBF5,00000000), ref: 006529DE
Part of subcall function 006529C8: GetLastError.KERNEL32(00000000,?,0065D7D1,00000000,00000000,00000000,00000000,?,0065D7F8,00000000,00000007,00000000,?,0065DBF5,00000000,00000000), ref: 006529F0

_free.LIBCMT ref: 00652CA0
_free.LIBCMT ref: 00652CAB
_free.LIBCMT ref: 00652CB6
_free.LIBCMT ref: 00652CC1
_free.LIBCMT ref: 00652CCC
_free.LIBCMT ref: 00652CD7
_free.LIBCMT ref: 00652CE2
_free.LIBCMT ref: 00652CED
_free.LIBCMT ref: 00652CFB

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 664c55bfebd1286bb85ffbbd4171cae00091c0cc47affaf4d512de1cea895737
Instruction ID: da4709ff3d57f353b205b96a2bed5e40bdbd225e44b8b799567e18b0cce142ce
Opcode Fuzzy Hash: 664c55bfebd1286bb85ffbbd4171cae00091c0cc47affaf4d512de1cea895737
Instruction Fuzzy Hash: 9F11D476100109AFCB82EF55D892CDD3BA6FF06751F4144A8FE48AF322DA31EE549B94

Function 00621410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00621459
OleUninitialize.OLE32(?,00000000), ref: 006214F8
UnregisterHotKey.USER32(?), ref: 006216DD
DestroyWindow.USER32(?), ref: 006624B9
FreeLibrary.KERNEL32(?), ref: 0066251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0066254B

Strings

close all, xrefs: 00621454

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 922e0fb4b07906d04b64dbc4fad6c40a4c56b76412c6f152e7470f2cb7c1ba95
Instruction ID: dbacda7fe6944e67474c6f660fcff92d557602a36d2008ff54433314cf27f526
Opcode Fuzzy Hash: 922e0fb4b07906d04b64dbc4fad6c40a4c56b76412c6f152e7470f2cb7c1ba95
Instruction Fuzzy Hash: 87D1AF71705A22CFDB29EF14D4A5A68F7A2BF15710F1442ADE44AAB351CB30ED12CF94

Function 00625BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00625C7A

Part of subcall function 00625D0A: GetClientRect.USER32(?,?), ref: 00625D30
Part of subcall function 00625D0A: GetWindowRect.USER32(?,?), ref: 00625D71
Part of subcall function 00625D0A: ScreenToClient.USER32(?,?), ref: 00625D99

GetDC.USER32 ref: 006646F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00664708
SelectObject.GDI32(00000000,00000000), ref: 00664716
SelectObject.GDI32(00000000,00000000), ref: 0066472B
ReleaseDC.USER32(?,00000000), ref: 00664733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 006647C4

Strings

U, xrefs: 00664693

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 4c4ea5ca639cf13d2962b33766cf5d2c8a0fddbdcff0c783e1beb4d10d8d618b
Instruction ID: a574f5c60f048f3e99b451f410933b8130d2dd21806182b9beb8c2150b156d06
Opcode Fuzzy Hash: 4c4ea5ca639cf13d2962b33766cf5d2c8a0fddbdcff0c783e1beb4d10d8d618b
Instruction Fuzzy Hash: 0471DF31500605DFCF218F64C984AFA7BB7FF4A360F144269ED569A2A6DB319882DF60

Function 0069359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 006935E4

Part of subcall function 00629CB3: _wcslen.LIBCMT ref: 00629CBD

LoadStringW.USER32(006F2390,?,00000FFF,?), ref: 0069360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00693724
Line %d (File "%s"):, xrefs: 0069366B
"%s" (%d) : ==> %s:, xrefs: 00693742
Error: , xrefs: 006936EF
^ ERROR, xrefs: 006936C9

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 64056f6e9c0c00067a61d4aa1a77a6833e3d709d333ae01d682ee38339f4d096
Instruction ID: d979c3a49e8677df404a440dd732163f59d0b9488e417b077a07aaea360d0ed8
Opcode Fuzzy Hash: 64056f6e9c0c00067a61d4aa1a77a6833e3d709d333ae01d682ee38339f4d096
Instruction Fuzzy Hash: 8D517072C00669ABCF54EBE0DC42EEDBB7AAF14340F144129F10576291DB315B99DF68

Function 0069C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0069C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0069C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0069C2CA
GetLastError.KERNEL32 ref: 0069C322
SetEvent.KERNEL32(?), ref: 0069C336
InternetCloseHandle.WININET(00000000), ref: 0069C341

Strings

, xrefs: 0069C2BB

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 47e2d9a8709f06eadca5c68abc7eb5744c6321fd34631b58c4ba653b04d5d0b3
Instruction ID: 073356df1c2cd965dcdcd7044095df34c420dcb94856fa0b6959dbead9193add
Opcode Fuzzy Hash: 47e2d9a8709f06eadca5c68abc7eb5744c6321fd34631b58c4ba653b04d5d0b3
Instruction Fuzzy Hash: 17318FB1600208AFDB219F64CC88AAB7BFEEF49764F10852EF446D3601DB30DE459B61

Function 0068989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00663AAF,?,?,Bad directive syntax error,006BCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 006898BC
LoadStringW.USER32(00000000,?,00663AAF,?), ref: 006898C3

Part of subcall function 00629CB3: _wcslen.LIBCMT ref: 00629CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00689987

Strings

Error: , xrefs: 00689955
%s (%d) : ==> %s.: %s %s, xrefs: 006898F1
., xrefs: 0068996D
Line %d (File "%s"):, xrefs: 0068992D
Line %d:, xrefs: 00689912

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 6f63a76934e7e7a0faa0dc1a54e5281a8fa97b7af5059a7ccaa7e2d62a3b4b9b
Instruction ID: f1d86223bd2b0c6b153566a624c2000d9d9ffbb0f4bd0024383e90067fa4dae7
Opcode Fuzzy Hash: 6f63a76934e7e7a0faa0dc1a54e5281a8fa97b7af5059a7ccaa7e2d62a3b4b9b
Instruction Fuzzy Hash: 90219C31C0026AABCF15EF90DC06EEE7777BF28340F084829F515660A2EB759A58CF64

Function 0068209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 006820AB
GetClassNameW.USER32(00000000,?,00000100), ref: 006820C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0068214D

Strings

list, xrefs: 0068212F
largeicons, xrefs: 006820E1
SHELLDLL_DefView, xrefs: 006820CC
details, xrefs: 006820FB
smallicons, xrefs: 00682115

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: ce3858b9162ec69e3a56274faf3364f11391df503a89bf18e4240a12162e1025
Instruction ID: cf6f1ef70f4d24e5ea6e63a48b6d1377c6ba8980485e5a878dc9211103a8af85
Opcode Fuzzy Hash: ce3858b9162ec69e3a56274faf3364f11391df503a89bf18e4240a12162e1025
Instruction Fuzzy Hash: 3A1159B6688707BAF7113221DC2FDE7339FDB05328B30021AFB45A41D2FEA168825718

Function 0065CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0065CEB7
_free.LIBCMT ref: 0065CF22
_free.LIBCMT ref: 0065CF48
_free.LIBCMT ref: 0065CF71
_free.LIBCMT ref: 0065CFA9
_free.LIBCMT ref: 0065CFDA
_free.LIBCMT ref: 0065D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0065D09C
_free.LIBCMT ref: 0065D0B5

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: c55f8c1160da25cefe85b4de3f6a8e9d312df2572b004a1ae52114709bfeb350
Instruction ID: 7d3fa9c80da302a3594e84d29a1ebc6887a07eb2fd4f808debab4e17048967e1
Opcode Fuzzy Hash: c55f8c1160da25cefe85b4de3f6a8e9d312df2572b004a1ae52114709bfeb350
Instruction Fuzzy Hash: 606116B1908301AFDB21AFB4DC91ABE7BA7AF05722F04416DFD44A7382D6319D09C794

Function 006B50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 006B5186
ShowWindow.USER32(?,00000000), ref: 006B51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 006B51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 006B51D1

Part of subcall function 006B6FBA: DeleteObject.GDI32(00000000), ref: 006B6FE6

GetWindowLongW.USER32(?,000000F0), ref: 006B520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 006B521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 006B524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 006B5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 006B5296

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: bfbed70edcafba1eddb709f80dd9c9c547c78ee89c7b02f5d2bfb6469b6ff766
Instruction ID: eb0351fd767dbdebb0c9190cce36ac002a3cc5d0e026456d61d41f4346af25be
Opcode Fuzzy Hash: bfbed70edcafba1eddb709f80dd9c9c547c78ee89c7b02f5d2bfb6469b6ff766
Instruction Fuzzy Hash: 2B51C3B0A52A08BFEF249F28DC46BD83B67EB05321F144116F616963E1C7B5AAC0DB50

Function 00638B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00676890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 006768A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 006768B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 006768D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 006768F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00638874,00000000,00000000,00000000,000000FF,00000000), ref: 00676901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0067691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00638874,00000000,00000000,00000000,000000FF,00000000), ref: 0067692D

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 243105fdfe9985a6f8a883873ce86ba7a0d111456bcd5a75074e4b726da09869
Instruction ID: c3b3c28a7d07e12ad7cdf06ed9234380e8b3fd3d7e44c0dc8c3589689e1ba070
Opcode Fuzzy Hash: 243105fdfe9985a6f8a883873ce86ba7a0d111456bcd5a75074e4b726da09869
Instruction Fuzzy Hash: 1E515CB0600706EFDB20CF24CC55FAA7BB7EB58760F104518F956972A0DB71EA91DB90

Function 0069C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0069C182
GetLastError.KERNEL32 ref: 0069C195
SetEvent.KERNEL32(?), ref: 0069C1A9

Part of subcall function 0069C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0069C272
Part of subcall function 0069C253: GetLastError.KERNEL32 ref: 0069C322
Part of subcall function 0069C253: SetEvent.KERNEL32(?), ref: 0069C336
Part of subcall function 0069C253: InternetCloseHandle.WININET(00000000), ref: 0069C341

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 8dc5752a611284ae89136318f8a31fed8b70e5577d88efe378edba8993945019
Instruction ID: 1882ae4e3951f478f83fcc782570bdb70e4f0761e626f9b9b1c03e5bec6bcbf6
Opcode Fuzzy Hash: 8dc5752a611284ae89136318f8a31fed8b70e5577d88efe378edba8993945019
Instruction Fuzzy Hash: 8A319EB1200701AFDF219FA5DC44AA6BBFEFF58320B10452DF95683A10DB30EA55DBA0

Function 006825A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00683A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00683A57
Part of subcall function 00683A3D: GetCurrentThreadId.KERNEL32 ref: 00683A5E
Part of subcall function 00683A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006825B3), ref: 00683A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 006825BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 006825DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 006825DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 006825E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00682601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00682605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0068260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00682623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00682627

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: b4a53d2f39e481e7b5d220f88ef01bb2711d3715288756d0920cc32bd5970d01
Instruction ID: 65b4a40ff35d39a05e8f1b6d11ffdbf260cb7b3c2420aab7df02db3a0e1c1338
Opcode Fuzzy Hash: b4a53d2f39e481e7b5d220f88ef01bb2711d3715288756d0920cc32bd5970d01
Instruction Fuzzy Hash: 0401D870390210BBFB107768DC8AF593F5ADB4EB21F101106F354AE1D1C9F115849A69

Function 00681803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00681449,?,?,00000000), ref: 0068180C
HeapAlloc.KERNEL32(00000000,?,00681449,?,?,00000000), ref: 00681813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00681449,?,?,00000000), ref: 00681828
GetCurrentProcess.KERNEL32(?,00000000,?,00681449,?,?,00000000), ref: 00681830
DuplicateHandle.KERNEL32(00000000,?,00681449,?,?,00000000), ref: 00681833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00681449,?,?,00000000), ref: 00681843
GetCurrentProcess.KERNEL32(00681449,00000000,?,00681449,?,?,00000000), ref: 0068184B
DuplicateHandle.KERNEL32(00000000,?,00681449,?,?,00000000), ref: 0068184E
CreateThread.KERNEL32(00000000,00000000,00681874,00000000,00000000,00000000), ref: 00681868

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 9fd4b2ea4fc9bccffe54f1015ff59dc4e070f86d1a9957b40647b31aeebc1f4d
Instruction ID: 33b2b1b2ac3fb9dcf73e15b496253a75b88f9c8c8462db8d220e64b5c6565afa
Opcode Fuzzy Hash: 9fd4b2ea4fc9bccffe54f1015ff59dc4e070f86d1a9957b40647b31aeebc1f4d
Instruction Fuzzy Hash: B801BFF5240304BFE710AFA5DC4DF573BADEB89B11F415511FA05EB191C6709940CB20

Function 006AA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0068D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0068D501
Part of subcall function 0068D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0068D50F
Part of subcall function 0068D4DC: CloseHandle.KERNEL32(00000000), ref: 0068D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 006AA16D
GetLastError.KERNEL32 ref: 006AA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 006AA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 006AA268
GetLastError.KERNEL32(00000000), ref: 006AA273
CloseHandle.KERNEL32(00000000), ref: 006AA2C4

Strings

SeDebugPrivilege, xrefs: 006AA18F

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: cebcce5adf013d2ef36f75b706f64b0f07d41c2d24e2df3b077a9708a1531b71
Instruction ID: 293cfac64ba45399571c9598fdbefb928c8fd5a690f25d95a26fa62654800bac
Opcode Fuzzy Hash: cebcce5adf013d2ef36f75b706f64b0f07d41c2d24e2df3b077a9708a1531b71
Instruction Fuzzy Hash: 3D619F70204642AFD720EF58C494F5ABBE2AF45318F18849DE4564BBA3C772ED45CF92

Function 006B3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 006B3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 006B393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 006B3954
_wcslen.LIBCMT ref: 006B3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 006B39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 006B39F4

Strings

SysListView32, xrefs: 006B38F7

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: a553baff36878f54c89e4b3f715f341da70a3069a6be798060e12235d6530808
Instruction ID: 29b8053ab95bd7eca1b167bb00de4ad35772c163feed2c2961082d096939d422
Opcode Fuzzy Hash: a553baff36878f54c89e4b3f715f341da70a3069a6be798060e12235d6530808
Instruction Fuzzy Hash: 2B4176B1A00329ABDF219F64CC45FEA77AAEF18354F10052AF554E7391D7719AC0CB94

Function 0068BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0068BCFD
IsMenu.USER32(00000000), ref: 0068BD1D
CreatePopupMenu.USER32 ref: 0068BD53
GetMenuItemCount.USER32(01174D88), ref: 0068BDA4
InsertMenuItemW.USER32(01174D88,?,00000001,00000030), ref: 0068BDCC

Strings

2, xrefs: 0068BD37
0, xrefs: 0068BCA8

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 2231f20c611e18469081ed41707b669780f55adeaba16d8a9d0b2253932373c6
Instruction ID: 36e5e23ffeb79257f7786f490cc3340375f7141b9d03cdee566eb6ea1ecc7f49
Opcode Fuzzy Hash: 2231f20c611e18469081ed41707b669780f55adeaba16d8a9d0b2253932373c6
Instruction Fuzzy Hash: EC51AF70A00205EBDF20EFA8D884BEEBBF6AF45324F146319E451A7391D7709945CB61

Function 00642D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00642D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00642D53
_ValidateLocalCookies.LIBCMT ref: 00642DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00642E0C
_ValidateLocalCookies.LIBCMT ref: 00642E61

Strings

csm, xrefs: 00642DF6
&Hd, xrefs: 00642DFE, 00642E07, 00642E18

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Hd$csm
API String ID: 1170836740-649931742
Opcode ID: e8d72b14586cdb0f17565f6d78bd436951174011bd698f0f258061596362dd9d
Instruction ID: 7f85dbf8cb7fd27f3a571c5a200ae7c6e24a0673c01ed567b814828840823840
Opcode Fuzzy Hash: e8d72b14586cdb0f17565f6d78bd436951174011bd698f0f258061596362dd9d
Instruction Fuzzy Hash: 75419334E0021AEBCF10DF68C895ADEBBB7BF45324F648159F815AB392D7319A05CB90

Function 0068C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0068C913

Strings

question, xrefs: 0068C8CC
warning, xrefs: 0068C8FC
info, xrefs: 0068C8B4
blank, xrefs: 0068C895
stop, xrefs: 0068C8E4

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 321efdec9fa35dbc643e60bced989764466d7483bd12a0338924068834a39260
Instruction ID: dfd79723d03bebe9820f64b6f1443d1e981dbada485997f41b1cb4a7505334fc
Opcode Fuzzy Hash: 321efdec9fa35dbc643e60bced989764466d7483bd12a0338924068834a39260
Instruction Fuzzy Hash: C3113D31689706BAEF007B15DC83DEA279EDF15374B21016FF504A6382EBB45E415379

Function 0068ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0068ED2A
_wcslen.LIBCMT ref: 0068ED3B
_wcslen.LIBCMT ref: 0068ED79
_wcslen.LIBCMT ref: 0068EDAF
_wcslen.LIBCMT ref: 0068EDDF
_wcslen.LIBCMT ref: 0068EDEF
_wcslen.LIBCMT ref: 0068EE2B
_wcslen.LIBCMT ref: 0068EE5A

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 147ac999e5b2cd9af76a94c883d8e5a675f37ffa010a1c2c9dc7920e74d8986b
Instruction ID: bd0482aaee50859a2a6142ef292a4150a905002435d72c3517388f1d31961b6f
Opcode Fuzzy Hash: 147ac999e5b2cd9af76a94c883d8e5a675f37ffa010a1c2c9dc7920e74d8986b
Instruction Fuzzy Hash: 7C418F65C1021876CB51FBB4C88AACFB7AAAF45710F50856AF518E3121EB34E355C3EA

Function 0063F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0067682C,00000004,00000000,00000000), ref: 0063F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0067682C,00000004,00000000,00000000), ref: 0067F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0067682C,00000004,00000000,00000000), ref: 0067F454

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 6fc13b268514bdedbe45f75dc51556917d89f929455fb3e228c6e9a00d8feb5d
Instruction ID: d27c947d6b36d50e05189c27d0532258d1199c4bee4d553264e5d5d0a90a2703
Opcode Fuzzy Hash: 6fc13b268514bdedbe45f75dc51556917d89f929455fb3e228c6e9a00d8feb5d
Instruction Fuzzy Hash: ED411C31904640BFC7358B398888BBA7B97AB56334F14953CF04B567E1D672A981C7D1

Function 006B2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 006B2D1B
GetDC.USER32(00000000), ref: 006B2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006B2D2E
ReleaseDC.USER32(00000000,00000000), ref: 006B2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 006B2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 006B2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,006B5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 006B2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 006B2DE1

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: d8e25d6b3fc6bedba5c4672fa7f9f9f70660727992a057ef4e846e836994b709
Instruction ID: 100d7a58c9c8a3858126896d268f046ef17bcce1cb6fc1ca66fc1b1efa5e68be
Opcode Fuzzy Hash: d8e25d6b3fc6bedba5c4672fa7f9f9f70660727992a057ef4e846e836994b709
Instruction Fuzzy Hash: 7B319FB2201214BFEB214F54CC89FEB3BAEEF49721F044155FE089A291D6759D91C7B4

Function 00685622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00685637
_memcmp.LIBVCRUNTIME ref: 00685659
_memcmp.LIBVCRUNTIME ref: 00685671
_memcmp.LIBVCRUNTIME ref: 00685684
_memcmp.LIBVCRUNTIME ref: 0068569E
_memcmp.LIBVCRUNTIME ref: 006856B1
_memcmp.LIBVCRUNTIME ref: 006856C9
_memcmp.LIBVCRUNTIME ref: 006856E4

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 1cd1e03b97333d98c2cfd4465f70812949e567d09665d291889eccb336d3ec8d
Instruction ID: 5b2fef5481fdc34e9009cd21ed051a6a6624107eff303eb965d38ec97462215c
Opcode Fuzzy Hash: 1cd1e03b97333d98c2cfd4465f70812949e567d09665d291889eccb336d3ec8d
Instruction Fuzzy Hash: 2A21D7A1650A09B7D7157A208DA2FFB335FAF21384F444124FD069E691FB21EDD183A9

Function 006A4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 006A502E, 006A5383
Not an Object type, xrefs: 006A5007

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: b05431c7137101fe8f3746a83514e8cf9e92e5c841ac28339f2626f0f730dcd8
Instruction ID: c64567974b9b5b4386f54cf990e040d9fb14772f9f415ddd900ff837ce74445d
Opcode Fuzzy Hash: b05431c7137101fe8f3746a83514e8cf9e92e5c841ac28339f2626f0f730dcd8
Instruction Fuzzy Hash: 51D19F71A0060AAFDF10EF98C880BEEB7B6BF49354F148469E916AB281E771DD45CF50

Function 00661522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,006617FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 006615CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,006617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00661651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,006617FB,?,006617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006616E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,006617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006616FB

Part of subcall function 00653820: RtlAllocateHeap.NTDLL(00000000,?,006F1444,?,0063FDF5,?,?,0062A976,00000010,006F1440,006213FC,?,006213C6,?,00621129), ref: 00653852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,006617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00661777
__freea.LIBCMT ref: 006617A2
__freea.LIBCMT ref: 006617AE

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: d17f4c0f083a9264f061d80c53ed41ab775f1da5c3dfee75b071fadb2143729c
Instruction ID: 5b8dc8caf989c60b187ece10e8032dc939dee15d153d84c3135b719d578e5282
Opcode Fuzzy Hash: d17f4c0f083a9264f061d80c53ed41ab775f1da5c3dfee75b071fadb2143729c
Instruction Fuzzy Hash: 609192B1E002169BDB208E74CC91AEEBBB7AF4A710F1C4659E802EF251D735DD45CBA0

Function 006A4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006A4648
VariantInit.OLEAUT32(?), ref: 006A4749
VariantClear.OLEAUT32(?), ref: 006A4753
VariantClear.OLEAUT32(?), ref: 006A47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 006A472C
Null Object assignment in FOR..IN loop, xrefs: 006A45D8, 006A4706, 006A47BE

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 402aac5a0abe4ace00bee4112662a707336eefdf04dcca32f53d3ec1d0944cad
Instruction ID: d9978e3cf3f878a06773024d57a89780744a25c590b32e81e331359abc8e34bc
Opcode Fuzzy Hash: 402aac5a0abe4ace00bee4112662a707336eefdf04dcca32f53d3ec1d0944cad
Instruction Fuzzy Hash: 44917E71A00215ABDF20DFA5DC44FEEBBBAAF86710F108559E505AB281DBB09D41CFA0

Function 00691187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0069125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00691284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 006912A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006912D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0069135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006913C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00691430

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 8b7432cc9abc7f094d1957a3acaf90323d44230f454f18109e73b90cb348a798
Instruction ID: daa00d380ec3c9824dcedb5c5b7a84abf455ee4bf31f8ef1cd20df004dff2b84
Opcode Fuzzy Hash: 8b7432cc9abc7f094d1957a3acaf90323d44230f454f18109e73b90cb348a798
Instruction Fuzzy Hash: 3091C275A0021A9FEF00DF94C885BBEB7BAFF46725F244029E500EB691D774AA41CB94

Function 0063948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 04da3d7443ecb92a3ec7fd622c140530c94590923df9ae09a2bbbdcf69f3d900
Instruction ID: 43a0cbd183ff0d052860c568f25d5a7dd8032df88718e8ec8563468d55e94bbc
Opcode Fuzzy Hash: 04da3d7443ecb92a3ec7fd622c140530c94590923df9ae09a2bbbdcf69f3d900
Instruction Fuzzy Hash: 25911971D00219AFCB10CFA9CC84AEEBBBAFF49320F148559E515B7251D3759A82CFA0

Function 006A3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006A396B
CharUpperBuffW.USER32(?,?), ref: 006A3A7A
_wcslen.LIBCMT ref: 006A3A8A
VariantClear.OLEAUT32(?), ref: 006A3C1F

Part of subcall function 00690CDF: VariantInit.OLEAUT32(00000000), ref: 00690D1F
Part of subcall function 00690CDF: VariantCopy.OLEAUT32(?,?), ref: 00690D28
Part of subcall function 00690CDF: VariantClear.OLEAUT32(?), ref: 00690D34

Strings

AUTOIT.ERROR, xrefs: 006A3A80, 006A3A85
Incorrect Parameter format, xrefs: 006A39A6, 006A3BA1

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: c7da023b9cf7ea57c4cf54b9770b69f19d647c0173ceadab2f490bc7cc21a87c
Instruction ID: 8addbae79c8ab7a67e8dafc821863ca96099c3309b110c13a6c10fc121f8942e
Opcode Fuzzy Hash: c7da023b9cf7ea57c4cf54b9770b69f19d647c0173ceadab2f490bc7cc21a87c
Instruction Fuzzy Hash: DA9146746083159FC744EF24C48096AB7E6BF8A314F14892DF88A9B351DB31EE46CF96

Function 006A4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0068000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0067FF41,80070057,?,?,?,0068035E), ref: 0068002B
Part of subcall function 0068000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0067FF41,80070057,?,?), ref: 00680046
Part of subcall function 0068000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0067FF41,80070057,?,?), ref: 00680054
Part of subcall function 0068000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0067FF41,80070057,?), ref: 00680064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 006A4C51
_wcslen.LIBCMT ref: 006A4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 006A4DCF
CoTaskMemFree.OLE32(?), ref: 006A4DDA

Strings

NULL Pointer assignment, xrefs: 006A4E23, 006A4E52

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: ba2ed038532db55da24ff0e8b273acf8d089d78f13910bc90f5fac13cf4a8f83
Instruction ID: 2daf734679fdc80f7634a58915f36af8a3143721d8c156d083d0551d37e4410e
Opcode Fuzzy Hash: ba2ed038532db55da24ff0e8b273acf8d089d78f13910bc90f5fac13cf4a8f83
Instruction Fuzzy Hash: 46913671D0022D9FDF14EFA4DC90AEEBBBABF49310F104569E815A7241DB709E458FA0

Function 006B20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 006B2183
GetMenuItemCount.USER32(00000000), ref: 006B21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 006B21DD
_wcslen.LIBCMT ref: 006B2213
GetMenuItemID.USER32(?,?), ref: 006B224D
GetSubMenu.USER32(?,?), ref: 006B225B

Part of subcall function 00683A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00683A57
Part of subcall function 00683A3D: GetCurrentThreadId.KERNEL32 ref: 00683A5E
Part of subcall function 00683A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006825B3), ref: 00683A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006B22E3

Part of subcall function 0068E97B: Sleep.KERNEL32 ref: 0068E9F3

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 9de90bbdabc7b863ddf906a3dcce2513d33c0f5b23851ecb4dd722dec3278232
Instruction ID: 502a2638dc2d0f0e466dadae074803a42aa285ac5474babf3e0a63542cb308cb
Opcode Fuzzy Hash: 9de90bbdabc7b863ddf906a3dcce2513d33c0f5b23851ecb4dd722dec3278232
Instruction Fuzzy Hash: 507163B5A00215AFCB50DF64C855AEEB7F6EF48310F148459E916EB351D734EE818F90

Function 0068AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0068AEF9
GetKeyboardState.USER32(?), ref: 0068AF0E
SetKeyboardState.USER32(?), ref: 0068AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0068AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0068AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0068AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0068B020

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a70b1c48ad77b854b62deb95412e5cfc7dfddaa66a4383e0967de69141e5f7fd
Instruction ID: 7ee7ab8faab834ccadce4e9ecfa1135b6e0938027048ada35030c00ddca29e96
Opcode Fuzzy Hash: a70b1c48ad77b854b62deb95412e5cfc7dfddaa66a4383e0967de69141e5f7fd
Instruction Fuzzy Hash: A85102B06043D13DFB3663748C45BFABEAA5B06304F08868AE6E9559C2D3D8ADC4D751

Function 0068ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0068AD19
GetKeyboardState.USER32(?), ref: 0068AD2E
SetKeyboardState.USER32(?), ref: 0068AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0068ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0068ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0068AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0068AE38

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 368300eebca37fcea501bbded0b8d7860fdc7aacb9138f83779853e870aaef9f
Instruction ID: dcafac1a7f1f4e09d4457ae7462ee2bc5531961b5ab259160ef5c58efdf3a7ec
Opcode Fuzzy Hash: 368300eebca37fcea501bbded0b8d7860fdc7aacb9138f83779853e870aaef9f
Instruction Fuzzy Hash: 295139B05047D13DFB3363B48C55BBABEAA5F05300F088A8AE5D5869C2D394ED84E752

Function 0065542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00663CD6,?,?,?,?,?,?,?,?,00655BA3,?,?,00663CD6,?,?), ref: 00655470
__fassign.LIBCMT ref: 006554EB
__fassign.LIBCMT ref: 00655506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00663CD6,00000005,00000000,00000000), ref: 0065552C
WriteFile.KERNEL32(?,00663CD6,00000000,00655BA3,00000000,?,?,?,?,?,?,?,?,?,00655BA3,?), ref: 0065554B
WriteFile.KERNEL32(?,?,00000001,00655BA3,00000000,?,?,?,?,?,?,?,?,?,00655BA3,?), ref: 00655584

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 01371608eb5a3f125ff935a5289b5be4885c0304a5721c9d318490e2971a6312
Instruction ID: a0ef37450d78354c954799059d7beacb9da60a350e71808b5b3d6470e433d857
Opcode Fuzzy Hash: 01371608eb5a3f125ff935a5289b5be4885c0304a5721c9d318490e2971a6312
Instruction Fuzzy Hash: BE51F7B09006499FDB10CFA8D855AEEBBFAEF08311F14415AF956E7391E730DA45CB60

Function 006A10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006A304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 006A307A
Part of subcall function 006A304E: _wcslen.LIBCMT ref: 006A309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 006A1112
WSAGetLastError.WSOCK32 ref: 006A1121
WSAGetLastError.WSOCK32 ref: 006A11C9
closesocket.WSOCK32(00000000), ref: 006A11F9

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: e9b3c31b8a46365ccf6ae76ad643d12230ecac65d00a6b5deb5e90255e9cfebf
Instruction ID: 73cfda2a6befa1009258836fbc6bf8ff1b5a6a1272cb2eb16c9001f21628a3be
Opcode Fuzzy Hash: e9b3c31b8a46365ccf6ae76ad643d12230ecac65d00a6b5deb5e90255e9cfebf
Instruction Fuzzy Hash: 7C41D271600614AFDB10AF14D884BA9BBABEF46364F148169F9159F391C770AE81CFE1

Function 0068CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0068DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0068CF22,?), ref: 0068DDFD

Part of subcall function 0068DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0068CF22,?), ref: 0068DE16

lstrcmpiW.KERNEL32(?,?), ref: 0068CF45
MoveFileW.KERNEL32(?,?), ref: 0068CF7F
_wcslen.LIBCMT ref: 0068D005
_wcslen.LIBCMT ref: 0068D01B
SHFileOperationW.SHELL32(?), ref: 0068D061

Strings

\*.*, xrefs: 0068CFF3

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: bc6cc00fc2d517511ac5f0c9976d9e5fa8648e32c2226623cecd40d394baaa57
Instruction ID: bcb838b85ff60b8e48bef6259e0b8a1084a6ba1a6c2ae05d389bf1a2299b4b20
Opcode Fuzzy Hash: bc6cc00fc2d517511ac5f0c9976d9e5fa8648e32c2226623cecd40d394baaa57
Instruction Fuzzy Hash: 9D4164719452185FDF52FFA4D981ADEB7BAAF48380F0001EAE605EB141EB34A784CF64

Function 006B2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 006B2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 006B2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 006B2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 006B2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 006B2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 006B2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 006B2F0B

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: fea0b7b4a3a70b287582c5f617ddcfb48cda86b0def3059ef972741a10bf0418
Instruction ID: 4114ed7e3ef78130fb7eba1e2ef09fef50f3004f1fd1b98cbd0de4fdf8b7c6ee
Opcode Fuzzy Hash: fea0b7b4a3a70b287582c5f617ddcfb48cda86b0def3059ef972741a10bf0418
Instruction Fuzzy Hash: 433114B06441529FDB218F19DC94FE537E6EB5A760F141164FA008F2B2CBB1E881DB51

Function 00687726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00687769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0068778F
SysAllocString.OLEAUT32(00000000), ref: 00687792
SysAllocString.OLEAUT32(?), ref: 006877B0
SysFreeString.OLEAUT32(?), ref: 006877B9
StringFromGUID2.OLE32(?,?,00000028), ref: 006877DE
SysAllocString.OLEAUT32(?), ref: 006877EC

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 5654d9a0a4294aa89c44afd5ef8a6ed2812e68a37463c0571f7304ffb8e1bab7
Instruction ID: fc30e439239a2464c7d61c20b89d74fdf6fe317507baae04b566d829ed5abd23
Opcode Fuzzy Hash: 5654d9a0a4294aa89c44afd5ef8a6ed2812e68a37463c0571f7304ffb8e1bab7
Instruction Fuzzy Hash: 4C219076608219AFDB10EFA8CC88CFB77EEEB09764B148225FA15DB250D670DD81C764

Function 006877FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00687842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00687868
SysAllocString.OLEAUT32(00000000), ref: 0068786B
SysAllocString.OLEAUT32 ref: 0068788C
SysFreeString.OLEAUT32 ref: 00687895
StringFromGUID2.OLE32(?,?,00000028), ref: 006878AF
SysAllocString.OLEAUT32(?), ref: 006878BD

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 97ec089123502b9a65c1ed93b54b6707c187a115464f6b75dc0544f24f613330
Instruction ID: 8bb10a9f89f9fa0e42969ab9b9b21feba7344eaa9bb0871f431764d4c62b9bac
Opcode Fuzzy Hash: 97ec089123502b9a65c1ed93b54b6707c187a115464f6b75dc0544f24f613330
Instruction Fuzzy Hash: EB2177B1608104BFDB10AFA8DC88DAA77EDEB09760B108235F915CB2A1DA70DD41CB74

Function 006904D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 006904F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0069052E

Strings

nul, xrefs: 00690567

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: eeb7178132de1129ac0250b843658e7aeb6b77c59b0e427b054d54f2b41eed3f
Instruction ID: 783dfc868abbf6dd5e992bb5d880a1cdfca56b43d34d9cf5672f53ac8945a307
Opcode Fuzzy Hash: eeb7178132de1129ac0250b843658e7aeb6b77c59b0e427b054d54f2b41eed3f
Instruction Fuzzy Hash: 7B2160B5500305AFEF209F29DD44A9A77BEAF44764F614A29F8A1D62E0D7709A40CF20

Function 006905A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 006905C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00690601

Strings

nul, xrefs: 00690639

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: e863f46c3e5c61047257348f49547139db2f9459a2be4dad0dfe9033774b3c1a
Instruction ID: 12e5c7a0050fda53a57275d55559e0a1d0fe52de9f8caca05b96bc4ffa81ea02
Opcode Fuzzy Hash: e863f46c3e5c61047257348f49547139db2f9459a2be4dad0dfe9033774b3c1a
Instruction Fuzzy Hash: 85214F75500305AFEF209F699C04A9A77EEAF95734F200B19F8A1E76E0D77099A1CB20

Function 006B40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0062600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0062604C
Part of subcall function 0062600E: GetStockObject.GDI32(00000011), ref: 00626060
Part of subcall function 0062600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0062606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 006B4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 006B411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 006B412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 006B4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 006B4145

Strings

Msctls_Progress32, xrefs: 006B40E3

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 3d648b508addfcdfe34b7799dc4f7e0c432dbb1c5ee39e28c412844a3fbb8816
Instruction ID: 377478514f269739b9eb07f2877e82751314f431a22a678255ebd8f6ddcc4430
Opcode Fuzzy Hash: 3d648b508addfcdfe34b7799dc4f7e0c432dbb1c5ee39e28c412844a3fbb8816
Instruction Fuzzy Hash: 9111B2B2150219BEEF119F64CC85EE77F6EEF09798F014111FB18A6150CA729C61DBA4

Function 0065D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0065D7A3: _free.LIBCMT ref: 0065D7CC

_free.LIBCMT ref: 0065D82D

Part of subcall function 006529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0065D7D1,00000000,00000000,00000000,00000000,?,0065D7F8,00000000,00000007,00000000,?,0065DBF5,00000000), ref: 006529DE
Part of subcall function 006529C8: GetLastError.KERNEL32(00000000,?,0065D7D1,00000000,00000000,00000000,00000000,?,0065D7F8,00000000,00000007,00000000,?,0065DBF5,00000000,00000000), ref: 006529F0

_free.LIBCMT ref: 0065D838
_free.LIBCMT ref: 0065D843
_free.LIBCMT ref: 0065D897
_free.LIBCMT ref: 0065D8A2
_free.LIBCMT ref: 0065D8AD
_free.LIBCMT ref: 0065D8B8

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 4f8fe6365d85b8d677c001142bf7fc6b4c79dbc1513d7524bf6ec19d6906d574
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: D3118171540B04AAD5B1BFB0CC07FCB7BDEAF09702F40082DBA99A69D2DA24F5094654

Function 0068DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0068DA74
LoadStringW.USER32(00000000), ref: 0068DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0068DA91
LoadStringW.USER32(00000000), ref: 0068DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0068DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0068DAB9

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 869987dce6c5babf1e1d435e0852cebd762c4782c0019505e572ff6d9c4f539f
Instruction ID: abc88868f2ade28a26d2fcdb6ec0f9cd60bc70786f7d5ec0b177e84615337bfc
Opcode Fuzzy Hash: 869987dce6c5babf1e1d435e0852cebd762c4782c0019505e572ff6d9c4f539f
Instruction Fuzzy Hash: B00162F29002087FE711ABA4DD89EE7376DE708311F405695B706E2181EA749EC44F74

Function 0069096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0116EE30,0116EE30), ref: 0069097B
EnterCriticalSection.KERNEL32(0116EE10,00000000), ref: 0069098D
TerminateThread.KERNEL32(006F0074,000001F6), ref: 0069099B
WaitForSingleObject.KERNEL32(006F0074,000003E8), ref: 006909A9
CloseHandle.KERNEL32(006F0074), ref: 006909B8
InterlockedExchange.KERNEL32(0116EE30,000001F6), ref: 006909C8
LeaveCriticalSection.KERNEL32(0116EE10), ref: 006909CF

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: e3950c57cb07d9898952e2b0943fd8b73ae4a071d79d884cd1696283564d64aa
Instruction ID: 7332cb4ced4b9a5c9ffbd0542af54a710cb1c12d2e9b4336491043656f840671
Opcode Fuzzy Hash: e3950c57cb07d9898952e2b0943fd8b73ae4a071d79d884cd1696283564d64aa
Instruction Fuzzy Hash: F0F03171442912BFEB455F94EE8CBD67B3AFF01712F403126F101508A0C7749AA5DF90

Function 006A1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 006A1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 006A1DE1
WSAGetLastError.WSOCK32 ref: 006A1DF2
htons.WSOCK32(?,?,?,?,?), ref: 006A1EDB
inet_ntoa.WSOCK32(?), ref: 006A1E8C

Part of subcall function 006839E8: _strlen.LIBCMT ref: 006839F2

Part of subcall function 006A3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0069EC0C), ref: 006A3240

_strlen.LIBCMT ref: 006A1F35

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: c765262568e6e2d6482dfa4b9e65d54672a4118f1b00ba5a7cda1206de93ed55
Instruction ID: fa541ea23058d960295cb50ba9a9b03f03ad47a17a3871fa28856bdd63c69d86
Opcode Fuzzy Hash: c765262568e6e2d6482dfa4b9e65d54672a4118f1b00ba5a7cda1206de93ed55
Instruction Fuzzy Hash: 07B1BB70604350AFC324EF24C895E6A7BE6AF86318F54894CF4565F2A2CB31EE46CF91

Function 00625D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00625D30
GetWindowRect.USER32(?,?), ref: 00625D71
ScreenToClient.USER32(?,?), ref: 00625D99
GetClientRect.USER32(?,?), ref: 00625ED7
GetWindowRect.USER32(?,?), ref: 00625EF8

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 8dfc053c9c0908d9bec108b2d7b2c3cd49365838d2b8eab5637cec6e967915c6
Instruction ID: 843f1a19d1e9a450b6938d8841d0216658e8ac0477f601261571a4dc77f8cfc9
Opcode Fuzzy Hash: 8dfc053c9c0908d9bec108b2d7b2c3cd49365838d2b8eab5637cec6e967915c6
Instruction Fuzzy Hash: 64B16A74A00A5ADBDB20CFA8C4407EAB7F2FF44310F14951AE8AAD7250DB30EA51DF54

Function 006501B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 006500BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006500D6
__allrem.LIBCMT ref: 006500ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0065010B
__allrem.LIBCMT ref: 00650122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00650140

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 7374642c37296c2509792faec01fefee145cbf9689cfcbb805adc817efd851cb
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: AD81F572A00B069BE7609F68CC41BAB73EBAF45325F24413EF951DA7C1E770D9088B95

Function 006561FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,006482D9,006482D9,?,?,?,0065644F,00000001,00000001,8BE85006), ref: 00656258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0065644F,00000001,00000001,8BE85006,?,?,?), ref: 006562DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 006563D8
__freea.LIBCMT ref: 006563E5

Part of subcall function 00653820: RtlAllocateHeap.NTDLL(00000000,?,006F1444,?,0063FDF5,?,?,0062A976,00000010,006F1440,006213FC,?,006213C6,?,00621129), ref: 00653852

__freea.LIBCMT ref: 006563EE
__freea.LIBCMT ref: 00656413

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 2ad7e53b077331cc1b7805716c4a74a91cfb1945ce40aecb55d7ac999d909590
Instruction ID: 259fb7d36296292c1eee8aeddb8ae508d03ad5c8f6728d218c45058e6b95df42
Opcode Fuzzy Hash: 2ad7e53b077331cc1b7805716c4a74a91cfb1945ce40aecb55d7ac999d909590
Instruction Fuzzy Hash: 6851C172A00216ABEB258F64CC81EEF77ABEF44752F554629FC05D7240EB34DD89C6A0

Function 006ABBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00629CB3: _wcslen.LIBCMT ref: 00629CBD

Part of subcall function 006AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006AB6AE,?,?), ref: 006AC9B5
Part of subcall function 006AC998: _wcslen.LIBCMT ref: 006AC9F1
Part of subcall function 006AC998: _wcslen.LIBCMT ref: 006ACA68
Part of subcall function 006AC998: _wcslen.LIBCMT ref: 006ACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006ABCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006ABD25
RegCloseKey.ADVAPI32(00000000), ref: 006ABD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 006ABD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 006ABDF3
RegCloseKey.ADVAPI32(?), ref: 006ABDFF

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 2e01098007bec07a90e7f7a4a93f61f97f7d0280a1131628f5721320f9b9966b
Instruction ID: 5d6086b6cad55d808e5b009ebaf6a02bf3a4325f7c46418486c37cc09806ac8a
Opcode Fuzzy Hash: 2e01098007bec07a90e7f7a4a93f61f97f7d0280a1131628f5721320f9b9966b
Instruction Fuzzy Hash: ED819E70208241AFD714EF24C885E6ABBE6FF85318F14995CF4564B2A2DB32ED45CF92

Function 0067F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0067F7B9
SysAllocString.OLEAUT32(00000001), ref: 0067F860
VariantCopy.OLEAUT32(0067FA64,00000000), ref: 0067F889
VariantClear.OLEAUT32(0067FA64), ref: 0067F8AD
VariantCopy.OLEAUT32(0067FA64,00000000), ref: 0067F8B1
VariantClear.OLEAUT32(?), ref: 0067F8BB

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 5687608c316d1e3ad1882dd5c2948ca71052b19e81bb33ac5dcc067562f377b5
Instruction ID: b1b416840af1103b7045e0c1d46598c8ab18708cfd5e56f42b456dd6267823d3
Opcode Fuzzy Hash: 5687608c316d1e3ad1882dd5c2948ca71052b19e81bb33ac5dcc067562f377b5
Instruction Fuzzy Hash: 0051C631910310BACF54AB65D895F69B3EBEF45310F24D46AF909EF291DB708C41CBAA

Function 0069910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00627620: _wcslen.LIBCMT ref: 00627625

Part of subcall function 00626B57: _wcslen.LIBCMT ref: 00626B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 006994E5
_wcslen.LIBCMT ref: 00699506
_wcslen.LIBCMT ref: 0069952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00699585

Strings

X, xrefs: 00699412

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 9ca9796611bbf222cbf27cc40caacea1edeca1d047852a7033f458ce78cfc75a
Instruction ID: e0251e08f2add22cc1f006f6529f52bb8c72192ed8826021f9f1a9ecded78810
Opcode Fuzzy Hash: 9ca9796611bbf222cbf27cc40caacea1edeca1d047852a7033f458ce78cfc75a
Instruction Fuzzy Hash: 11E1B1315047519FCB64DF28D881A6AB7E6FF84310F04896DF8899B3A2DB31DD05CBA6

Function 0063920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00639BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00639BB2

BeginPaint.USER32(?,?,?), ref: 00639241
GetWindowRect.USER32(?,?), ref: 006392A5
ScreenToClient.USER32(?,?), ref: 006392C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 006392D3
EndPaint.USER32(?,?,?,?,?), ref: 00639321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 006771EA

Part of subcall function 00639339: BeginPath.GDI32(00000000), ref: 00639357

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 42c4a7febe236f6e8204ae9fed57668ac3706a9c8ec6173c53d4701f73b58679
Instruction ID: c9ae1fbc0574bef5a5bc5697ec82b396979cb0c64da70b65eb31d972fd3b9529
Opcode Fuzzy Hash: 42c4a7febe236f6e8204ae9fed57668ac3706a9c8ec6173c53d4701f73b58679
Instruction Fuzzy Hash: 23419D70104200EFE721DF24CC84FBA7BAAEB56364F140269F9A59B2A1C7B19945DFB1

Function 006907EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0069080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00690847
EnterCriticalSection.KERNEL32(?), ref: 00690863
LeaveCriticalSection.KERNEL32(?), ref: 006908DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 006908F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00690921

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: b395ff70e5ec127393f5cf5fd048e35f8b31ea756d8be0b6bf90f1a8a95f0576
Instruction ID: d377ae156d2df89fdd37491f768db03d6ae8a720336699bc846898f08e8818b7
Opcode Fuzzy Hash: b395ff70e5ec127393f5cf5fd048e35f8b31ea756d8be0b6bf90f1a8a95f0576
Instruction Fuzzy Hash: 74415C71A00205EFEF149F54DC85AAA777AFF04310F1440A9ED04AE297DB70DE65DBA4

Function 006B81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0067F3AB,00000000,?,?,00000000,?,0067682C,00000004,00000000,00000000), ref: 006B824C
EnableWindow.USER32(00000000,00000000), ref: 006B8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 006B82D1
ShowWindow.USER32(00000000,00000004), ref: 006B82E5
EnableWindow.USER32(00000000,00000001), ref: 006B830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 006B832F

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: f9891de3f0cf76a3fe51f2d3c7eb639c29957d76df24b566b16cb15021235679
Instruction ID: e6690d798a141f843419ff06b70cf063fe94f4846e13cefa0ee47565eaf0fce4
Opcode Fuzzy Hash: f9891de3f0cf76a3fe51f2d3c7eb639c29957d76df24b566b16cb15021235679
Instruction Fuzzy Hash: A44194B4601644EFDB11CF55C899BE47BE7BB0A714F1852A9E5084F362CB71AD81CB90

Function 00684C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00684C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00684CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00684CEA
_wcslen.LIBCMT ref: 00684D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00684D10
_wcsstr.LIBVCRUNTIME ref: 00684D1A

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 007305056282167c1b650d48b858618dc97adf2c28aafb38cef9b51373f9b556
Instruction ID: f9ed10beabe3a5d9a30470bd269dc147c60057facadf7a70bc305b620d80b47f
Opcode Fuzzy Hash: 007305056282167c1b650d48b858618dc97adf2c28aafb38cef9b51373f9b556
Instruction Fuzzy Hash: DB215E72604201BBEB256B35DC09E7F7B9EDF45760F10413DF805CA292EE61DD4193A0

Function 0069581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00623AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00623A97,?,?,00622E7F,?,?,?,00000000), ref: 00623AC2

_wcslen.LIBCMT ref: 0069587B
CoInitialize.OLE32(00000000), ref: 00695995
CoCreateInstance.OLE32(006BFCF8,00000000,00000001,006BFB68,?), ref: 006959AE
CoUninitialize.OLE32 ref: 006959CC

Strings

.lnk, xrefs: 00695876, 006958C1, 00695985

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: a36fb85a42a3ec2e8dcda2196d2735ca1a05dc7380bc1ae7baf0aeee00f352a9
Instruction ID: 3ca3d01153630493a572742164945795a0e7be051f35f0a1d44798253dd0b8b7
Opcode Fuzzy Hash: a36fb85a42a3ec2e8dcda2196d2735ca1a05dc7380bc1ae7baf0aeee00f352a9
Instruction Fuzzy Hash: F0D174716087119FCB04DF24C490A6ABBEAFF89310F14885DF88A9B361DB31ED45CB92

Function 0068175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00680FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00680FCA
Part of subcall function 00680FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00680FD6
Part of subcall function 00680FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00680FE5
Part of subcall function 00680FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00680FEC
Part of subcall function 00680FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00681002

GetLengthSid.ADVAPI32(?,00000000,00681335), ref: 006817AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 006817BA
HeapAlloc.KERNEL32(00000000), ref: 006817C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 006817DA
GetProcessHeap.KERNEL32(00000000,00000000,00681335), ref: 006817EE
HeapFree.KERNEL32(00000000), ref: 006817F5

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 1f3015f5f662afaadfe65fe64cc4161918b6f7c6de1e4ee8bfb5c318e0d48e9f
Instruction ID: 5179bba54bb05730092491a683726e17f538b024eb81a42cbedaeb47870ce7c8
Opcode Fuzzy Hash: 1f3015f5f662afaadfe65fe64cc4161918b6f7c6de1e4ee8bfb5c318e0d48e9f
Instruction Fuzzy Hash: 1A11AFB1500205EFDB10AFA4DC49BEE7BAEEB42365F10421DF441AB210C736AA45DB60

Function 006814CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006814FF
OpenProcessToken.ADVAPI32(00000000), ref: 00681506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00681515
CloseHandle.KERNEL32(00000004), ref: 00681520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0068154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00681563

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 3304528f2043610ed439af1ba192079ea3c3f97db68cc16be6859cc3244225d8
Instruction ID: 109d62667744a2810cd3524ef2f2ebe747f14424bd24f6a4470c22c1b404dc5e
Opcode Fuzzy Hash: 3304528f2043610ed439af1ba192079ea3c3f97db68cc16be6859cc3244225d8
Instruction Fuzzy Hash: 641159B250420DABDF11DF98DD49FDE7BAEEF49714F044224FA05A6160C3728EA1DB61

Function 00643382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00643379,00642FE5), ref: 00643390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0064339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006433B7
SetLastError.KERNEL32(00000000,?,00643379,00642FE5), ref: 00643409

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 4426e15552625f96a796817050490224252708e5926e7cb6197fca14ae005047
Instruction ID: 6d6609b05345973c57ed73a05b3ab88f3ccf9f0f7e0d60c18fd761a064739464
Opcode Fuzzy Hash: 4426e15552625f96a796817050490224252708e5926e7cb6197fca14ae005047
Instruction Fuzzy Hash: 9601D833609372BEE7693B747CD55962A97EB15779720022DF420893F1EF124E025548

Function 00652D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00655686,00663CD6,?,00000000,?,00655B6A,?,?,?,?,?,0064E6D1,?,006E8A48), ref: 00652D78
_free.LIBCMT ref: 00652DAB
_free.LIBCMT ref: 00652DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0064E6D1,?,006E8A48,00000010,00624F4A,?,?,00000000,00663CD6), ref: 00652DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0064E6D1,?,006E8A48,00000010,00624F4A,?,?,00000000,00663CD6), ref: 00652DEC
_abort.LIBCMT ref: 00652DF2

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: e339d3fa915a41ac9e27c4a7177987818bb9acf9903a2ee4fbd03a18ba50756f
Instruction ID: 471c1f9dbbb23fbfc06aa998db133e09ef4be9585ea25b148438512962654a1f
Opcode Fuzzy Hash: e339d3fa915a41ac9e27c4a7177987818bb9acf9903a2ee4fbd03a18ba50756f
Instruction Fuzzy Hash: F4F0CD32504A0367C3522739BC36E9A26776FC3BB7F25461DFC24923D2DF24894E5164

Function 006B8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00639639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00639693
Part of subcall function 00639639: SelectObject.GDI32(?,00000000), ref: 006396A2
Part of subcall function 00639639: BeginPath.GDI32(?), ref: 006396B9
Part of subcall function 00639639: SelectObject.GDI32(?,00000000), ref: 006396E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 006B8A4E
LineTo.GDI32(?,00000003,00000000), ref: 006B8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 006B8A70
LineTo.GDI32(?,00000000,00000003), ref: 006B8A80
EndPath.GDI32(?), ref: 006B8A90
StrokePath.GDI32(?), ref: 006B8AA0

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: d83b84c8b0a596c453285cfae2047c8402f18924d1313764d29eac13c18b56d3
Instruction ID: f56e7dd7fb3d8fdc2be8277129d5f12ea3096a0af4d0e5a2683e9912ab34cab3
Opcode Fuzzy Hash: d83b84c8b0a596c453285cfae2047c8402f18924d1313764d29eac13c18b56d3
Instruction Fuzzy Hash: BB110CB640010DFFDB119F94DC88EEA7F6EEB05364F008111BA159A161C7729E95DFA0

Function 006851FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00685218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00685229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00685230
ReleaseDC.USER32(00000000,00000000), ref: 00685238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0068524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00685261

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 906e971428bef058fd6344cad761613cb3063326b5a7c69e5af2ce19f98ed3ea
Instruction ID: f13976cb3438a7c7b98d1a4edf97b59818d850f4f1dd98e69066fc7ea3d261e4
Opcode Fuzzy Hash: 906e971428bef058fd6344cad761613cb3063326b5a7c69e5af2ce19f98ed3ea
Instruction Fuzzy Hash: 7D0167B5E40714BBEB106BA99C49E5EBFB9EF44761F044165FA05A7381DA709D00CF60

Function 00621BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00621BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00621BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00621C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00621C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00621C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00621C22

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: be78df79b1ef45534b7134d5c017e00fb178260bd3c43fbb9a9a454d37c0344e
Instruction ID: da4beffc1085a4ebc9c16fb4e2c81a7860bc58264482c0b0d7afbaa5a3614d24
Opcode Fuzzy Hash: be78df79b1ef45534b7134d5c017e00fb178260bd3c43fbb9a9a454d37c0344e
Instruction Fuzzy Hash: D1016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47942C7F5A864CBE5

Function 0068EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0068EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0068EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0068EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0068EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0068EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0068EB75

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 443b850b306ca9b6fd2920e33d6e1f1575a17fc59651f7e49bb13e0ce8bfbbed
Instruction ID: 315b093e87f6b72202a8121ab6d725b39bcc5e14ed3eccbf1bd52cec4f957d4f
Opcode Fuzzy Hash: 443b850b306ca9b6fd2920e33d6e1f1575a17fc59651f7e49bb13e0ce8bfbbed
Instruction Fuzzy Hash: F8F054B2140558BBE7215B529C0DEEF3F7DEFCAB21F001269F601E1191E7A05B41C6B5

Function 00677439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00677452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00677469
GetWindowDC.USER32(?), ref: 00677475
GetPixel.GDI32(00000000,?,?), ref: 00677484
ReleaseDC.USER32(?,00000000), ref: 00677496
GetSysColor.USER32(00000005), ref: 006774B0

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: ae05fc87cab5bff7343cdca0e4f89f4de82ee8c1d831073dc29ad7a2d46e2a1e
Instruction ID: d3f8acd75b71e489162cae2684adda86b2107886f87f4c0e26570c1a5db42f0a
Opcode Fuzzy Hash: ae05fc87cab5bff7343cdca0e4f89f4de82ee8c1d831073dc29ad7a2d46e2a1e
Instruction Fuzzy Hash: 9A012872400215EFDB615F64DC08BEA7BB7FB04321F515264F919A21A1CB312E91AB60

Function 00681874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0068187F
UnloadUserProfile.USERENV(?,?), ref: 0068188B
CloseHandle.KERNEL32(?), ref: 00681894
CloseHandle.KERNEL32(?), ref: 0068189C
GetProcessHeap.KERNEL32(00000000,?), ref: 006818A5
HeapFree.KERNEL32(00000000), ref: 006818AC

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 5cf39b7ae3da678dc1479aeccb161d577d1fa8dd535268cafdaaea13f7336029
Instruction ID: 0e21bf221fe5d085e62844eced536492a8b0f9a12eaf74552afa42cf961dfa91
Opcode Fuzzy Hash: 5cf39b7ae3da678dc1479aeccb161d577d1fa8dd535268cafdaaea13f7336029
Instruction Fuzzy Hash: 41E0E5B6004901BBDB015FA5ED0C90ABF7AFF49B32B509331F22591070CB3295A0EF60

Function 0062BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0062BEB3

Strings

D%o, xrefs: 0062BCA2
D%o, xrefs: 0062BDED, 0062BD91, 0062BD1B
D%oD%o, xrefs: 0062BCA5
D%o, xrefs: 0062BE9A

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%o$D%o$D%o$D%oD%o
API String ID: 1385522511-4062757370
Opcode ID: d97d88f334de40fb9d506252ae77693d21b998bb6d3e0230b94d0778fab6ae88
Instruction ID: 2668b6b59f7e001e0e183abc8fd3469aaaead89fdd85b488c5b3a73cd4ac08b0
Opcode Fuzzy Hash: d97d88f334de40fb9d506252ae77693d21b998bb6d3e0230b94d0778fab6ae88
Instruction Fuzzy Hash: A6914B75A00A2ACFCB18CF58E0A06F9B7F2FF58314B249569D985AB351D731AD81CF90

Function 006A7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00640242: EnterCriticalSection.KERNEL32(006F070C,006F1884,?,?,0063198B,006F2518,?,?,?,006212F9,00000000), ref: 0064024D
Part of subcall function 00640242: LeaveCriticalSection.KERNEL32(006F070C,?,0063198B,006F2518,?,?,?,006212F9,00000000), ref: 0064028A

Part of subcall function 00629CB3: _wcslen.LIBCMT ref: 00629CBD

Part of subcall function 006400A3: __onexit.LIBCMT ref: 006400A9

__Init_thread_footer.LIBCMT ref: 006A7BFB

Part of subcall function 006401F8: EnterCriticalSection.KERNEL32(006F070C,?,?,00638747,006F2514), ref: 00640202
Part of subcall function 006401F8: LeaveCriticalSection.KERNEL32(006F070C,?,00638747,006F2514), ref: 00640235

Strings

+Tg, xrefs: 006A7E2E
G, xrefs: 006A7C7F
5, xrefs: 006A7C78
Variable must be of type 'Object'., xrefs: 006A7C3A

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +Tg$5$G$Variable must be of type 'Object'.
API String ID: 535116098-1659199945
Opcode ID: 7c769728b594792f8ce922d1f13887e738f9a5ae4bf0aa082da52019d55d8e6b
Instruction ID: 720ab6a1e29c7583408d72e5de78a10bcb0517a28d7a6042f22a4a0103f056cd
Opcode Fuzzy Hash: 7c769728b594792f8ce922d1f13887e738f9a5ae4bf0aa082da52019d55d8e6b
Instruction Fuzzy Hash: 79915670A04209AFCB14FF94D8919ADBBB3AF4A310F14805DF806AB392DB71AE45CF55

Function 0068C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00627620: _wcslen.LIBCMT ref: 00627625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0068C6EE
_wcslen.LIBCMT ref: 0068C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0068C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0068C7CA

Strings

0, xrefs: 0068C6AF

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 56f01f0a2b2306b15b273c6b0b38b6613bda88dfc1a3898049ba6998fc718f60
Instruction ID: 37c73d0ecba89b0bbcc7cea2d31d5fdd027fbc07406a94ea146f86f1841142d2
Opcode Fuzzy Hash: 56f01f0a2b2306b15b273c6b0b38b6613bda88dfc1a3898049ba6998fc718f60
Instruction Fuzzy Hash: 2D51D1716143019BD754AF28C885BAB77E6AF49330F040B2DFA95D3290DB70D944CBA6

Function 006AAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 006AAEA3

Part of subcall function 00627620: _wcslen.LIBCMT ref: 00627625

GetProcessId.KERNEL32(00000000), ref: 006AAF38
CloseHandle.KERNEL32(00000000), ref: 006AAF67

Strings

@, xrefs: 006AAE72
<, xrefs: 006AAE6B

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 8bacc739223c8297f31d759dccfdab01d592103a297ac07c23811be61535e9d4
Instruction ID: 6fec45cd7e21c499a2ed7bd18038abb3fb79b92021e67cd0b8fa7865f905dcae
Opcode Fuzzy Hash: 8bacc739223c8297f31d759dccfdab01d592103a297ac07c23811be61535e9d4
Instruction Fuzzy Hash: AD713571A006259FCB14EF94D484A9EBBF2BF09310F04849EE856AB362CB74ED45CF95

Function 0068719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00687206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0068723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0068724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 006872CF

Strings

DllGetClassObject, xrefs: 00687242

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 88c3eab7a2a4c5c239fa4eaff5efddd4287b6b894750f67107a12868d51cbd13
Instruction ID: 817d43e5ecbbcd3acfafc283c8d4362c3bab0c79675fcc957401df326802eee5
Opcode Fuzzy Hash: 88c3eab7a2a4c5c239fa4eaff5efddd4287b6b894750f67107a12868d51cbd13
Instruction Fuzzy Hash: 314162B1604204DFDB15DF54C894A9A7FAAEF84310F2482ADFD059F21AD7B1DA45CBA0

Function 006B3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006B3E35
IsMenu.USER32(?), ref: 006B3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006B3E92
DrawMenuBar.USER32 ref: 006B3EA5

Strings

0, xrefs: 006B3D89

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 32bff02a80f958dfdec465a2d891d2fadd99d2ca3df60b8da42b87e10bb3a5dd
Instruction ID: 3be7047446d8c88d56afa4c2ea083f51366f219f7b4f40aee4c1d02b373127fd
Opcode Fuzzy Hash: 32bff02a80f958dfdec465a2d891d2fadd99d2ca3df60b8da42b87e10bb3a5dd
Instruction Fuzzy Hash: 8F411AB5A01219EFDB10DF50D884AEAB7B6FF45354F04412AE9059B350D770EE96CF60

Function 006B2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 006B2F8D
LoadLibraryW.KERNEL32(?), ref: 006B2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 006B2FA9
DestroyWindow.USER32(?), ref: 006B2FB1

Strings

SysAnimate32, xrefs: 006B2F68

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 3ee1b7eb9d8b5789236201bcfc522bcfd0442bed6abf94ad73316e94ae9a8949
Instruction ID: 4207bcb425cadb4d8907dcc428953b48ce04c1c6edb34326e9e27ae78b402e68
Opcode Fuzzy Hash: 3ee1b7eb9d8b5789236201bcfc522bcfd0442bed6abf94ad73316e94ae9a8949
Instruction Fuzzy Hash: 6C219AB124020AABEF104F64DCA4EFB37FEEB59764F100218FA50D6290D771DC919760

Function 00644D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00644D1E,006528E9,?,00644CBE,006528E9,006E88B8,0000000C,00644E15,006528E9,00000002), ref: 00644D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00644DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00644D1E,006528E9,?,00644CBE,006528E9,006E88B8,0000000C,00644E15,006528E9,00000002,00000000), ref: 00644DC3

Strings

mscoree.dll, xrefs: 00644D86
CorExitProcess, xrefs: 00644D98

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 08a22925c33b7392dd4288feadc1e07e4ce68123f19ac698aade715f2784a113
Instruction ID: b0ea7f0ffa61282558970929e0f432c6dfef0d0fc306c22fc91f3e32fd807d1a
Opcode Fuzzy Hash: 08a22925c33b7392dd4288feadc1e07e4ce68123f19ac698aade715f2784a113
Instruction Fuzzy Hash: 4CF04475940218BBDB155F94DC49BEDBFBAEF44761F000158F905A2251CF715A84CA90

Function 00624E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00624EDD,?,006F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00624E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00624EAE
FreeLibrary.KERNEL32(00000000,?,?,00624EDD,?,006F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00624EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00624EA8
kernel32.dll, xrefs: 00624E94

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 443dca376f32d4e97d2e900d1387a94ea9e353a8419f037bf3fa4ec5198a6518
Instruction ID: 53c86344118332b123f89ca4d847ad4ff139c9f58557d80e8fdaf4eabff68e3f
Opcode Fuzzy Hash: 443dca376f32d4e97d2e900d1387a94ea9e353a8419f037bf3fa4ec5198a6518
Instruction Fuzzy Hash: 67E08675A02A325BE3311729BC18A9F655AAF81F727060215FC40E2341DFA0CE4245A0

Function 00624E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00663CDE,?,006F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00624E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00624E74
FreeLibrary.KERNEL32(00000000,?,?,00663CDE,?,006F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00624E87

Strings

kernel32.dll, xrefs: 00624E5B
Wow64RevertWow64FsRedirection, xrefs: 00624E6E

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 227ab4953ec9512333e63238b0f241cbf4952cfcfb6b68ee7177137d11e9a697
Instruction ID: a5c09bd0e78bd592c28ab4b30e96a56a987377bf4373d91da3caf43fa033d9f5
Opcode Fuzzy Hash: 227ab4953ec9512333e63238b0f241cbf4952cfcfb6b68ee7177137d11e9a697
Instruction Fuzzy Hash: 52D01275502A3257EB221B297C1CDCF6A1BAF85BB13070655F945B6325CF60CF4289E0

Function 00692947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00692C05
DeleteFileW.KERNEL32(?), ref: 00692C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00692C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00692CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00692CC0

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 371ecb3da2c6c28e86c318aed41c70fb649f2d36cb050d544dfa373e17b87757
Instruction ID: 0986cd904a932469974238632a5c5c2c6521c3eee7bd83c77c04f0ddbf67b3c2
Opcode Fuzzy Hash: 371ecb3da2c6c28e86c318aed41c70fb649f2d36cb050d544dfa373e17b87757
Instruction Fuzzy Hash: CEB15D72D00129BBDF61DBA4CC95EDEB7BEEF08354F1040AAF609E6141EA319E448F65

Function 006AA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 006AA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 006AA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 006AA468
CloseHandle.KERNEL32(?), ref: 006AA63D

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: b659dbb33678713b66186a03c49b8a584badb94f6f3e10073b2718a5c5a4fd7c
Instruction ID: aaa9ea3e998c746bfe9c0c383ab664f0b6b263951706ff4bb2688be7687dbd94
Opcode Fuzzy Hash: b659dbb33678713b66186a03c49b8a584badb94f6f3e10073b2718a5c5a4fd7c
Instruction Fuzzy Hash: 42A1BE716047009FE760EF24D882B2AB7E6AF88714F14881DF55A9B392D770ED41CF96

Function 0065BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,006C3700), ref: 0065BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,006F121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0065BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,006F1270,000000FF,?,0000003F,00000000,?), ref: 0065BC36
_free.LIBCMT ref: 0065BB7F

Part of subcall function 006529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0065D7D1,00000000,00000000,00000000,00000000,?,0065D7F8,00000000,00000007,00000000,?,0065DBF5,00000000), ref: 006529DE
Part of subcall function 006529C8: GetLastError.KERNEL32(00000000,?,0065D7D1,00000000,00000000,00000000,00000000,?,0065D7F8,00000000,00000007,00000000,?,0065DBF5,00000000,00000000), ref: 006529F0

_free.LIBCMT ref: 0065BD4B

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: d16e93e52db4524e7072166ebe5e43e52b0c56f1a27d9b831bf27b739741dea0
Instruction ID: 1d8a15681055c892d54d1d9fbabd25082f0ed5958d3ad7aad176621f015281d1
Opcode Fuzzy Hash: d16e93e52db4524e7072166ebe5e43e52b0c56f1a27d9b831bf27b739741dea0
Instruction Fuzzy Hash: 2E510A71900209DFCB10DFA99C819BEB7BAEF41361F10226EE950E7291EB705E49C754

Function 0068E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0068DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0068CF22,?), ref: 0068DDFD

Part of subcall function 0068DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0068CF22,?), ref: 0068DE16

Part of subcall function 0068E199: GetFileAttributesW.KERNEL32(?,0068CF95), ref: 0068E19A

lstrcmpiW.KERNEL32(?,?), ref: 0068E473
MoveFileW.KERNEL32(?,?), ref: 0068E4AC
_wcslen.LIBCMT ref: 0068E5EB
_wcslen.LIBCMT ref: 0068E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0068E650

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 0e56f0861efb4185500b7781c115c57f5efd0a164be073bc2b4b750bcaf37a45
Instruction ID: 2b2720925d70eaa72a021067b94425f12258abc11a331e8bf06ac21b67c6dc4e
Opcode Fuzzy Hash: 0e56f0861efb4185500b7781c115c57f5efd0a164be073bc2b4b750bcaf37a45
Instruction Fuzzy Hash: 975176B25087455BC764EBA0DC819DF73EEAF84340F004A1EF589D3151EF75A6888B6A

Function 006AB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00629CB3: _wcslen.LIBCMT ref: 00629CBD

Part of subcall function 006AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006AB6AE,?,?), ref: 006AC9B5
Part of subcall function 006AC998: _wcslen.LIBCMT ref: 006AC9F1
Part of subcall function 006AC998: _wcslen.LIBCMT ref: 006ACA68
Part of subcall function 006AC998: _wcslen.LIBCMT ref: 006ACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006ABAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006ABB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 006ABB63
RegCloseKey.ADVAPI32(?,?), ref: 006ABBA6
RegCloseKey.ADVAPI32(00000000), ref: 006ABBB3

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 53724c4a202a386d664d56d27b27c88e12bc578ba5885417eef4b9c4d8dfa838
Instruction ID: 39e03eb16cb88dfc328322105c42bedd2abf21c6da28c073564326b7038eafb5
Opcode Fuzzy Hash: 53724c4a202a386d664d56d27b27c88e12bc578ba5885417eef4b9c4d8dfa838
Instruction Fuzzy Hash: DF61A171208241AFD314EF54C490E6ABBE6FF85318F14995CF4998B2A2DB31ED45CFA2

Function 00688BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00688BCD
VariantClear.OLEAUT32 ref: 00688C3E
VariantClear.OLEAUT32 ref: 00688C9D
VariantClear.OLEAUT32(?), ref: 00688D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00688D3B

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: db573fb76947f699284bef95cf1b6c4f043e7a7293b2f3c92c8ed9666a63e89f
Instruction ID: ee516b3ae330e18943a93f4680055ef139345302d0d703f8cdb78a755efbb0a5
Opcode Fuzzy Hash: db573fb76947f699284bef95cf1b6c4f043e7a7293b2f3c92c8ed9666a63e89f
Instruction Fuzzy Hash: 19517BB5A00219EFCB10DF68C894AAAB7F9FF89310B158659F905DB354E730EA11CF90

Function 00698AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00698BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00698BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00698C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00698C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00698C5F

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: e75ecbbacc1a5963822401d2e79be3dfe9a93f081a8fa57773417d743b80438a
Instruction ID: e7fc9523dba74582d97550dae8beb0751f9a6dc8d6f943831195447cbd9b6c31
Opcode Fuzzy Hash: e75ecbbacc1a5963822401d2e79be3dfe9a93f081a8fa57773417d743b80438a
Instruction Fuzzy Hash: 17512835A00615AFCB05DF64C881EA9BBF6FF49314F088458E849AB362DB35ED51CFA4

Function 006A8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 006A8F40
GetProcAddress.KERNEL32(00000000,?), ref: 006A8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 006A8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 006A9032
FreeLibrary.KERNEL32(00000000), ref: 006A9052

Part of subcall function 0063F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00691043,?,7644E610), ref: 0063F6E6
Part of subcall function 0063F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0067FA64,00000000,00000000,?,?,00691043,?,7644E610,?,0067FA64), ref: 0063F70D

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: ee32e1b5f33e223cd77c44a7bf8e0ce60546c34349c7d043711c993d817948ef
Instruction ID: 9b8348a71e27ef8d7b495d68f3795c930671cc37a8a1a9d07fa4156842353b2b
Opcode Fuzzy Hash: ee32e1b5f33e223cd77c44a7bf8e0ce60546c34349c7d043711c993d817948ef
Instruction Fuzzy Hash: C4512A35600615DFC715EF58C4848ADBBB2FF4A364F1481A9E805AB362DB31ED86CF90

Function 006B6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 006B6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 006B6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 006B6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0069AB79,00000000,00000000), ref: 006B6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 006B6CC7

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: e5d0af36a10ac14f16a209e6b972d080db14e35f90ad0d8b7c9de2b38611fb97
Instruction ID: ac79cb691e51cfc3f2c3aec85d54a272acda67df1210529111568ead74cb15a5
Opcode Fuzzy Hash: e5d0af36a10ac14f16a209e6b972d080db14e35f90ad0d8b7c9de2b38611fb97
Instruction Fuzzy Hash: B341A1B5604114AFD724CF28CC58FE97FA6EB09360F140268F995A73A1D375AE91CB90

Function 00652051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006520C3
_free.LIBCMT ref: 006520E3

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1edac35e46f5e2d56bb24e448b5045a0c0a1290dedeb1ac306a4f21400440eec
Instruction ID: ad476753e932a4e0bcd39df852286c8fc46bb58cb9f5d37c0f766407190d76e9
Opcode Fuzzy Hash: 1edac35e46f5e2d56bb24e448b5045a0c0a1290dedeb1ac306a4f21400440eec
Instruction Fuzzy Hash: 4E41D472A00201AFCB24DF78C991A9EB7A6EF8A714F154568EA15EB391D731AD05CB80

Function 0063912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00639141
ScreenToClient.USER32(00000000,?), ref: 0063915E
GetAsyncKeyState.USER32(00000001), ref: 00639183
GetAsyncKeyState.USER32(00000002), ref: 0063919D

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: d15c4f78ed52f4e668bd4a67a389b8284abc1f3a550d3da81d8f3c22efe31022
Instruction ID: ee03ab2acaa3c75c84a0bea16f5f4c346b78aa7cfad34bde55734b7df845d323
Opcode Fuzzy Hash: d15c4f78ed52f4e668bd4a67a389b8284abc1f3a550d3da81d8f3c22efe31022
Instruction Fuzzy Hash: A6414F71A0861BBBDF159F64C844BEEB776FF05324F248229E429A7290C7706990CFA1

Function 00693874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 006938CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00693922
TranslateMessage.USER32(?), ref: 0069394B
DispatchMessageW.USER32(?), ref: 00693955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00693966

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 55fdfa13022dd7415290fea2c5fd433606a968d37ed55435a728605adacc3bb4
Instruction ID: 960f4272299fae1bf9a5446714dda6f35a573a65c729891df9c672676eb36814
Opcode Fuzzy Hash: 55fdfa13022dd7415290fea2c5fd433606a968d37ed55435a728605adacc3bb4
Instruction Fuzzy Hash: 1831C370904365DEEF35CB249908BF637AFAB12340F04056EE466C6BA0F3A49A85CB11

Function 0069CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0069C21E,00000000), ref: 0069CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0069CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0069C21E,00000000), ref: 0069CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0069C21E,00000000), ref: 0069CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0069C21E,00000000), ref: 0069CFF2

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: deb02703d970d5f8c4b8b5ac47bbb9a9f52d4a2272543279e52b9a2dcc10274b
Instruction ID: 7d020a25684df8afd42eeb4b874b3c4f5e64f79789dbc01418cfbc54210c9dbc
Opcode Fuzzy Hash: deb02703d970d5f8c4b8b5ac47bbb9a9f52d4a2272543279e52b9a2dcc10274b
Instruction Fuzzy Hash: D8314BB1900605AFDF20DFA5C9849ABBBFEEF14360B10442EF506D2641DB30AE41DB60

Function 00681901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00681915
PostMessageW.USER32(00000001,00000201,00000001), ref: 006819C1
Sleep.KERNEL32(00000000,?,?,?), ref: 006819C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 006819DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 006819E2

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 6f3cb8c0802de8f69bb58d462c485dc4203d0b29c84416c4f628714809e1e6c8
Instruction ID: e8db5f817a9a4be1a248fc450648ba6fde9c7ec333662107841c147bfab117a7
Opcode Fuzzy Hash: 6f3cb8c0802de8f69bb58d462c485dc4203d0b29c84416c4f628714809e1e6c8
Instruction Fuzzy Hash: 0731D371900219EFCF00DFA8CD58ADE3BBAEB05324F004325F961AB2D1D3709945CB90

Function 006B5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 006B5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 006B579D
_wcslen.LIBCMT ref: 006B57AF
_wcslen.LIBCMT ref: 006B57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 006B5816

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 0c88f0d8ec33cddf62145365361ae269c87722ee29af3501f77e9d09a904e459
Instruction ID: 434cb54fb83d421cabd60364374de78a988101b95203bee405f3c540aef55ef8
Opcode Fuzzy Hash: 0c88f0d8ec33cddf62145365361ae269c87722ee29af3501f77e9d09a904e459
Instruction Fuzzy Hash: 862175B1904618DADB209F60CC45BED77BAFF14724F104216E92ADB281D77089C5CF50

Function 006A0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 006A0951
GetForegroundWindow.USER32 ref: 006A0968
GetDC.USER32(00000000), ref: 006A09A4
GetPixel.GDI32(00000000,?,00000003), ref: 006A09B0
ReleaseDC.USER32(00000000,00000003), ref: 006A09E8

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: b174b17d9b72d0856d4154c1186c8619cb0c86fbc7d718ab21f9387ad8732f1d
Instruction ID: 2494a02ee1d70e79e6e032453457b99817f0d0db482fcd703b9bd4cf1fcbfa78
Opcode Fuzzy Hash: b174b17d9b72d0856d4154c1186c8619cb0c86fbc7d718ab21f9387ad8732f1d
Instruction Fuzzy Hash: E321A175600214AFD754EF69D884AAEBBEAEF49710F00816CF84AA7752DB30AD44CF90

Function 0065CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0065CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0065CDE9

Part of subcall function 00653820: RtlAllocateHeap.NTDLL(00000000,?,006F1444,?,0063FDF5,?,?,0062A976,00000010,006F1440,006213FC,?,006213C6,?,00621129), ref: 00653852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0065CE0F
_free.LIBCMT ref: 0065CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0065CE31

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 96542a0523cad1bac2c0abe62ca056b51d6f265f0be7862545af81b052d0e455
Instruction ID: 85e4452a50a564599d2afe4425c017925d54132de03edbbaa6493b35b99a98be
Opcode Fuzzy Hash: 96542a0523cad1bac2c0abe62ca056b51d6f265f0be7862545af81b052d0e455
Instruction Fuzzy Hash: E301D8B26013167FA321167A6C4ACBB696FDEC6FB2715022DFD05D7300DA618E0581B0

Function 00639639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00639693
SelectObject.GDI32(?,00000000), ref: 006396A2
BeginPath.GDI32(?), ref: 006396B9
SelectObject.GDI32(?,00000000), ref: 006396E2

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 183d98fb525d1ba0684ba70743f62a854fdd8c4c5abb96b181744fd4de8165da
Instruction ID: 08c89f13cb7f8a39258dc4f63aa4b3661e3c236fd203b3b711113214c7f3abe1
Opcode Fuzzy Hash: 183d98fb525d1ba0684ba70743f62a854fdd8c4c5abb96b181744fd4de8165da
Instruction Fuzzy Hash: 0C217F70802309EBEB119F29DC157F93BABBB133A5F105216F410AA2A0D3F15991CFE4

Function 00685711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00685726
_memcmp.LIBVCRUNTIME ref: 00685744
_memcmp.LIBVCRUNTIME ref: 00685757
_memcmp.LIBVCRUNTIME ref: 0068576F
_memcmp.LIBVCRUNTIME ref: 00685787

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 020da7222312bfcffadd1f73d43797c54aecfbe95f48d3fa72451a643d7ac748
Instruction ID: 6c25a7cda2c6c19894cb532ebba588da9f75f1388c606b75233ca5e998a519ea
Opcode Fuzzy Hash: 020da7222312bfcffadd1f73d43797c54aecfbe95f48d3fa72451a643d7ac748
Instruction Fuzzy Hash: 1F01B5A5641609FBE3096610DD92FFB735F9B21394F408134FD069E241FB60ED9183A9

Function 00652DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0064F2DE,00653863,006F1444,?,0063FDF5,?,?,0062A976,00000010,006F1440,006213FC,?,006213C6), ref: 00652DFD
_free.LIBCMT ref: 00652E32
_free.LIBCMT ref: 00652E59
SetLastError.KERNEL32(00000000,00621129), ref: 00652E66
SetLastError.KERNEL32(00000000,00621129), ref: 00652E6F

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 845fbb6890ec4aa367bda402f5c7bc9c45e107704e867bbe507b1caa8980b7ee
Instruction ID: 6370edba848cb3d5150bd9ad2552dd57915acb8c64cabdd0056a42ca2ac71611
Opcode Fuzzy Hash: 845fbb6890ec4aa367bda402f5c7bc9c45e107704e867bbe507b1caa8980b7ee
Instruction Fuzzy Hash: 1F01F472205A0267C71227756CA7DAB269BABD37B7F25412DFD21A2392EE209D4E4120

Function 0068000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0067FF41,80070057,?,?,?,0068035E), ref: 0068002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0067FF41,80070057,?,?), ref: 00680046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0067FF41,80070057,?,?), ref: 00680054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0067FF41,80070057,?), ref: 00680064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0067FF41,80070057,?,?), ref: 00680070

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: d1b3f8846d9332ff10ac72a233de6643163f0a051592d61e6deffce1ac273175
Instruction ID: abb9e57b87b475ab704ed9c4cae2c26abb29f6f5e7e18d808793b518729d8d98
Opcode Fuzzy Hash: d1b3f8846d9332ff10ac72a233de6643163f0a051592d61e6deffce1ac273175
Instruction Fuzzy Hash: B601A2B2600204BFEB515F68DC04BAA7EFFEF44762F145624F905D6210D771DE849BA0

Function 0068E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0068E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0068E9A5
Sleep.KERNEL32(00000000), ref: 0068E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0068E9B7
Sleep.KERNEL32 ref: 0068E9F3

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 8f3e27796b8595f4a72af7b2b74ab9ac56124cad0c706445ba492385f122f4ae
Instruction ID: a4a5bd4d56ca03416ed7734cd43b045928b6a354b41472bf25bdd9141a715420
Opcode Fuzzy Hash: 8f3e27796b8595f4a72af7b2b74ab9ac56124cad0c706445ba492385f122f4ae
Instruction Fuzzy Hash: E1018C71C0162DDBCF00AFE8DC59AEDBB7AFF09311F000646E542B2240CBB59691CBA1

Function 006810F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00681114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00680B9B,?,?,?), ref: 00681120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00680B9B,?,?,?), ref: 0068112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00680B9B,?,?,?), ref: 00681136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0068114D

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 2d9bd220d4d2026328800de610009a1f08fbd3202c025b4a90df56f6757833eb
Instruction ID: 3f28c9af90b69ca31261ca6b2a4c680b703c1e00cf003600f88912a31736a504
Opcode Fuzzy Hash: 2d9bd220d4d2026328800de610009a1f08fbd3202c025b4a90df56f6757833eb
Instruction Fuzzy Hash: B80169B5200205BFDB115FA8DC4DAAA3B6FEF8A3A0B200529FA41D7360DA31DD409B60

Function 00680FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00680FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00680FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00680FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00680FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00681002

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0506a8ee1b56b436626dd2ea1e541de38effc0e2a646ec2aaf6f1b2b04c2012f
Instruction ID: 9954c4b03ff740fdae4ea517fd90b82c33fd26fb3e53f8a8c33df841015df12a
Opcode Fuzzy Hash: 0506a8ee1b56b436626dd2ea1e541de38effc0e2a646ec2aaf6f1b2b04c2012f
Instruction Fuzzy Hash: ABF049B5200301ABDB216FA8DC49F963BAEEF8A762F104525FA45DA251CA71DD818A60

Function 00681014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0068102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00681036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00681045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0068104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00681062

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 62192787130348df130d7c7ec52527cea617b2f552bae6c8faf5e886dada65fc
Instruction ID: 11c19ea80137412989108c46af8af470f504986b3a83453568d4dbeadcb33105
Opcode Fuzzy Hash: 62192787130348df130d7c7ec52527cea617b2f552bae6c8faf5e886dada65fc
Instruction Fuzzy Hash: 12F04FB5100305ABD7216FA4EC49F973BAEEF8A761F100515FA45DA250CA71D9C18A60

Function 0069030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0069017D,?,006932FC,?,00000001,00662592,?), ref: 00690324
CloseHandle.KERNEL32(?,?,?,?,0069017D,?,006932FC,?,00000001,00662592,?), ref: 00690331
CloseHandle.KERNEL32(?,?,?,?,0069017D,?,006932FC,?,00000001,00662592,?), ref: 0069033E
CloseHandle.KERNEL32(?,?,?,?,0069017D,?,006932FC,?,00000001,00662592,?), ref: 0069034B
CloseHandle.KERNEL32(?,?,?,?,0069017D,?,006932FC,?,00000001,00662592,?), ref: 00690358
CloseHandle.KERNEL32(?,?,?,?,0069017D,?,006932FC,?,00000001,00662592,?), ref: 00690365

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 27914c2b0aff028a61b7be9e1ea1ec98e746f574d2fcec60f437d23af70cb703
Instruction ID: 62411db3befdb85d5145e53d6f7e72de0c1c991a9aceea3070cb5078f1774920
Opcode Fuzzy Hash: 27914c2b0aff028a61b7be9e1ea1ec98e746f574d2fcec60f437d23af70cb703
Instruction Fuzzy Hash: 9D01A276800B169FDB309F66D880452F7FABF503153158A3FD19652A31C371A955DF80

Function 0065D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0065D752

Part of subcall function 006529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0065D7D1,00000000,00000000,00000000,00000000,?,0065D7F8,00000000,00000007,00000000,?,0065DBF5,00000000), ref: 006529DE
Part of subcall function 006529C8: GetLastError.KERNEL32(00000000,?,0065D7D1,00000000,00000000,00000000,00000000,?,0065D7F8,00000000,00000007,00000000,?,0065DBF5,00000000,00000000), ref: 006529F0

_free.LIBCMT ref: 0065D764
_free.LIBCMT ref: 0065D776
_free.LIBCMT ref: 0065D788
_free.LIBCMT ref: 0065D79A

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 91938717bf488f1fdb66accf3833ffc97ffe124b46cce63d330c1d79e63b6ab4
Instruction ID: 3e3585209a10c98f3a5e540aa9b5e8320489069ef8354d77f30535f97f52caec
Opcode Fuzzy Hash: 91938717bf488f1fdb66accf3833ffc97ffe124b46cce63d330c1d79e63b6ab4
Instruction Fuzzy Hash: C4F04F32500349ABC675EB65F9C1C9A7BDFBB09722FA41809F848EB642C720FC848664

Function 00685C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00685C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00685C6F
MessageBeep.USER32(00000000), ref: 00685C87
KillTimer.USER32(?,0000040A), ref: 00685CA3
EndDialog.USER32(?,00000001), ref: 00685CBD

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: f63e91f259a17b037242ec8ff4ea62b47492849ecbc532cf927b8033ffc37072
Instruction ID: e8193fa325f6d2308fd0a5b3c7a38444adbb2ddaa1b44bc26c78b7c21e9865b6
Opcode Fuzzy Hash: f63e91f259a17b037242ec8ff4ea62b47492849ecbc532cf927b8033ffc37072
Instruction Fuzzy Hash: FC018670500B14ABEB216B14DD4EFE677BABB00B05F00275DB583A14E1EBF0AA848F91

Function 006522A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006522BE

Part of subcall function 006529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0065D7D1,00000000,00000000,00000000,00000000,?,0065D7F8,00000000,00000007,00000000,?,0065DBF5,00000000), ref: 006529DE
Part of subcall function 006529C8: GetLastError.KERNEL32(00000000,?,0065D7D1,00000000,00000000,00000000,00000000,?,0065D7F8,00000000,00000007,00000000,?,0065DBF5,00000000,00000000), ref: 006529F0

_free.LIBCMT ref: 006522D0
_free.LIBCMT ref: 006522E3
_free.LIBCMT ref: 006522F4
_free.LIBCMT ref: 00652305

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f9d67eb8bc382b2af9d38d5e42144496f0cbee5119208fba8d01448446074170
Instruction ID: fd2f9e67602c9f4b17b4107c5d9e4a4b23d7993f7741a4f79db4e196d63ffed6
Opcode Fuzzy Hash: f9d67eb8bc382b2af9d38d5e42144496f0cbee5119208fba8d01448446074170
Instruction Fuzzy Hash: E8F05B744012129BC752AF55BC518A93F57F716B62F00250AFC20EB371C7310655DFD8

Function 006395C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 006395D4
StrokeAndFillPath.GDI32(?,?,006771F7,00000000,?,?,?), ref: 006395F0
SelectObject.GDI32(?,00000000), ref: 00639603
DeleteObject.GDI32 ref: 00639616
StrokePath.GDI32(?), ref: 00639631

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: d562f4c3748492e608c5886b52194b43590070540c8b43c684db905ed0c5e2f9
Instruction ID: d1853cf33eeffb8394773555ffe7174eddfbce67767a65d19f814923414fd6f9
Opcode Fuzzy Hash: d562f4c3748492e608c5886b52194b43590070540c8b43c684db905ed0c5e2f9
Instruction Fuzzy Hash: DCF0F630006208EBDB126F69ED187B93B67AB133B6F04A214E465591F0C7B18A91DFE0

Function 00650F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 006510F9
__freea.LIBCMT ref: 00651117

Part of subcall function 00651537: _free.LIBCMT ref: 0065154F

Strings

am/pm, xrefs: 0065117A
a/p, xrefs: 006511DE

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 6aafe3cde64e6cfd737cdfdc2b25d337aab7904df12760d3d29465b62b6c5b1b
Instruction ID: 983d37cc2b61f94cc737e0cce4cc2d89d74bc1df6a4426ce00e4d27756710e19
Opcode Fuzzy Hash: 6aafe3cde64e6cfd737cdfdc2b25d337aab7904df12760d3d29465b62b6c5b1b
Instruction Fuzzy Hash: 36D1F331900206DADB249F68C865BFAB7B3EF07702F28015AED019F751D7759E89CB91

Function 006A61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00640242: EnterCriticalSection.KERNEL32(006F070C,006F1884,?,?,0063198B,006F2518,?,?,?,006212F9,00000000), ref: 0064024D
Part of subcall function 00640242: LeaveCriticalSection.KERNEL32(006F070C,?,0063198B,006F2518,?,?,?,006212F9,00000000), ref: 0064028A

Part of subcall function 006400A3: __onexit.LIBCMT ref: 006400A9

__Init_thread_footer.LIBCMT ref: 006A6238

Part of subcall function 006401F8: EnterCriticalSection.KERNEL32(006F070C,?,?,00638747,006F2514), ref: 00640202
Part of subcall function 006401F8: LeaveCriticalSection.KERNEL32(006F070C,?,00638747,006F2514), ref: 00640235

Part of subcall function 0069359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 006935E4
Part of subcall function 0069359C: LoadStringW.USER32(006F2390,?,00000FFF,?), ref: 0069360A

Strings

x#o, xrefs: 006A6353
x#o, xrefs: 006A636F
x#o, xrefs: 006A633A

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#o$x#o$x#o
API String ID: 1072379062-639736625
Opcode ID: 34ad114ab11efd3716f670865f4baf75b661c437ef73e5f406325b394dc8cd61
Instruction ID: ead68a107fdfd4ab7516114ae4fb101e297e794a4265648f6adcc9ed2a564a29
Opcode Fuzzy Hash: 34ad114ab11efd3716f670865f4baf75b661c437ef73e5f406325b394dc8cd61
Instruction Fuzzy Hash: 6BC15C71A00109AFDB14EF98C891EBEB7BAEF49310F148069FA159B291DB70ED45CF94

Function 00655AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOb, xrefs: 00655BA8, 00655C6C

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID:
String ID: JOb
API String ID: 0-1443988154
Opcode ID: e2e4da3dff07e4827174f99c26d2502d134a8c3e020c73d387cf99294a1bdd7c
Instruction ID: 88fbdd50fc2cdb43981b82dbca436836123512af319165952577788ad3f54694
Opcode Fuzzy Hash: e2e4da3dff07e4827174f99c26d2502d134a8c3e020c73d387cf99294a1bdd7c
Instruction Fuzzy Hash: CC51B171D0060A9FDF109FA8C86DEEE7BB6AF05312F14015DFC06AB291D6719A09CB65

Function 00658A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00658B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00658B7A
__dosmaperr.LIBCMT ref: 00658B81

Strings

.d, xrefs: 00658A63

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .d
API String ID: 2434981716-3816422287
Opcode ID: 562a6595b7e47f651597ecf8d515f8dafedd738e3c85e13a9e2ba598187c0c0b
Instruction ID: 44f83e24502aaf8fae710ca36be4d790a33bd5986dd11bb540df5754e42d4cb5
Opcode Fuzzy Hash: 562a6595b7e47f651597ecf8d515f8dafedd738e3c85e13a9e2ba598187c0c0b
Instruction Fuzzy Hash: 03416CB0604145AFDB249F64CC81ABD7FEBDB85305F2841A9FC85ABA52DE318D078794

Function 00682716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0068B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006821D0,?,?,00000034,00000800,?,00000034), ref: 0068B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00682760

Part of subcall function 0068B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006821FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0068B3F8

Part of subcall function 0068B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0068B355
Part of subcall function 0068B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00682194,00000034,?,?,00001004,00000000,00000000), ref: 0068B365
Part of subcall function 0068B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00682194,00000034,?,?,00001004,00000000,00000000), ref: 0068B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006827CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0068281A

Strings

@, xrefs: 00682832

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 0aa52c708bbf70337a8c6e71d139556fb2f37132b2caddfd5d6f8e7f07dbc90c
Instruction ID: 35da935687e3df01df8fe08c66dd78e24114399de705c12781249242fc6b0c23
Opcode Fuzzy Hash: 0aa52c708bbf70337a8c6e71d139556fb2f37132b2caddfd5d6f8e7f07dbc90c
Instruction Fuzzy Hash: 25413C72900218BFDB10EBA4CD56AEEBBB9AF09300F005159FA55B7181DB706E85CBA1

Function 0065172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\NEWORDER.exe,00000104), ref: 00651769
_free.LIBCMT ref: 00651834
_free.LIBCMT ref: 0065183E

Strings

C:\Users\user\Desktop\NEWORDER.exe, xrefs: 00651760, 00651767, 00651796, 006517CE

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\NEWORDER.exe
API String ID: 2506810119-4249851805
Opcode ID: db69577cfc8c3a444737a484c99f48c01afd17b7307793d7c855ce801b86d871
Instruction ID: 1bbdc7c640bd06b444cd4e204810d113425a05e139d4be3e2a68102308d12083
Opcode Fuzzy Hash: db69577cfc8c3a444737a484c99f48c01afd17b7307793d7c855ce801b86d871
Instruction Fuzzy Hash: BA318375A00218EBDB21DB999C81EDEBBBEEB86351F10416AF8149B311D6704E44CB94

Function 0068C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0068C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0068C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,006F1990,01174D88), ref: 0068C395

Strings

0, xrefs: 0068C2DF

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: b4c6b7a8744b7564ad2f73b893b72f188249b7fd855c5b564df983e67da96e58
Instruction ID: 775eeeec0381753a3a9e697a5aececfac0989278253d053d3309a45618f6817e
Opcode Fuzzy Hash: b4c6b7a8744b7564ad2f73b893b72f188249b7fd855c5b564df983e67da96e58
Instruction Fuzzy Hash: 8141AD712043019FD720EF24D884B5ABBEAEF85320F148B2DF8A5973D1D770A906CB66

Function 006B4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,006BCC08,00000000,?,?,?,?), ref: 006B44AA
GetWindowLongW.USER32 ref: 006B44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 006B44D7

Strings

SysTreeView32, xrefs: 006B447C

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: cb0dd04194a53ad75860a7609d0a6267b4a6154511a774b36a5db2204f2ba15c
Instruction ID: 5c7ccafa05950906686a00ae8c8eb956fc809afc56d6d40ed5228242bfd5d4d7
Opcode Fuzzy Hash: cb0dd04194a53ad75860a7609d0a6267b4a6154511a774b36a5db2204f2ba15c
Instruction Fuzzy Hash: 213181B2110605AFDB208E38DC45BEA77AAEB09334F204719F975922D1DB70ECA19B60

Function 00686E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00686EED
VariantCopyInd.OLEAUT32(?,?), ref: 00686F08
VariantClear.OLEAUT32(?), ref: 00686F12

Strings

*jh, xrefs: 00686E8B, 00686E90, 00686EF8

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jh
API String ID: 2173805711-383807587
Opcode ID: 2dfda15053f73adcc55764c95b72025e606f2eb39057033b995fd443e7743024
Instruction ID: d7149a7852104b2851b52bf36804c1e9f164d4237b0f2235cb78497238b13cbe
Opcode Fuzzy Hash: 2dfda15053f73adcc55764c95b72025e606f2eb39057033b995fd443e7743024
Instruction Fuzzy Hash: 6F318F72604655DBCB05BFA5E8519BE77B7EF89300B1006A8FA025B2B1CB34DA12DB94

Function 006A304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006A335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,006A3077,?,?), ref: 006A3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 006A307A
_wcslen.LIBCMT ref: 006A309B
htons.WSOCK32(00000000,?,?,00000000), ref: 006A3106

Strings

255.255.255.255, xrefs: 006A3095, 006A309A

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: d3138df0a8103feb77b638ac8f35c9149e7a4bd5a09d73b5e1d701882efc085b
Instruction ID: 423e4e309e0d8ba6172d8d56089faada6ae0370567324b8b58ad3a60c5817cad
Opcode Fuzzy Hash: d3138df0a8103feb77b638ac8f35c9149e7a4bd5a09d73b5e1d701882efc085b
Instruction Fuzzy Hash: F431C4752042159FCB10EF68C586EA977E2EF56318F248059F8158B392DB31EE41CB70

Function 006B4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 006B4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 006B4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 006B471A

Strings

msctls_updown32, xrefs: 006B4684

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 61d45f784e6958889b582009f2a4c38fe161ad81d427f52da3ff3518f89ad842
Instruction ID: 44730c12d13b3c3bdada3981129e197454245c265eaeae570aedeaa6540b5fb5
Opcode Fuzzy Hash: 61d45f784e6958889b582009f2a4c38fe161ad81d427f52da3ff3518f89ad842
Instruction Fuzzy Hash: 62212AF5601219AFDB10DF68DC91DF637AEEB5A3A4B040159FA009B352DB71EC51CBA0

Function 006895AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0068961D

Strings

#requireadmin, xrefs: 006895D9
#OnAutoItStartRegister, xrefs: 006895F3
#notrayicon, xrefs: 006895B7

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: ff73a85bf49e3772d338eb380a23c54868ccfc0dfce3f1c41066247ddfaf5931
Instruction ID: a5d1d875a9fa27b0850bfca3a20991f7a4239b8eb4edc3df1b3c513a4ca0c4b6
Opcode Fuzzy Hash: ff73a85bf49e3772d338eb380a23c54868ccfc0dfce3f1c41066247ddfaf5931
Instruction Fuzzy Hash: 23210872204521A6D331BB249C02FFB739B9F51310F18452AF94997242FB919D82C3F9

Function 006B37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 006B3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 006B3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 006B3876

Strings

Listbox, xrefs: 006B380F

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 52130678dfe66a4340e739320ab3a66b74aa752887adb7874b9602b8ff1e36d5
Instruction ID: eb5507f0a3025c5cf7970f5c947e16001a53020621307b4efc255cfd9f4df4f0
Opcode Fuzzy Hash: 52130678dfe66a4340e739320ab3a66b74aa752887adb7874b9602b8ff1e36d5
Instruction Fuzzy Hash: BD2180B2710228BBEB118F55DC45EFB376FEF89760F118124F9059B290CA71DD9287A0

Function 006949F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00694A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00694A5C
SetErrorMode.KERNEL32(00000000,?,?,006BCC08), ref: 00694AD0

Strings

%lu, xrefs: 00694A6F

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 4312c516b2b3cb89be1ef0a9c1fa8f1714e8de72a4e028f0835f1da439b22057
Instruction ID: 75404003e722d889cd4a3c65a39877cf4c9cfac564fc5662b1b4f8cfcb5be607
Opcode Fuzzy Hash: 4312c516b2b3cb89be1ef0a9c1fa8f1714e8de72a4e028f0835f1da439b22057
Instruction Fuzzy Hash: 5D317371A00109AFDB50DF54C885EAA7BFAEF44318F1480A9F505EB352DB71EE46CB61

Function 006B41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 006B424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 006B4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 006B4271

Strings

msctls_trackbar32, xrefs: 006B4226

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 0c74f0dfedce94dd0b0878f2d49d838c184253d6d35ab58531f9db1c11bb65bf
Instruction ID: 4f2bc3f0f48e7b667f6724565922efc8a6e8d57666ea806f26977eebbf35946f
Opcode Fuzzy Hash: 0c74f0dfedce94dd0b0878f2d49d838c184253d6d35ab58531f9db1c11bb65bf
Instruction Fuzzy Hash: 4011E3B1240248BEEF205F29CC06FFB3BAEEF95B64F010114FA55E6191D671DC919B50

Function 00682F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00626B57: _wcslen.LIBCMT ref: 00626B6A

Part of subcall function 00682DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00682DC5
Part of subcall function 00682DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00682DD6
Part of subcall function 00682DA7: GetCurrentThreadId.KERNEL32 ref: 00682DDD
Part of subcall function 00682DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00682DE4

GetFocus.USER32 ref: 00682F78

Part of subcall function 00682DEE: GetParent.USER32(00000000), ref: 00682DF9

GetClassNameW.USER32(?,?,00000100), ref: 00682FC3
EnumChildWindows.USER32(?,0068303B), ref: 00682FEB

Strings

%s%d, xrefs: 00682FFF

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: aa4c73de2726b93d2271e9dde69fe1a845aa795255ca6a34f091226a7c3694f1
Instruction ID: 7b5eaada050ec4fac13257719ab2a237ded7b1cff4f1ec50e47a6e008c386ea8
Opcode Fuzzy Hash: aa4c73de2726b93d2271e9dde69fe1a845aa795255ca6a34f091226a7c3694f1
Instruction Fuzzy Hash: 6E1106B16002156BCF507F70DC95EED376BAF84314F044179FD09AB252DE309A458B74

Function 006B5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 006B58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 006B58EE
DrawMenuBar.USER32(?), ref: 006B58FD

Strings

0, xrefs: 006B588F

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: bc144a84ef67fc40533ecfb2228247f308245f68982105555b50deca796895d2
Instruction ID: 1bc7c03c01c0660b6f223f8a78eb9f621bacc48bc9299e3a79aa0f83684fd895
Opcode Fuzzy Hash: bc144a84ef67fc40533ecfb2228247f308245f68982105555b50deca796895d2
Instruction Fuzzy Hash: 4D016172500258EFDB619F11DC44BEEBBB6FB45360F14809AE849D6251DB308AD4DF61

Function 0067D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0067D3BF
FreeLibrary.KERNEL32 ref: 0067D3E5

Strings

X64, xrefs: 0067D2A8
GetSystemWow64DirectoryW, xrefs: 0067D3B9

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 876f49ee32a643a57bc4d67e686fd2891bcdcf6cefd65cd742e2583ba3b3ba11
Instruction ID: 82e400e4e839e0869f852fdfc925eba2b364e48c9d3ff6bb6f3329eb024c48fd
Opcode Fuzzy Hash: 876f49ee32a643a57bc4d67e686fd2891bcdcf6cefd65cd742e2583ba3b3ba11
Instruction Fuzzy Hash: 91F05CB18016219BC3314B148C549A97737AF11B10F56CA54F50DF6142D760CF8387D2

Function 0068007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ea2c158d863c9a3c90bb2f7f0214cb8f311b901f76dbeadfed2da8e58fde883
Instruction ID: 70de129218e98401bad0ec13689dc1c47530c6988e829cb886da4b5970060248
Opcode Fuzzy Hash: 3ea2c158d863c9a3c90bb2f7f0214cb8f311b901f76dbeadfed2da8e58fde883
Instruction Fuzzy Hash: 09C18E75A00216EFEB54DF94C898EAEB7B6FF48314F108A98E405EB251C771EE45CB90

Function 006A342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006A3459
CoUninitialize.OLE32 ref: 006A3463
VariantInit.OLEAUT32(?), ref: 006A346E
VariantClear.OLEAUT32(?), ref: 006A371B

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 597e495c0128b1c09feffb7d52c11df807e22d59a34f3d8f9ee586192702edbf
Instruction ID: f4d6c3d06280d7b045013ed0a31dd45f181342fd486a50ef6932883935bd44fe
Opcode Fuzzy Hash: 597e495c0128b1c09feffb7d52c11df807e22d59a34f3d8f9ee586192702edbf
Instruction Fuzzy Hash: 42A12B756046109FC740EF28C585A2AB7E6FF89714F14885DF98AAB362DB30EE01CF95

Function 00680436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,006BFC08,?), ref: 006805F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,006BFC08,?), ref: 00680608
CLSIDFromProgID.OLE32(?,?,00000000,006BCC40,000000FF,?,00000000,00000800,00000000,?,006BFC08,?), ref: 0068062D
_memcmp.LIBVCRUNTIME ref: 0068064E

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 5458cf6de4988e873f227b897c45780f68bf6d65ab9a7d14d4aac19ac9e02d15
Instruction ID: 522978220dff8889cdd8b7c31048121b8a30aa5cf5ef1b8915c72acc6d67f3ae
Opcode Fuzzy Hash: 5458cf6de4988e873f227b897c45780f68bf6d65ab9a7d14d4aac19ac9e02d15
Instruction Fuzzy Hash: 30812B71A00109EFDB44DF94C984EEEB7BAFF89315F204558E506AB250DB71AE4ACF60

Function 00661391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006614C0

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9c88c6d287e3637fd44bd129d42f10863934e36fbdd58b33d2eb60b2e7f97f79
Instruction ID: 3293a8879b892e376dcba7a4d5eb0bcb059e1cf7196aa52c258fa9ee2977fef3
Opcode Fuzzy Hash: 9c88c6d287e3637fd44bd129d42f10863934e36fbdd58b33d2eb60b2e7f97f79
Instruction Fuzzy Hash: 2D413B31A00111ABDB61AFF98C466FE3AE7EF43370F1C4229F819DB391EA74894153A5

Function 006B6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0117EA40,?), ref: 006B62E2
ScreenToClient.USER32(?,?), ref: 006B6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 006B6382

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: c4f3f4fe1ffa242771a76490a56523c5202fc673ac2433de152245e4f882c40a
Instruction ID: bad3820dcf006763e5e613c9309c22a20289f6176d3455fecd1ac10204b49c14
Opcode Fuzzy Hash: c4f3f4fe1ffa242771a76490a56523c5202fc673ac2433de152245e4f882c40a
Instruction Fuzzy Hash: 36510AB4900209EFDB10DF58D8819EE7BF6EF55360F109269F9159B290D774AE81CB90

Function 006A1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 006A1AFD
WSAGetLastError.WSOCK32 ref: 006A1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 006A1B8A
WSAGetLastError.WSOCK32 ref: 006A1B94

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 93ab7fa23e50381e37823404a702faef54ec87c52cb4cb67ca05a64d0499b82a
Instruction ID: 04a6d5eafc34e68fc4c08e6fb9bb44d4a72de83c9b32703b636855c7e5bcb9e9
Opcode Fuzzy Hash: 93ab7fa23e50381e37823404a702faef54ec87c52cb4cb67ca05a64d0499b82a
Instruction Fuzzy Hash: 5C41D034600610AFE720AF20D886F6977E6AF49718F54844CF91A9F7D3D772ED428B90

Function 0065B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a7a000f8fedf8bfaece8e3f14ccc79be536386ae47609eaa6038fb878b92e1f
Instruction ID: e8d27cf977ab6992b7215d0d4c638b797fbb1fc773af45397f173e7e4a0f244a
Opcode Fuzzy Hash: 5a7a000f8fedf8bfaece8e3f14ccc79be536386ae47609eaa6038fb878b92e1f
Instruction Fuzzy Hash: 7E410672A00314AFD7249F78CC41BAABBFBEF88711F20452EF941DB282D77199058784

Function 006956D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00695783
GetLastError.KERNEL32(?,00000000), ref: 006957A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 006957CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 006957FA

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 767f3eca2c5bac2fe1946968485fb382aff9a3a25a4c413f78c768e8a141d42d
Instruction ID: 386fe6fd595afe36dd0f98af924607b57730f6947b1e2f7a38576c90e2984e20
Opcode Fuzzy Hash: 767f3eca2c5bac2fe1946968485fb382aff9a3a25a4c413f78c768e8a141d42d
Instruction Fuzzy Hash: 78411A35600A20DFCB11EF55D544A5EBBE6EF89320B188488E84AAB762CB31FD40CF95

Function 0065D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00646D71,00000000,00000000,006482D9,?,006482D9,?,00000001,00646D71,?,00000001,006482D9,006482D9), ref: 0065D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0065D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0065D9AB
__freea.LIBCMT ref: 0065D9B4

Part of subcall function 00653820: RtlAllocateHeap.NTDLL(00000000,?,006F1444,?,0063FDF5,?,?,0062A976,00000010,006F1440,006213FC,?,006213C6,?,00621129), ref: 00653852

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 38caacae2351ac5fdc075911663d4346c3d6b7b460f791b54c6552133de7a779
Instruction ID: 67965fa75055fecd2838198afab2afe23bf1800806743f284166efe910882b13
Opcode Fuzzy Hash: 38caacae2351ac5fdc075911663d4346c3d6b7b460f791b54c6552133de7a779
Instruction Fuzzy Hash: 4431CE72A0020AABDF24DF64DC41EEE7BA6EB41311F050268FC04E6291EB35CD58CB90

Function 006B52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 006B5352
GetWindowLongW.USER32(?,000000F0), ref: 006B5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 006B5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006B53A8

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 141f3e23d518df5562b346728c07a46d49d4992ceddb2c7b1298f2fbcec936a6
Instruction ID: 4cd64890e7e4c35f93154907234f44dea0e3fc118e8e380597359880c39dd0ee
Opcode Fuzzy Hash: 141f3e23d518df5562b346728c07a46d49d4992ceddb2c7b1298f2fbcec936a6
Instruction Fuzzy Hash: 0A31D2B0A55A08EFEB309F14CC15FE837E7AB05390F585101FA12963E1E7B599C1DB82

Function 0068AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 0068ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0068AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0068AC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 0068ACC6

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 915a809d231d6a1e1173fef096828d319a473c108ee057a5c6224b557b60b213
Instruction ID: 67e68ec4b8ed718b4785e860bcbb39a4dfd59b69b190d57a23d82ff6e1fcc912
Opcode Fuzzy Hash: 915a809d231d6a1e1173fef096828d319a473c108ee057a5c6224b557b60b213
Instruction Fuzzy Hash: 20310870A406186FFF35EBA58C04BFA7BB7AB49320F08431FE985522D1D3758A858762

Function 006B7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 006B769A
GetWindowRect.USER32(?,?), ref: 006B7710
PtInRect.USER32(?,?,006B8B89), ref: 006B7720
MessageBeep.USER32(00000000), ref: 006B778C

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: e6bd2ac119d69eb03aaf2bd9e1f80ffb0c2ac2691bb8167bd5a6eacba04d2f05
Instruction ID: a3a2c820510030e0702e633e9f0e09478fdd0a2f84ced6d72c3c979ab7f2eaa1
Opcode Fuzzy Hash: e6bd2ac119d69eb03aaf2bd9e1f80ffb0c2ac2691bb8167bd5a6eacba04d2f05
Instruction Fuzzy Hash: FD41BCB4A09214DFCB11CF58D884EE9B7F6FB89310F1841B8E5159B361DB30E982CB90

Function 006B16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 006B16EB

Part of subcall function 00683A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00683A57
Part of subcall function 00683A3D: GetCurrentThreadId.KERNEL32 ref: 00683A5E
Part of subcall function 00683A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006825B3), ref: 00683A65

GetCaretPos.USER32(?), ref: 006B16FF
ClientToScreen.USER32(00000000,?), ref: 006B174C
GetForegroundWindow.USER32 ref: 006B1752

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 2098d4fbcdd8d13fa1501682394fecde895a2101f2155d373dbb747c0e1a8536
Instruction ID: 56a8b8ee9b82a28e579eabf227ea2710cdbafe55f5200dbc0e4b6aac333c25c4
Opcode Fuzzy Hash: 2098d4fbcdd8d13fa1501682394fecde895a2101f2155d373dbb747c0e1a8536
Instruction Fuzzy Hash: A93150B1D00159AFC700EFA9D881CEEB7FAEF49304B50806DE415E7211DA319E45CFA0

Function 0068D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0068D501
Process32FirstW.KERNEL32(00000000,?), ref: 0068D50F
Process32NextW.KERNEL32(00000000,?), ref: 0068D52F
CloseHandle.KERNEL32(00000000), ref: 0068D5DC

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 5b133f21926cf7411af7aafd9730a251d5bf2f8af0e5eea4ae28c4b97ca6c252
Instruction ID: 76f7cef5a44e2fb4fec8f66e12c3640aa7bd4a9b935395646cb04e1ca00b4f93
Opcode Fuzzy Hash: 5b133f21926cf7411af7aafd9730a251d5bf2f8af0e5eea4ae28c4b97ca6c252
Instruction Fuzzy Hash: DE31A7711083009FD304EF54D885AAFBBF9EFD9354F14092DF581962A1EB719A45CBA3

Function 006B8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00639BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00639BB2

GetCursorPos.USER32(?), ref: 006B9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00677711,?,?,?,?,?), ref: 006B9016
GetCursorPos.USER32(?), ref: 006B905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00677711,?,?,?), ref: 006B9094

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: f7e100b728a26ed0fe0848867e3433470655dc5360fbc59236901585f6cd79d3
Instruction ID: 20c52258684904883cf544750acac0fb4229559d716bc28410aec17c73713ae7
Opcode Fuzzy Hash: f7e100b728a26ed0fe0848867e3433470655dc5360fbc59236901585f6cd79d3
Instruction Fuzzy Hash: 0B219F75600018EFCB299F94CC98EFA7BBBEB4A360F044159FA054B261C3719990DBB0

Function 0068D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,006BCB68), ref: 0068D2FB
GetLastError.KERNEL32 ref: 0068D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0068D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,006BCB68), ref: 0068D376

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: e512999c62b49eca5c85e935cf979a6d8fc891dd7bdb363dd11b28429a6038f1
Instruction ID: 6937f051e28a97223aaada02fa73058d5010f46f8c4052cb8fb65b942ec3d98c
Opcode Fuzzy Hash: e512999c62b49eca5c85e935cf979a6d8fc891dd7bdb363dd11b28429a6038f1
Instruction Fuzzy Hash: 0A2180705046019FC710EF24D8814AEB7E5AE9A364F104B1DF499C72E1DB30DA46CBA7

Function 00681571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00681014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0068102A
Part of subcall function 00681014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00681036
Part of subcall function 00681014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00681045
Part of subcall function 00681014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0068104C
Part of subcall function 00681014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00681062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006815BE
_memcmp.LIBVCRUNTIME ref: 006815E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00681617
HeapFree.KERNEL32(00000000), ref: 0068161E

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 4de8945a17c6fbd48c09a65d7a1ad425e10e9b3e1160d9641bf88bc640985c23
Instruction ID: b40588b0f815f1fbad4ecd7f3ade79f4d68cc8d3473cbe1c0659e135acd3b6c5
Opcode Fuzzy Hash: 4de8945a17c6fbd48c09a65d7a1ad425e10e9b3e1160d9641bf88bc640985c23
Instruction Fuzzy Hash: F921AF71E00108EFDF10EFA4C945BEEB7BAFF45354F084659E441AB241E730AA86DBA0

Function 006B2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 006B280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 006B2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 006B2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 006B2840

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: f348d757e273bbfea26cf4ec2b07c65947bee203bdc67d914bc0130f4bd5495c
Instruction ID: fb54b7553295980c502a3a7b5286b0601f3f647868ca4fdf8ea72b48e4ed32f7
Opcode Fuzzy Hash: f348d757e273bbfea26cf4ec2b07c65947bee203bdc67d914bc0130f4bd5495c
Instruction Fuzzy Hash: 63219071204512AFD7149B24C855FEA7B9AAF85324F148258F4268B6A2CB71FD82CB94

Function 006878F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00688D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0068790A,?,000000FF,?,00688754,00000000,?,0000001C,?,?), ref: 00688D8C
Part of subcall function 00688D7D: lstrcpyW.KERNEL32(00000000,?,?,0068790A,?,000000FF,?,00688754,00000000,?,0000001C,?,?,00000000), ref: 00688DB2
Part of subcall function 00688D7D: lstrcmpiW.KERNEL32(00000000,?,0068790A,?,000000FF,?,00688754,00000000,?,0000001C,?,?), ref: 00688DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00688754,00000000,?,0000001C,?,?,00000000), ref: 00687923
lstrcpyW.KERNEL32(00000000,?,?,00688754,00000000,?,0000001C,?,?,00000000), ref: 00687949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00688754,00000000,?,0000001C,?,?,00000000), ref: 00687984

Strings

cdecl, xrefs: 0068797B

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 0c573463099ea04aed4d0c4392c421a0564abcc80f2680c8a65400280557bf68
Instruction ID: 042a4148287658f527405ac9f13e3fddd9132dbe8359c19619016c50b808364b
Opcode Fuzzy Hash: 0c573463099ea04aed4d0c4392c421a0564abcc80f2680c8a65400280557bf68
Instruction Fuzzy Hash: 7F11E43A200202AFCF15AF39C844DBA77AAEF55390B50412AF942C7364EF31D901C791

Function 006B7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 006B7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 006B7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 006B7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0069B7AD,00000000), ref: 006B7D6B

Part of subcall function 00639BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00639BB2

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: a5466d8b01854aafd0216a314f39e1533dc353baa123e374baa012e1cdbfafba
Instruction ID: dbf155c2a7b4139475c8816082c42ad86a44ed07eac76bd7a24ee33b22c15bfa
Opcode Fuzzy Hash: a5466d8b01854aafd0216a314f39e1533dc353baa123e374baa012e1cdbfafba
Instruction Fuzzy Hash: 2C1163B15156159FCB109F28CC04AF63BA6AF863B0B155724F835DB2F0E7319991DB90

Function 006B5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 006B56BB
_wcslen.LIBCMT ref: 006B56CD
_wcslen.LIBCMT ref: 006B56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 006B5816

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 31e53ba2930aff6976394822eff95f6d3eb9974c3ae7e64ee4a5cb19dc597583
Instruction ID: 1ed5ada1badefa49168ed76d7df7ab2a98665ff4d8cfe9d17fcdec08824f0179
Opcode Fuzzy Hash: 31e53ba2930aff6976394822eff95f6d3eb9974c3ae7e64ee4a5cb19dc597583
Instruction Fuzzy Hash: AC11D6B1600618AADF209F61CC85BEE77ADEF11764F10412AF916D6182EB70CAC1CB64

Function 00651D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe2efbec583e81c9cf3a0b048fea5f776e46be1412e272d74ca1979fc1dbbea3
Instruction ID: ddedd13516e222eafcdb13286d425a6d15ed9907e19d8f7261a18078dbfa36fb
Opcode Fuzzy Hash: fe2efbec583e81c9cf3a0b048fea5f776e46be1412e272d74ca1979fc1dbbea3
Instruction Fuzzy Hash: 0201A7B22096163EF76116786CC0FA7672FDF827BAF30132AFD31652D2DB608C484164

Function 00681A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00681A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00681A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00681A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00681A8A

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 605053575ca9b7b53168eed3ee3dbee6987c5d8780374adf67c6a1d7cc0b3fcd
Instruction ID: c40b6fa05efe66557952bdc6e7ccee495262c1d4028836333e4e00e67d14b36d
Opcode Fuzzy Hash: 605053575ca9b7b53168eed3ee3dbee6987c5d8780374adf67c6a1d7cc0b3fcd
Instruction Fuzzy Hash: F5113C7AD01219FFEB10DBA4CD85FADBB79EB08750F200191E610B7290D6716E51DB94

Function 0068E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0068E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0068E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0068E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0068E24D

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: ad536f59946537bf17ea7e299316387bbf6824b5ccf3c9e0f332af8569388fb9
Instruction ID: 041e7863f48db79683aed8a92f0032b8a65502e42534fd27bf32e80758cb69f8
Opcode Fuzzy Hash: ad536f59946537bf17ea7e299316387bbf6824b5ccf3c9e0f332af8569388fb9
Instruction Fuzzy Hash: 041108B2D04214BBC701AFA89C15AAE7FAFAB46320F004325F914E3290D6B18A0087A0

Function 0064D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0064CFF9,00000000,00000004,00000000), ref: 0064D218
GetLastError.KERNEL32 ref: 0064D224
__dosmaperr.LIBCMT ref: 0064D22B
ResumeThread.KERNEL32(00000000), ref: 0064D249

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 69ad5899257e598c679ad5df8c980307a65fc63e253d3dcd747b134882a4f305
Instruction ID: f6018df3cfb9c5d5b060868152445be089d70f1eec46bbcb3b9fc09ea56a64ff
Opcode Fuzzy Hash: 69ad5899257e598c679ad5df8c980307a65fc63e253d3dcd747b134882a4f305
Instruction Fuzzy Hash: 5001D276C05214BBCB615BA5DC09BEF7AABDF81731F100319FA25922D0CBB0CA41C6A0

Function 0062600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0062604C
GetStockObject.GDI32(00000011), ref: 00626060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0062606A

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 46871881890922be2afa1695d8c37756ad2c43f97dc637d949dda1a6eda8e391
Instruction ID: d7e69deb866486397b9b4b1e9466499ea6a31dd1ac72d71aded73a4d70abf8f9
Opcode Fuzzy Hash: 46871881890922be2afa1695d8c37756ad2c43f97dc637d949dda1a6eda8e391
Instruction Fuzzy Hash: D2118EB2101918BFEF124FA4DD54EEA7B6AEF093A4F001215FA0456110D7329CA0EFA0

Function 00643B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00643B56

Part of subcall function 00643AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00643AD2
Part of subcall function 00643AA3: ___AdjustPointer.LIBCMT ref: 00643AED

_UnwindNestedFrames.LIBCMT ref: 00643B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00643B7C
CallCatchBlock.LIBVCRUNTIME ref: 00643BA4

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: e3b94c24c39c775a2dc3420d625d5d651d79271d6a20c2e9d9bcbabff67480d7
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 9D014C32100148BBDF126E95CC42EEB3F6EEF58754F044018FE4896221C732E961DBA4

Function 00653073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,006213C6,00000000,00000000,?,0065301A,006213C6,00000000,00000000,00000000,?,0065328B,00000006,FlsSetValue), ref: 006530A5
GetLastError.KERNEL32(?,0065301A,006213C6,00000000,00000000,00000000,?,0065328B,00000006,FlsSetValue,006C2290,FlsSetValue,00000000,00000364,?,00652E46), ref: 006530B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0065301A,006213C6,00000000,00000000,00000000,?,0065328B,00000006,FlsSetValue,006C2290,FlsSetValue,00000000), ref: 006530BF

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 38924edc9b2263cc16545a961fa6341a519191560cb03cec50b76999b8a3bf2a
Instruction ID: 1cf49a29fdb80913a1c086cb1721e63056a62218a00d5cc0296b65661947ff23
Opcode Fuzzy Hash: 38924edc9b2263cc16545a961fa6341a519191560cb03cec50b76999b8a3bf2a
Instruction Fuzzy Hash: 8801B172301332ABCB214A689C449A67B9AAB45FB2F100720FD05E7380C721DA4AC6E0

Function 00687464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0068747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00687497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 006874AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 006874CA

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 6ae170c7bf6f01c47af45351a7466c7b2734c206f213c1a8179b8e480cd8f0d5
Instruction ID: 9bf182642261bb1d6b83ab9b7a012e518aa7a54bafe2a9bbba8942b2f58d67db
Opcode Fuzzy Hash: 6ae170c7bf6f01c47af45351a7466c7b2734c206f213c1a8179b8e480cd8f0d5
Instruction Fuzzy Hash: D611ADB1209314ABE720EF54DC08B927FFEEB40B10F208669E656D6191D7B0EA44DB60

Function 0068B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0068ACD3,?,00008000), ref: 0068B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0068ACD3,?,00008000), ref: 0068B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0068ACD3,?,00008000), ref: 0068B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0068ACD3,?,00008000), ref: 0068B126

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: c1eb79609fb80f9b190adcb14aafb91f461c8304bd9cccd60810807c35bf1206
Instruction ID: 33feea6de6c961e6c142a585d933fc4202198e2a2baab7571d6314e1068e6827
Opcode Fuzzy Hash: c1eb79609fb80f9b190adcb14aafb91f461c8304bd9cccd60810807c35bf1206
Instruction Fuzzy Hash: 2F115E71C0151DD7CF00EFE8E9586EEBB79FF0A711F105296D981B6281CB3056518B51

Function 00682DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00682DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00682DD6
GetCurrentThreadId.KERNEL32 ref: 00682DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00682DE4

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: aa21f06964023f23d62099f8bdaaefa8c46ad6fa7e73130fa3a9a015486836b0
Instruction ID: 1295bd4681bc4f3212d0ee28bf954bc85b784abda42abf83cf55d5d9db6497f5
Opcode Fuzzy Hash: aa21f06964023f23d62099f8bdaaefa8c46ad6fa7e73130fa3a9a015486836b0
Instruction Fuzzy Hash: 47E092B25012247BD7202B729C0DFEB7F6EEF42BB1F001215F505D1080AAA0CA81D7B0

Function 006B8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00639639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00639693
Part of subcall function 00639639: SelectObject.GDI32(?,00000000), ref: 006396A2
Part of subcall function 00639639: BeginPath.GDI32(?), ref: 006396B9
Part of subcall function 00639639: SelectObject.GDI32(?,00000000), ref: 006396E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 006B8887
LineTo.GDI32(?,?,?), ref: 006B8894
EndPath.GDI32(?), ref: 006B88A4
StrokePath.GDI32(?), ref: 006B88B2

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 39636de3643d3dbe85382679661fa6734f083cab1d6fa6f14b53f0835a1648d2
Instruction ID: 64bfbd45871b21fd61da1171d84e495111db6741057ca5c92427b76fdeadb579
Opcode Fuzzy Hash: 39636de3643d3dbe85382679661fa6734f083cab1d6fa6f14b53f0835a1648d2
Instruction Fuzzy Hash: 02F05E76041259FBEB126F94AC0AFDE3F5BAF06320F048100FA11661E1C7B65691CFE9

Function 006398B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 006398CC
SetTextColor.GDI32(?,?), ref: 006398D6
SetBkMode.GDI32(?,00000001), ref: 006398E9
GetStockObject.GDI32(00000005), ref: 006398F1

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 2d7ccd5935b5586d8c568db1734079f565615fdd9f758101fa33d8df73b21ce7
Instruction ID: 2d35c05389b7133fd630df6a9552eb865c43096998dd81ab916e8e63e61f24a2
Opcode Fuzzy Hash: 2d7ccd5935b5586d8c568db1734079f565615fdd9f758101fa33d8df73b21ce7
Instruction Fuzzy Hash: 87E06571244240AADB215B7CAC09BD83F52AB12335F04C319F6F9581E1C77147909F20

Function 0068162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00681634
OpenThreadToken.ADVAPI32(00000000,?,?,?,006811D9), ref: 0068163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,006811D9), ref: 00681648
OpenProcessToken.ADVAPI32(00000000,?,?,?,006811D9), ref: 0068164F

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: a10eb438e6f9669787e6ecb8c36b6bf8b1306c3a1f69228a00e123a81748df18
Instruction ID: 45aeaef62c67d597a1939fef7cfc8b5342596b82c6068e0224d5c36e0747168c
Opcode Fuzzy Hash: a10eb438e6f9669787e6ecb8c36b6bf8b1306c3a1f69228a00e123a81748df18
Instruction Fuzzy Hash: A8E086B1601211DBD7302FA09D0DFC63B7EAF457A1F184918F285CD080E63446C1C760

Function 0067D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0067D858
GetDC.USER32(00000000), ref: 0067D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0067D882
ReleaseDC.USER32(?), ref: 0067D8A3

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7f9c957d30a532e04a830ebc533289f87e97cf941597eb92690c27ca340d3912
Instruction ID: b96196b03783abbb17cf122f8bb9854ace1dd930797e17c6ad956ff73c71efee
Opcode Fuzzy Hash: 7f9c957d30a532e04a830ebc533289f87e97cf941597eb92690c27ca340d3912
Instruction Fuzzy Hash: E4E01AB4C00204EFCB51AFA4D908A6DBBB3FF48320F109509E806E7250D7384A82AF51

Function 0067D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0067D86C
GetDC.USER32(00000000), ref: 0067D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0067D882
ReleaseDC.USER32(?), ref: 0067D8A3

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 5a3b3a027a2ef465346db6ec435fe3a2eba3644cffd119d054429149d892b1e4
Instruction ID: 4bbac6564f293e4a1126380332bab1afecc18fe19396c9eb748585069181a506
Opcode Fuzzy Hash: 5a3b3a027a2ef465346db6ec435fe3a2eba3644cffd119d054429149d892b1e4
Instruction Fuzzy Hash: FDE01AB4C00204DFCB50AFA4D808A6DBBB2BB48320F109108E906E7250D7385A419F50

Function 00694D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00627620: _wcslen.LIBCMT ref: 00627625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00694ED4

Strings

LPT, xrefs: 00694DFB
*, xrefs: 00694E10

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 6b1cffd001ede958995151d81b8366f79e120442094f673b536ac0eb5f5ff630
Instruction ID: 84473c76ead62da4aae0608f7650c3bd316665553e4df2e459dcd3b73a9dfbe8
Opcode Fuzzy Hash: 6b1cffd001ede958995151d81b8366f79e120442094f673b536ac0eb5f5ff630
Instruction Fuzzy Hash: C9916275A002159FCB14DF58C484EAABBF6BF84304F15809DE40A9F762DB31ED86CB91

Function 006A7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0067569E,00000000,?,006BCC08,?,00000000,00000000), ref: 006A78DD

Part of subcall function 00626B57: _wcslen.LIBCMT ref: 00626B6A

CharUpperBuffW.USER32(0067569E,00000000,?,006BCC08,00000000,?,00000000,00000000), ref: 006A783B

Strings

<sn, xrefs: 006A77C8

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sn
API String ID: 3544283678-2083038092
Opcode ID: a46c7ade6e524f62d8604b6d620be9ca9ba8e7750f73876a4b87f7da37d33c70
Instruction ID: bca1aa2d5d99869a39152ee94930269b8c672b4f51b4b1f13749816d35bb66d3
Opcode Fuzzy Hash: a46c7ade6e524f62d8604b6d620be9ca9ba8e7750f73876a4b87f7da37d33c70
Instruction Fuzzy Hash: 75614B72914129AACF44FBA4DC91DFEB37ABF19300B44452AF542A3191EF345E45CFA4

Function 0063E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0063E1B1

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: e751dc544ea726449692264f9d70fad1f4329e8faaefee48c5d4c2c96860bc34
Instruction ID: b6f279967e49adc39bd38de846083eaf1413bc1ba9394519dbec8ca7acaabde8
Opcode Fuzzy Hash: e751dc544ea726449692264f9d70fad1f4329e8faaefee48c5d4c2c96860bc34
Instruction Fuzzy Hash: 1D513635500246DFDB19DF68C481AFA7BA6EF19310F248099F8559B3D0D7369E47CBA0

Function 0063F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0063F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0063F2BB

Strings

@, xrefs: 0063F2AF

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 31b7d5561ded50ea99780e6ad3f2e4f66984dfb02de924fdb9a1229eca0d291d
Instruction ID: 658c1e5cab313e248dc857ad7eea7e3c436540aeb346f4d66e054552b79d3b30
Opcode Fuzzy Hash: 31b7d5561ded50ea99780e6ad3f2e4f66984dfb02de924fdb9a1229eca0d291d
Instruction Fuzzy Hash: 67515871408B449BD360AF50E886BAFBBF9FF84310F81885DF1D941195EB709529CB6B

Function 006A5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 006A57E0
_wcslen.LIBCMT ref: 006A57EC

Strings

CALLARGARRAY, xrefs: 006A57E6, 006A57EB

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: d731459fa6cfb46502ed8e5d20b3f2cac4f48eb853c7fafa517f34e3be7a4531
Instruction ID: c1c9ab46735f3fa9956d4ce241573d9da20af20ec7589a27cc168fa2e083af6a
Opcode Fuzzy Hash: d731459fa6cfb46502ed8e5d20b3f2cac4f48eb853c7fafa517f34e3be7a4531
Instruction Fuzzy Hash: 9A418E71A005199FCB14EFA8C8819EEBBB6FF5A320F14416DE506A7351E7349D81CFA4

Function 0069D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0069D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0069D13A

Strings

|, xrefs: 0069D10B

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: b5bd6bd2bf8733ff37cb4e851450a91665d04c4679599d106969ae01f8991cc6
Instruction ID: f91086d884efaff0506f684c65e59d07b2493cf368526e321fc82af97b18d5e2
Opcode Fuzzy Hash: b5bd6bd2bf8733ff37cb4e851450a91665d04c4679599d106969ae01f8991cc6
Instruction Fuzzy Hash: B5317E71C01219ABCF55EFA4DC85AEE7FBAFF04344F004029F815A6262DB31AA06DF64

Function 006B356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 006B3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 006B365C

Strings

static, xrefs: 006B35BC

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: aa8c3df6e4a07609005931f8f7d9c32af89237a20e61c4218150f026fac2d482
Instruction ID: 58e0bc0270e28521eb435487465718b70659b320379e66eb79a4a5cbc84abfeb
Opcode Fuzzy Hash: aa8c3df6e4a07609005931f8f7d9c32af89237a20e61c4218150f026fac2d482
Instruction Fuzzy Hash: E73192B1210614AEDB24DF68DC40EFB73AAFF48760F00961DF8A597280DA31AD81D764

Function 006B4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 006B461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006B4634

Strings

', xrefs: 006B458E

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: e0863e5ca6412a93cfc4d38823b7108301acadfa580c07b6d3011b21c3dcce58
Instruction ID: 3baa98ace71f417a326ff5bc6e510b739b1bb2e3c688385f60745201cc0a3fad
Opcode Fuzzy Hash: e0863e5ca6412a93cfc4d38823b7108301acadfa580c07b6d3011b21c3dcce58
Instruction Fuzzy Hash: 38313CB5A017199FDF14CF69C990BDA7BB6FF09340F104069E904AB342EB70A981CF90

Function 006B31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 006B327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006B3287

Strings

Combobox, xrefs: 006B3249

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 660db99d4c37d771785b4a6850cae513be617b8043ac116b06e160a2ec398bd0
Instruction ID: 012914c9e8b9e8c239cb2c70a949a478440bf584e781a986422c25ac9bf7eaa1
Opcode Fuzzy Hash: 660db99d4c37d771785b4a6850cae513be617b8043ac116b06e160a2ec398bd0
Instruction Fuzzy Hash: 9A11B2B13002187FEF219F94DC81EFB376BEB993A4F104228F91897391D6719E918760

Function 006B3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0062600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0062604C
Part of subcall function 0062600E: GetStockObject.GDI32(00000011), ref: 00626060
Part of subcall function 0062600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0062606A

GetWindowRect.USER32(00000000,?), ref: 006B377A
GetSysColor.USER32(00000012), ref: 006B3794

Strings

static, xrefs: 006B3757

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 65a6e3f712bc811f2206cd8c493144f60d6f5ffe6d14408469935acf46b33a97
Instruction ID: cdf71d13af222d6c3a12a3532d6789b9b970c828d4ab3a78d7ed94f4400f026f
Opcode Fuzzy Hash: 65a6e3f712bc811f2206cd8c493144f60d6f5ffe6d14408469935acf46b33a97
Instruction Fuzzy Hash: 151129B2610219AFDB00DFA8CC45EEA7BB9EB09354F005624F955E3250EB35E991DB60

Function 0069CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0069CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0069CDA6

Strings

<local>, xrefs: 0069CD66

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: cd5a24c2fbfbc2e22020d6f9b2b8efaae52655ebcb68ea497f395fc4fceb44e7
Instruction ID: 4ce2fc52eafd85d176850803b1c8333a9c294e34596fd8f1cf03d0f18e49ed74
Opcode Fuzzy Hash: cd5a24c2fbfbc2e22020d6f9b2b8efaae52655ebcb68ea497f395fc4fceb44e7
Instruction Fuzzy Hash: 2611C2B1205631BADB384B668C49EE7BEAEEF527B4F00423AB10983580D7709949D6F0

Function 006B3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 006B34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006B34BA

Strings

edit, xrefs: 006B348F

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 2866afa9ea5ef7110dcd5985bcc6418a15a4bd87163983a6ca11b3a711f398fb
Instruction ID: 9d04270ad70e0bd07794f4abbe8b149274a9763dcd492c2b4bc92673d7ee708e
Opcode Fuzzy Hash: 2866afa9ea5ef7110dcd5985bcc6418a15a4bd87163983a6ca11b3a711f398fb
Instruction Fuzzy Hash: C2116AB1200218ABEB228E68DC44AEB37ABEB05374F504324F961973E0C771DD919B60

Function 00686C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00629CB3: _wcslen.LIBCMT ref: 00629CBD

CharUpperBuffW.USER32(?,?,?), ref: 00686CB6
_wcslen.LIBCMT ref: 00686CC2

Strings

STOP, xrefs: 00686CBC, 00686CC1

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: b336fd1d374d938a6e2903cde45facc8c9fe1ea19df61caf5d1617680eafa795
Instruction ID: 14ed1304d4ffbf55c5288c6742cc6860d54f5f3136492afcb9ea08b860eac53e
Opcode Fuzzy Hash: b336fd1d374d938a6e2903cde45facc8c9fe1ea19df61caf5d1617680eafa795
Instruction Fuzzy Hash: E601A1326105268BCB21AEBDDC819FF77A7AF61710B100628F85296290EA71D9418B50

Function 00681CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00629CB3: _wcslen.LIBCMT ref: 00629CBD

Part of subcall function 00683CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00683CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00681D4C

Strings

ComboBox, xrefs: 00681CEB
ListBox, xrefs: 00681D16

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1fd19f79eca8ccc3cfa4625e7d2295bc5b6e4d90678acff1ed500d6f819240b2
Instruction ID: 80cbd0ac86497a0e5d1beadefef84d02db3fbbded056906f904eea02ad01ea32
Opcode Fuzzy Hash: 1fd19f79eca8ccc3cfa4625e7d2295bc5b6e4d90678acff1ed500d6f819240b2
Instruction Fuzzy Hash: 9F01B575601228ABCB18FBA4DD51DFE736AFF47350F040B1DA8226B3C1EA3059098B60

Function 00681BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00629CB3: _wcslen.LIBCMT ref: 00629CBD

Part of subcall function 00683CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00683CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00681C46

Strings

ComboBox, xrefs: 00681BE5
ListBox, xrefs: 00681C10

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 91a8c5d8b6b4b5c5f65edb9b011f3536ccde605388423ef0260df97ef8c9b5c6
Instruction ID: 261b764114009994c98989f7b917c1e62ab8059ecc4a3d328857c3e7e5782494
Opcode Fuzzy Hash: 91a8c5d8b6b4b5c5f65edb9b011f3536ccde605388423ef0260df97ef8c9b5c6
Instruction Fuzzy Hash: 0601A7B5B8111867CB08FB90DA61DFF77AEAB56340F14011DA40677281EA249F0987B5

Function 00681C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00629CB3: _wcslen.LIBCMT ref: 00629CBD

Part of subcall function 00683CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00683CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00681CC8

Strings

ComboBox, xrefs: 00681C69
ListBox, xrefs: 00681C94

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e6e3c2cf3961bf7fff4bad7ce237f8c83cb9ee6133e13943b5858352270246ea
Instruction ID: 5999ac82e2c33b924074d47a852ee2fa4fb4e3b97a588a3291e8141480311ac4
Opcode Fuzzy Hash: e6e3c2cf3961bf7fff4bad7ce237f8c83cb9ee6133e13943b5858352270246ea
Instruction Fuzzy Hash: 1401F9B5B8122867CB04FBA1DB11EFF73AEAB12380F140119B80277381EA649F09C775

Function 0063A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0063A529

Part of subcall function 00629CB3: _wcslen.LIBCMT ref: 00629CBD

Strings

3yg, xrefs: 0063A545, 0063A54D, 0063A552
,%o, xrefs: 0063A509

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%o$3yg
API String ID: 2551934079-4247039339
Opcode ID: 569406581b4ee971bfce4023255e5d0671de3223c304d11aca10dd752702b5bf
Instruction ID: 186c5d88d56db23f445fed11adb2657fd1b10e8cdd44b119f47c8b02c233699d
Opcode Fuzzy Hash: 569406581b4ee971bfce4023255e5d0671de3223c304d11aca10dd752702b5bf
Instruction Fuzzy Hash: 0C01F77170062557D604F7A8EC27AAD37A79B45720F50002CF641572C3DE609D019EEB

Function 00681D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00629CB3: _wcslen.LIBCMT ref: 00629CBD

Part of subcall function 00683CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00683CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00681DD3

Strings

ComboBox, xrefs: 00681D75
ListBox, xrefs: 00681DA0

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ecfa1340303e73d9dd4a6493aaf0b4f3b330effb99c97736af13a8b9e94deab3
Instruction ID: 51af893a0cb98350a814a05d6de8799d8abce536d3b9fa13c1b6cc85af00502b
Opcode Fuzzy Hash: ecfa1340303e73d9dd4a6493aaf0b4f3b330effb99c97736af13a8b9e94deab3
Instruction Fuzzy Hash: 44F0A471B4162867DB08F7A4DD62FFE777EAF42750F040A19B822773C1EA605A098B74

Function 006B8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,006F3018,006F305C), ref: 006B81BF
CloseHandle.KERNEL32 ref: 006B81D1

Strings

\0o, xrefs: 006B818A

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0o
API String ID: 3712363035-2561426684
Opcode ID: a851f5a106561afba76866a601397a41356122219aae98ad42cbbc7e135684dc
Instruction ID: 93597fc3396dc26d8088d9ccfbfa8e5d53f368157fb182ec1df16add2239d676
Opcode Fuzzy Hash: a851f5a106561afba76866a601397a41356122219aae98ad42cbbc7e135684dc
Instruction Fuzzy Hash: C4F089F1640324BFE3506B65AC45FB73A5EEB04754F401426BB08D62A2DA768F40C3F8

Function 006A747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006A7493
_wcslen.LIBCMT ref: 006A74B9

Strings

3, 3, 16, 1, xrefs: 006A7483

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 99beeb94b5d6efb22bba365f1436108586ae91e00cbc3b96bdb6438edf93aa0f
Instruction ID: 1317c762b4308e8bac51bdcc67fde4c07c1fbb27696c2d8e9e2614e0dd39fac9
Opcode Fuzzy Hash: 99beeb94b5d6efb22bba365f1436108586ae91e00cbc3b96bdb6438edf93aa0f
Instruction Fuzzy Hash: C9E0E502215220109371226A9CC2ABF57CBCFCA750710282EF981C2266EE949D92A3A4

Function 00680B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00680B23

Strings

AutoIt, xrefs: 00680B17
Error allocating memory., xrefs: 00680B1C

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 92e135ed369b388264a838e43f9e1d007a57d774582283546559708769a427f1
Instruction ID: 9e59536fb5f1d967c0015b93277cfd0ebaa04a107d4957f3a41ea7178b02de5b
Opcode Fuzzy Hash: 92e135ed369b388264a838e43f9e1d007a57d774582283546559708769a427f1
Instruction Fuzzy Hash: F9E0487224535837E2543B95BC07FC97B878F05B65F10042EFB58555C38EE2659047ED

Function 00640D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0063F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00640D71,?,?,?,0062100A), ref: 0063F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0062100A), ref: 00640D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0062100A), ref: 00640D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00640D7F

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 2935dc0e2469bb91603c9e8aa34f5331ca07a6190e9e19807dcfe8cd273f5b5d
Instruction ID: d170401d5b192ff2b864dc3f40d5f9d538f4f26bccf15e13f66a999c7ef591d2
Opcode Fuzzy Hash: 2935dc0e2469bb91603c9e8aa34f5331ca07a6190e9e19807dcfe8cd273f5b5d
Instruction Fuzzy Hash: 54E092B06007218BE3709FBCE8047927FE3BF04740F004A2DE582C6661DBB5E588CBA1

Function 0063E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0063E3D5

Strings

0%o, xrefs: 0063E3B5
8%o, xrefs: 0063E3CA

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%o$8%o
API String ID: 1385522511-1239035482
Opcode ID: 44ee4f4cc8ca3f750e07368b6a97d57456181fb6d44cfe2e2b8e4284527a01f6
Instruction ID: 3a7ef9eaa102bf3df5ec9042fa8409a1d5598fe4cd41c68311e6f373cf83c416
Opcode Fuzzy Hash: 44ee4f4cc8ca3f750e07368b6a97d57456181fb6d44cfe2e2b8e4284527a01f6
Instruction Fuzzy Hash: 25E08635554926CBEB049B18B876AA93357FF05320F502169E6128B2D19B722C45CEA9

Function 00693017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0069302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00693044

Strings

aut, xrefs: 00693038

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: ef94fa5d14e07aeab810edcab6fc068ab64df7e6d3ce7606b63810bed5511e61
Instruction ID: 38be48d9c364a027e1cfc61269f5f4c3365ca158108fe5205f12aa0584cb82bd
Opcode Fuzzy Hash: ef94fa5d14e07aeab810edcab6fc068ab64df7e6d3ce7606b63810bed5511e61
Instruction Fuzzy Hash: 14D05BB150031467DB2097959C0DFC73A6CD704760F0002617755D2091DAB09784CBD0

Function 0067D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0067D220

Strings

X64, xrefs: 0067D2A8
%.3d, xrefs: 0067D22B

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 1683bb08c50984f0c3fd974df12d6b49b153fcc398d271fb21f2a38b72ebdd7d
Instruction ID: e33cb8b29c16c63350f056966b1ee268427a42718266abd69265eafd30cdb78a
Opcode Fuzzy Hash: 1683bb08c50984f0c3fd974df12d6b49b153fcc398d271fb21f2a38b72ebdd7d
Instruction Fuzzy Hash: 86D012A1C09108FACB9097D0DC458B9B37EAF18301F50C852FA1AA1041D634C74B6761

Function 006B2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006B236C
PostMessageW.USER32(00000000), ref: 006B2373

Part of subcall function 0068E97B: Sleep.KERNEL32 ref: 0068E9F3

Strings

Shell_TrayWnd, xrefs: 006B2365

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e603af771ad4c78454450e1bf35d8e1bbed73bf06186b70d0a2f2d7369b4cd19
Instruction ID: da7c8bceb3ecf16e6a0984d49e62a2fad40ba2e557243f9933c5a85db0491fbc
Opcode Fuzzy Hash: e603af771ad4c78454450e1bf35d8e1bbed73bf06186b70d0a2f2d7369b4cd19
Instruction Fuzzy Hash: 77D0A9723C13007AEAA4B730DC0FFC666169B04B20F000A06B281AA0D0D8E0A8808A08

Function 006B2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006B232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 006B233F

Part of subcall function 0068E97B: Sleep.KERNEL32 ref: 0068E9F3

Strings

Shell_TrayWnd, xrefs: 006B2325

Memory Dump Source

Source File: 00000000.00000002.2186022735.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2185993705.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186260098.00000000006E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188580838.00000000006EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188600062.0000000000727000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_NEWORDER.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 895d51e9d2f81c7ffa2bf10ae698e5fd2305ba2f99f18288766d3801aa8ef4f5
Instruction ID: 592b4241fe6486f2110be89ec36796c8689e90079f95f9bf4a8e988f58803f4c
Opcode Fuzzy Hash: 895d51e9d2f81c7ffa2bf10ae698e5fd2305ba2f99f18288766d3801aa8ef4f5
Instruction Fuzzy Hash: 62D0A972390300B6EAA4B730DC0FFD66A169B00B20F000A06B285AA0D0D8E0A8808A04

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NEWORDER.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\overfertilize

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
NEWORDER.exe

Function 006242DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 006242A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00662BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00622CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0066065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0062344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00622B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00623170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 0144E0D0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00622C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 0144DE50 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
fileCOMMON

Function 00623B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Function 0144CD40 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Function 00623923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre